Automated Software Patch Management Solutions

Remove the drama from OS patching and minimize security risks with fully-automated patch management and validation from Chef.


The Challenges and Risks of Unpatched Systems

Conceptually, applying patches should be simple. Identify the systems that are vulnerable and patch them. But without a comprehensive and automated approach to patch management it is far from simple. Your fleet might conceivably have thousands of vulnerabilities needing to be patched, but not all of them are high priority or even relevant. You might not know whether patching systems will break critical business applications. On top of this, you only have a small team of system administrators responsible for tens of thousands of systems. You started with a OS patching problem, and what you actually have is a risk management problem. And risks are not absolute.

Software Patch Management Just Another Event in Continuous Delivery

The key to implementing a scalable patch management and validation solution is treating patching updates like any other event that is automated as part of a continuous delivery pipeline. Chef enables clients to automate system patching as part of CI/CD pipelines by providing the tools and best practices ops teams need to prioritize, test, run and validate patches consistently across Windows, Mac and Linux devices both on-premises and in the cloud.

Benefits of Chef’s Approach to OS Patch Management


Operations teams spend 90% less time packaging and delivering patches.


Downtime is eliminated and App teams self-manage patch events as part of automated pipelines.

Business Assurance

Compliance teams can view the status and validate systems in real-time across their entire IT estate.

Our Fully-Automated Software Patch Management and Validation Solutions

With Chef you get continuous visibility into what systems need patching and assurance that systems stay patched regardless of how often you deploy new content or environments. Chef provides everything you need to ensure you can deliver system and application changes with unparalleled speed while minimizing the risks of unpatched systems in your environment.

Identify: Understand the Risks

Chef gives you immediate insight into the risk of unpatched systems in any environment, at any time. Built-in profiles defining patching baselines for Linux, Mac and Windows can be used to scan your environments and learn which systems have out of date OSs.

Prioritize: Maximize Efforts to Minimize Risks

Chef comes pre-loaded with patching baseline profiles and supports in-GUI agentless scanning, making determining your current patch level easier than ever. Also included are security benchmarks based on industry standards like CIS and DISA STIGs to ensure systems can be prioritized for hardening as well as patching and are the first step to ensuring formal regulatory compliance.

Integrate: Scale Across all System

Chef provides resources for integrating with RedHat Subscription Manager (RHSM) or Windows Server Update Service (WSUS). You can configure and manage package repositories quickly and consistently.

Integrate with tools like Jenkins to treat patching just like any other continuous delivery event and auto-feed notifications into systems like ServiceNow and Slack to create fully automated workstreams.

Remediate: Reduce the Risks of Applying Patches

With Chef you have the ability to determine where patches are required, safely apply and test updates in pre-production environments before promoting, and maintain visibility in the status of every server, VM, and service you’re responsible for at any time.

Using flexible deployment policies, you can not only select the deployment window but create patching policies as well. This patch management policy provides access to multiple deployment settings to help you decide when to deploy a server patch and how.

Validate: Achieve 100% Compliance

Ensure continuous visibility into the status of systems being patched with real-time dashboards and make sure that those systems stay patched regardless of how often you deploy new content or environments. With Chef you get everything you need to ensure you can deploy with unparalleled speed and efficiency all without increasing the risk to the environments you manage.

Manage Application Updates the Same Way

In addition to the challenges ops teams face managing OS patches teams responsible for application updates must deal with the additional challenge of application dependency and packaging. Older applications many times have a number of runtime dependencies with the underlying operating system and newer applications are interwoven with the older applications. Without proper dependency mapping and exhaustive testing it is many times impossible to know what the impact of a system update or patch maybe.

Chef Habitat was developed to help Application Delivery teams overcome these challenges. Using Chef Habitat teams package each dependency as an atomic unit that is independent of the underlying infrastructure and OS. Packages are then tested in a clean room ensuring what is built and tested in development is what is delivered in production.

Recommended Content

Web Page


Windows Application Automation

Explore Windows Application Automation


Chef EAS

Explore Chef EAS

White paper

Chef Infra 16 Product Guide

Read White Paper