Patch Management

Remove the drama from software patching by automating the validation and configuration of your fleet.

Request Information

Conceptually, applying patches should be simple. Identify the systems that are vulnerable and patch them! In practice, however, things are rarely that straightforward. Your fleet might conceivably have thousands of vulnerabilities needing to be patched, but not all of them are high priority or even relevant. You might not know whether patching systems will break critical business applications. On top of this, you only have a small team of system administrators responsible for tens of thousands of systems. You started with a patching problem, and what you actually have is a risk management problem. And risks are not absolute. Fortunately, the Chef Automate platform can help you identify unpatched systems, prioritize them by severity, remediate them by integrating Chef Infra with best-of-breed patch databases like WSUS, and help your team visualize graphically your progress towards improving patch compliance.

Managing the risks of patching

To start patching your software effectively, it’s important to understand exactly what risks are involved, and have a plan to ensure that patches are applied safely and efficiently across your estate. The risks involved with software patching can be broadly grouped into three distinct categories:

  • The Risk of Unpatched Systems: Where is software is out of date, and what patches are available for update?
  • The Risk of Applying Patches: Will updating software negatively impact my applications?
  • The Risk of Incomplete Visibility: Have my patches been applied to every system that requires them?

With Chef Infra you have the tools to ensure you can evaluate all three of these risks, and start applying patches with confidence across your estate. First, there’s the risk of not patching. This is what drives us to implement patching workflows, so that our environments are protected from vulnerabilities and outdated software. However, it’s balanced by the opposing risk of applying patches. Whether you’re updating system libraries on a production webserver, or installing new printer drivers on your home computer, each update can come with unexpected consequences. Software updates must be evaluated, lest they impact the operation of your applications, and that takes care and planning. Finally, there remains the risk of incomplete visibility into your estate. Particularly as environments grow, organizations have more and more systems that need to be patched, and the only thing worse than not being able to apply a patch is not being able to validate whether the patch was successfully consumed by your entire fleet. While daunting, these challenges are not insurmountable! With Chef Infra you have the ability to determine where patches are required, safely apply updates in pre-production environments before promoting, and maintain visibility in the status of every server, VM, and service you’re responsible for at any time.

Chef InSpec: identify unpatched systems across your estate

Chef InSpec is a language that defines compliance as code, transforming your compliance, security, and other policy requirements into automated tests. This can include validation of regulatory compliance frameworks, functional testing of your environments, and of course, identifying systems in need of patching. Chef InSpec gives you immediate insight into the risk of unpatched systems in any environment, at any time.

Chef Inspec


With Chef InSpec, you can:

Identify Unpatched Systems. Built-in Chef InSpec profiles defining patching baselines for Linux and Windows can be used to scan your environments and learn which software packages are out of date with the push of a button.

Practice Continuous Compliance. Chef InSpec can scan systems ad-hoc for real-time feedback, or continuously so that you always know when new patches are available, or if configuration changes have impacted your overall compliance.


Scan Any System, in Any Environment. Environments managed by Chef Infra can use the audit cookbook to ensure Chef InSpec scans run whenever Chef Infra does. Chef InSpec can also scan systems agentlessly over SSH or WinRM, ensuring you can evaluate any system at any time.


Learn more about Chef InSpec

Chef Infra: the right packages on the right systems

Chef Infra is a configuration management tool that defines infrastructure as code. Just as Chef InSpec is responsible for identifying problems in your environments, Chef Infra is responsible for remediating them. Designed for dynamic, repeatable execution, Chef Infra ensures that systems are consistently configured, and that patches can be applied in any environment that needs them. More importantly, changes can be evaluated environment-by-environment, allowing you to evaluate the risk of applying patches in non-production environments before promoting them further.

Chef Infra


With Chef Infra, you can:

Integrate with Patching Tools. With resources for integrating with RedHat Subscription Manager (RHSM) or Windows Server Update Service (WSUS), you can configure and manage package repositories quickly and consistently.

Apply Updates to Environments. Chef Infra’s easy-to-learn language can be used to ensure consistent update schedules across environments, enforce configuration state to harden system security, and install one-off or critical patches as emerging vulnerabilities necessitate.


Eliminate Drift & Duplication. Chef Infra is designed to run regularly, and only takes action if systems differ from their desired state. What’s more, Chef Infra code is dynamic, and can take role, platform, or environment specific action without requiring processes be re-written for each permutation.



Learn more about Chef Infra

Chef Habitat: everything you need, nothing you don’t

Chef Habitat is open source software that creates platform-independent build artifacts and provides built-in deployment and management capabilities. As such, Chef Habitat helps you create incredibly portable, isolated applications, and also makes applying software patches much, much easier. On traditional hardware and VMs, your software runs on operating systems that have hundreds if not thousands of libraries and packages that don’t directly support your applications, but can still be a vector for vulnerabilities if left unpatched. Applications built with Chef Habitat have explicitly defined dependencies for build and run time, further decreasing the risk of applying patches by ensuring your applications contain only what they need, and nothing they don’t.


With Chef Habitat, you can:

Validate Software Versions. Chef Habitat artifacts can be run on traditional servers or natively exported to containers. Either way, running Chef Habitat applications have their dependencies dynamically linked, and can be queried via a Supervisor API to determine exactly what versions of libraries are running in each application or microservice.

Manage Diverse Requirements. On traditional systems, updates to core libraries, like glibc, can be difficult when different components of your application have differing requirements. Rather than letting the weakest link in your application stack define your patch level, each component packaged with Chef Habitat has their dependencies isolated, allowing updates to be applied everywhere they can be consumed.


Automate Application Builds. Chef Habitat allows automatic dependent rebuilds of applications. This means that if an upstream dependency is updated, Chef Habitat can automatically generate new artifacts for any contingent applications. Any non-impacting updates can then be quickly and easily promoted, and updates requiring development work can be identified and prioritized accordingly.



Learn more about Chef Habitat

Chef Automate: Always Know Exactly How your Environment is Changing

Automate supports the delivery of compelling software experiences by providing a unified view of everything you manage. As you achieve success identifying where patches are required, and applying updates to your systems, there still remains the final risk, the risk of incomplete visibility. Patching and validating a dozen systems can be quite simple, but applying the same process to hundreds or thousands can be another matter altogether. Chef InSpec, Infra, and Habitat can all assist in automating the process, but to ensure visibility into how those systems’ compliance and configuration are changing over time, Automate becomes an invaluable resource.


Chef Automate’s dashboards provide aggregated and filterable insights into your environments’ current state, as well as a full history of change over time with trend graphs and historical audit and configuration reports. Chef Automate integrates with Chef Infra’s open-source tools so that your patching scans and remediations are all tracked and audited through the Automate UI.

Automate also comes pre-loaded with with the dev-sec Patching Baseline Chef InSpec Profiles, and supports in-GUI agentless scanning, making determining your current patch level easier than ever. Also included are security benchmarks based on industry standards like CIS and DISA STIGs to ensure systems can be prioritized for hardening as well as patching, and are the first step to ensuring formal regulatory compliance.


With Chef Automate, you can ensure continuous visibility into whether and where systems need patching, and combined with Chef InSpec and Chef Infra, you can make sure that those systems stay patched regardless of how often you deploy new content or environments. Automate provides everything you need to ensure you can deploy with unparalleled speed and efficiency all without increasing the risk to the environments you manage.


Request a Demo

Learn more about Automate