Creating a No-Patch Security Cadence

A zero-patch environment is one in which we redeploy our applications with updated dependencies as part of our normal Continuous Deployment process, rather than patching running systems in place. This is part of You Build It - You Own It.

We need to create a repeatable cadence for bringing in operating system, container, application patch, and binary updates. We can reduce some of our own work by pushing as much of our workload as possible onto PaaS, serverless, and cloud services, where the provider patches the underlying platform.

Three Month Cycle Example

This is a prototypical 3-month update cycle where an application is redeployed with security and bug fix updates at least every quarter.

  1. The image team identifies required operating system and container image updates. Application teams identify library updates for known CVEs via automated scanners.
  2. The application teams start integrating library updates. The image team starts creating new VM and container base images with updated dependencies.
  3. The development team starts testing library and configuration updates.
  4. Images are available. The development team builds applications on the new images.
  5. Automated and possibly manual testing is done with the updated binaries and the images built on the new base images.
  6. Applications are deployed in production.
  7. Compliance tooling starts verifying that the updates have been done.
  8. Out-of-date deployments in non-prod are torn down, forcing redeployments.
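A small compliance check covering steps 7 and 8, as an added example that is not part of the original post: it takes an inventory of deployments (constructed sample records), a cut-off of one quarter (assumed to be 90 days) and the image team's current approved-image list (hypothetical image names), reports out-of-date production deployments for the owning team to act on, and lists out-of-date non-prod deployments for teardown.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed policy values for this example (not from the original post):
# a deployment is out of date when its base image or its last deploy is
# older than one quarter, or when its base image is no longer on the
# approved list published by the image team.
MAX_AGE = timedelta(days=90)
APPROVED_IMAGES = {"ubuntu-22.04-2022q1"}  # hypothetical image names
AUDIT_DATE = date(2022, 3, 31)             # constructed "today" for the run


@dataclass(frozen=True)
class Deployment:
    name: str
    environment: str     # "prod" or "non-prod"
    base_image: str      # base image the application was built on
    image_built: date    # when that base image was produced
    deployed: date       # when this deployment last went out


def reasons_out_of_date(dep, today, max_age=MAX_AGE, approved=APPROVED_IMAGES):
    """Return the reasons a deployment fails the cadence check.
    An empty list means the deployment is compliant."""
    reasons = []
    if dep.base_image not in approved:
        reasons.append(f"base image {dep.base_image} not on approved list")
    if today - dep.image_built > max_age:
        reasons.append(f"base image built {(today - dep.image_built).days} days ago")
    if today - dep.deployed > max_age:
        reasons.append(f"last deployed {(today - dep.deployed).days} days ago")
    return reasons


def audit(deployments, today, max_age=MAX_AGE, approved=APPROVED_IMAGES):
    """Steps 7 and 8 of the cycle: verify every deployment, flag stale prod
    for the owning team, and list stale non-prod deployments for teardown."""
    report = {"compliant": [], "prod_out_of_date": {}, "nonprod_teardown": {}}
    for dep in deployments:
        reasons = reasons_out_of_date(dep, today, max_age, approved)
        if not reasons:
            report["compliant"].append(dep.name)
        elif dep.environment == "prod":
            report["prod_out_of_date"][dep.name] = reasons
        else:
            report["nonprod_teardown"][dep.name] = reasons
    return report


# Constructed sample inventory, as a compliance scanner might export it.
SAMPLE = [
    Deployment("api", "prod", "ubuntu-22.04-2022q1", date(2022, 1, 15), date(2022, 2, 1)),
    Deployment("batch", "prod", "ubuntu-20.04-2021q4", date(2021, 10, 10), date(2021, 11, 5)),
    Deployment("staging-web", "non-prod", "ubuntu-20.04-2021q4", date(2021, 10, 10), date(2021, 12, 20)),
    Deployment("dev-worker", "non-prod", "ubuntu-22.04-2022q1", date(2022, 1, 15), date(2022, 3, 20)),
    # recent deploy, but on an image the image team has since retired
    Deployment("test-db", "non-prod", "debian-11-2021q4", date(2022, 3, 1), date(2022, 3, 25)),
]

if __name__ == "__main__":
    result = audit(SAMPLE, today=AUDIT_DATE)
    for name, reasons in result["prod_out_of_date"].items():
        print(f"PROD OUT OF DATE: {name}: {'; '.join(reasons)}")
    for name, reasons in result["nonprod_teardown"].items():
        print(f"TEAR DOWN: {name}: {'; '.join(reasons)}")
    print("compliant:", ", ".join(result["compliant"]))
```

Production deployments are only reported, never torn down, because the cycle leaves that decision with the owning team; the approved-image test is what catches a deployment that was rebuilt recently but on an image the image team has already retired.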


Created 2022/03

