Patch First, Rollback Later

Patch some test systems within 24 hours, a large production sample within 48 hours, then everything.

I first heard of patching in single-digit days from Paul Griffiths in 2011.

Now I’ve come across someone else who says patch first, rollback later: Sébastien Mériot. He says OVH have a strict policy to “apply patches and updates immediately when they are published on all their machines.”

Perhaps now, with DevSecOps, everyone can make the leap – and everyone will be working for the Information Security Dept. [Image Credit: drawn live by ‘Fix’ during Orange CyberDefense#Live 2018]