How do you keep aprised of important software updates?

  1. Define the scope of what you're going to track and who's going to pay attention (here, the security folks monitor security patches for apps that have large install bases and the server and clients operation teams monitor for patches in other realms) If you don't do this, you will go absolutely batty.
  2. Watch the right lists. For security US-CERT is comprehensive, a little slow perhaps, but a good start. Vendor lists are also really useful, depending on what's in your environment and Secunia is great for general vulnerability info and ratings that track back to individual updates. Functionality patches pretty much demand that you monitor your vendors, MS has a pretty comprehensive review at The Hot Blog and the monthly non-security critical updates are in this KB.
  3. The most important thing is to have a solid patch management process, for testing, scheduling, and managing the release of patches. We're big fans of the Securosis model. Whatever you end up doing needs to fit your resources and organization.

US-CERT is ideal for this, from a security PoV.


For home use, I run Secunia PSI. It keeps track of what's installed on the machine and then alerts me when there are updates -- even gives a download link if necessary. Brilliant little app. Of course, it only works for what's actually installed on my machine and isn't licensed for corporate use...

Secunia does offer a Corporate version as well: http://secunia.com/vulnerability_scanning/corporate I haven't had a chance to check it out yet though.


For Adobe, I subscribe to their security notification service and they e-mail me when new updates are about to be released or when critical issues are found. Their Product Security Incident Response Team also has a blog that ends up in my RSS reader.

Microsoft has a similar service through their Security Bulletin Advance Notification service.