There is an ever-increasing cyber threat that vulnerabilities in infrastructure and software can cause serious business impact such as service outages, fraud, ransom and data loss.
One of the main ways to address this is by ensuring infrastructure and software are up to date and regularly patched, as newer versions and patches address known security vulnerabilities.
While there are sound patching processes in place for operating systems and we have an annual process to review all end-of-life infrastructure and software components, there is a lack of patching on Middleware components.
Middleware, in the context of this project, covers the strata of software components that support the application layer. For example, this covers application and web server software, software libraries and frameworks, database systems, message brokers and print / file services. It excludes operating systems and network components.
This project will not execute patching for all middleware components, but will review them all and establish a patching strategy for each one. Where patching can be executed very simply, this will be covered by the project.
The creation of this project is driven by the need to counteract security vulnerabilities. However, it should be noted that the patching process created will cover all kinds of patches, not just those related to security.
The scope of this project is to undertake the following activities:
- Create a Middleware Patching Register. The patching register must clearly define all Middleware components in-scope.
- Create a patching strategy for each in-scope entry on the patch register. Patching strategies may be grouped together into classes.
- Create and/or compile a set of technical patching instructions for selected in-scope entries.
- Execute a selection of patches.
- Hand over the patching register and associated collateral to production management. Ensure the Middleware patching process is incorporated into business-as-usual production management processes.
AP89-020
RfC: C1907-030
Current project status
Report Date | RAG | Budget | Effort Completed | Effort to complete |
---|---|---|---|---|
August 2019 | BLUE | 34.0 days | 34.0 days | 0.0 |