Patch management is hard even when the software being patched is backed by a major vendor with a long support window. It is harder still when you integrate numerous open source projects of varying maturity. One lesson from the Equifax data breach is that leaving a deployed application unpatched for months after the upstream project has shipped a fix can have dire consequences.
Even a well-run organization may need a month to patch because of the process it follows to update, test, and deploy. That is no longer good enough. Ask how quickly your organization can patch, test, and deploy to production once an update is released; the answer had better be minutes, or at most an hour. This is achievable with fully automated testing and continuous integration, and test-driven development makes it easier to build the kind of test coverage that lets you trust an automated deploy.
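One concrete piece of that automation is a gate in the CI pipeline that fails the build the moment a pinned dependency is older than the version carrying a fix. The script below is an added example written for this post, not code from the original page or from our CI setup; the package names, the lockfile contents and the advisory identifiers are all constructed for illustration and do not refer to real projects or real CVEs.

```python
"""CI dependency-freshness gate (added example with constructed data).

Reads a pip-style lockfile of exact pins, compares each pin against a list of
advisories that record the first fixed version, and reports anything that is
still below the fix. Unpinned requirements are rejected outright, because a
floating version cannot be checked and cannot be reproduced in production.
"""
import re
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str   # distribution name, matched case-insensitively
    fixed_in: str  # first release that contains the fix
    ref: str       # tracking identifier; hypothetical values below


_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([A-Za-z].*)?")
_PIN_RE = re.compile(r"([A-Za-z0-9_.-]+)==([^\s;]+)")


def version_key(version, width=6):
    """Turn '2.3.31' or '0.9.0rc2' into a tuple that sorts like a release.

    Numeric parts are zero-padded to `width` so '2.3' equals '2.3.0'; a
    pre-release suffix (rc2, b1, ...) sorts below the plain release with the
    same numbers. This is a deliberately small subset of PEP 440, enough for
    the lockfile formats used here.
    """
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unparsable version: {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums = nums + (0,) * (width - len(nums))
    suffix = m.group(2)
    return (nums, 1 if suffix is None else 0, suffix or "")


def parse_lockfile(text):
    """Return {package: version} from 'name==version' lines; comments ignored."""
    pins = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _PIN_RE.fullmatch(line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        pins[m.group(1).lower()] = m.group(2)
    return pins


def find_outdated(pins, advisories):
    """List (package, pinned, fixed_in, ref) for every pin below its fix."""
    findings = []
    for adv in advisories:
        pinned = pins.get(adv.package.lower())
        if pinned is None:
            continue  # not a dependency of this project
        if version_key(pinned) < version_key(adv.fixed_in):
            findings.append((adv.package, pinned, adv.fixed_in, adv.ref))
    return findings


def gate(lockfile_text, advisories):
    """Return (ok, findings); ok is False when any pin must be bumped."""
    findings = find_outdated(parse_lockfile(lockfile_text), advisories)
    return (len(findings) == 0, findings)


# Constructed sample input: not real packages, versions or advisories.
LOCKFILE = """
# example lockfile for the CI gate
web-framework==2.3.31
json-lib==1.4.0
template-engine==0.9.0rc2
"""

ADVISORIES = [
    Advisory("web-framework", "2.3.32", "ADV-0001 (hypothetical)"),
    Advisory("json-lib", "1.4.0", "ADV-0002 (hypothetical)"),
    Advisory("template-engine", "0.9.0", "ADV-0003 (hypothetical)"),
]


if __name__ == "__main__":
    ok, findings = gate(LOCKFILE, ADVISORIES)
    for package, pinned, fixed_in, ref in findings:
        print(f"FAIL {package}: pinned {pinned}, fix shipped in {fixed_in} ({ref})")
    sys.exit(0 if ok else 1)
```

Run it as a CI step right after checkout; a non-zero exit blocks the merge or deploy until the pin is bumped, which turns "we will get to it next sprint" into a red build that somebody has to fix today. In practice the advisory list would be pulled from a vulnerability feed rather than hard-coded, and the same structure works for any ecosystem whose lockfile records exact versions.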
Our own Alex Piechowski recently wrote about our use of Travis CI along with automated security tests. It’s worth a read.