August 28th, 2024

Microsoft 365 Certification control spotlight: Patch management

Patch management is the process of identifying, testing, and updating software applications with security fixes, bug fixes, or new features. It is an essential part of maintaining the security and functionality of any software product, especially in the cloud environment, where threats are constantly evolving and customer expectations are high.

App developers need to perform regular patching to protect the app and its users from cyberattacks that exploit known vulnerabilities in the software. These vulnerabilities can range from low to critical in terms of their potential impact and likelihood of exploitation. By assigning a risk ranking system, developers can prioritize resources effectively to help reduce the attack surface and mitigate the risk of data breaches, service disruptions, or reputational damage.

Patching helps improve the performance and reliability of the app by resolving issues that may affect its functionality or user experience. These issues can include bugs, errors, compatibility problems, or performance degradation. Patching helps ensure that the app delivers the expected results and meets customer satisfaction and retention goals.

Microsoft 365 Certification validates patch management best practices

One of the key aspects of Microsoft 365 Certification is the validation of patch management controls. App developers need to show they have a documented and effective patch management process that identifies and assesses patches that are relevant to the app and its dependencies. This includes scanning the app and its components for vulnerabilities, reviewing the available patches from the vendors or sources, and evaluating their applicability and suitability for the app.

Auditors will ensure that prioritization and scheduling of patches are based on their severity and impact, and mitigation occurs within a reasonable patching window. Patches should be ranked according to their risk level, urgency, and dependency to help determine the optimal time and frequency for applying them to the app.

Certification confirms that patches are tested and verified in a separate or isolated environment before they are deployed to production, verifying their functionality and compatibility and ensuring that they do not introduce any new issues or conflicts to the application upon deployment.

The policies surrounding the decommissioning of unsupported operating systems and software will be reviewed, verifying that provisions exist for removing, in a timely manner, software or components that pose a significant risk to the organization’s security posture. Reporting and auditing of patch management activities, processes, outcomes, and metrics will be inspected for compliance and improvement.

This control set is partially automated using ACAT, the App Compliance Automation Tool. ACAT is a service within the Azure portal designed to ease the path to compliance for applications that use Microsoft 365 customer data and are published through Partner Center. ACAT also allows continuous compliance monitoring with customized daily reports.

Next steps

To learn how Microsoft 365 Certification validates that patch management best practices are in place for your application, visit the Microsoft 365 Certification patch management control evidence requirements. To start certification, go to the Microsoft Partner Center dashboard, select an app from the Marketplace offers overview, and select App Compliance.
