SCUP Catalogs vs. Software Vulnerability Manager

Systems Center Updates Publisher (SCUP) has been around with limited success since 2011, but is getting the spotlight thanks to integration in the latest releases of System Center Configuration Manager (SCCM). It allows you to push patches right from within SCCM, but with many limitations:

  • It requires a SCUP catalog. Adobe has one and so do some hardware vendors, but Microsoft is not in the business of providing any third-party patch content and has no intentions of doing so.
  • There is no criticality or other data on which to prioritize your patching efforts
  • Patches cannot be customized (suppressing reboots, disabling automatic updates, etc.)
  • It does not distinguish between feature and security updates
  • More importantly, it does not provide insight into anything not listed in the catalog

If you have a catalog of 50 applications that match your needs and manage to get them all patched, you are left with a very false sense of security because you do not know about anything else. On the contrary, Software Vulnerability Manager offers the ability to detect over 20,000 applications and and helps you measure your device’s vulnerability status against them all.

Free SCUP catalogs will not get you more than a handful of patches that overlap with your organization’s software portfolio. If you pay for a third-party SCUP catalog, you can get more but it will never be more than a small fraction of the applications that affect your environment. Software Vulnerability Manager for example, provides dozens of out-of-the-box, tested and easily configurable patches but does not expose them via SCUP due to the many limitations listed above.

It can be compelling to think you might just get out of having to create your own patches if only you had a big catalog. If you are willing to live with the inability to customize such patches, you can indeed get to a place where you may create less packages. But there simply isn’t such a thing as a patch catalog that will provide enough coverage to get you out of creating patches of your own. Flexera offers the industry leading AdminStudio solution to help you create custom patches quickly, easily and with the least amount of risk.

The key issue with the catalog approach is that the catalog is all you know about– you only get awareness of your patch status against what is in the catalog. Without a comprehensive solution like Software Vulnerability Manager, getting insight into what applications need to be patched can be an insurmountable challenge. Having access to a database several times larger than the largest catalog with details about the vulnerabilities in question (like attack vector or criticality rating) so you can prioritize effectively (and even automate remediation) can help you to address what is most important quickly and dramatically reduce the risk of unpatched software in your organization.

Category: General