Losing the Patching Game

In my last article I wrote about the need to keep systems up-to-date with the latest security patches from software vendors.  This includes not only operating system patches, but patches for third-party applications as well.  I have only three computers at my home and at times I find it daunting to keep up with all the patches that need to be applied on a regular basis.  And I'm a security professional with many years of system administration experience.  I imagine that the average computer user has neither the time nor the patience for such matters.  He just wants to use his computer and not worry about such mundane tasks as patch management.  Nor should he have to.

Even if we all acted responsibly, diligently scoured the security web sites for vulnerability information and proactively installed security patches in a timely manner, we would still have systems getting compromised.  This is because patching flawed software is a little like playing whack-a-mole: by the time a patch for one vulnerability is released and installed, another vulnerability has been discovered.  And the time between vulnerability disclosure and exploit release has decreased dramatically over the last few years.  Estimates vary, but it is safe to say that exploits are typically available within days of the announcement of a vulnerability, while it often takes weeks for patches to become available.  And this does not even take into account zero-day exploits, for which no patch exists at the time the exploit is circulating.  The end result is a never-ending cycle of software updates that most home users can't possibly manage.  For that matter, most enterprises don't do a very good job of patch management either.
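The argument above is really about timelines: a host is exposed from the moment a working exploit is public until the moment the fix is actually installed on that host, and the patch may not even exist yet when the exploit appears.  The following is an added example, not code from the original article, that models those windows for a few constructed vulnerability records.  The identifiers (VULN-A through VULN-D), the dates and the cut-off date are invented for illustration; the classifications correspond to the failure modes the article describes (exploit before any patch, patch available but not applied, patch applied too late) plus the one good outcome.

```python
"""Exposure-window model for the "exploit in days, patch in weeks" problem.

Added example; the records below are constructed, not real advisories.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VulnTimeline:
    name: str                        # hypothetical label, not a real CVE id
    disclosed: date                  # public advisory date
    exploit_public: Optional[date]   # first public exploit; None if none known
    patch_released: Optional[date]   # vendor fix available; None if still unpatched
    patch_installed: Optional[date]  # fix applied on this host; None if pending


def exposure_window(v: VulnTimeline, today: date) -> Optional[Tuple[date, date]]:
    """Period during which an exploit existed and this host lacked the fix.

    Starts when the exploit became public and ends when the patch was
    installed, or runs to `today` if it still has not been.  Returns None
    when there is no public exploit or the host was patched before one appeared.
    """
    if v.exploit_public is None:
        return None
    end = v.patch_installed if v.patch_installed is not None else today
    if end <= v.exploit_public:
        return None  # fix landed before anyone had an exploit
    return v.exploit_public, end


def exposure_days(v: VulnTimeline, today: date) -> int:
    """Length of the exposure window in days (0 if none)."""
    window = exposure_window(v, today)
    return 0 if window is None else (window[1] - window[0]).days


def classify(v: VulnTimeline) -> str:
    """Name the failure mode (or the good outcome) for this record."""
    if v.exploit_public is None:
        return "no public exploit"
    if v.patch_released is None or v.exploit_public < v.patch_released:
        return "exploit preceded patch (zero-day window)"
    if v.patch_installed is None:
        return "patch available but not installed"
    if v.exploit_public < v.patch_installed:
        return "patch installed after exploit (patch lag)"
    return "patched before exploit"


def lag_days(v: VulnTimeline) -> Tuple[Optional[int], Optional[int]]:
    """(days from disclosure to public exploit, days from disclosure to vendor patch)."""
    exploit_lag = None if v.exploit_public is None else (v.exploit_public - v.disclosed).days
    patch_lag = None if v.patch_released is None else (v.patch_released - v.disclosed).days
    return exploit_lag, patch_lag


def report(vulns: List[VulnTimeline], today: date) -> Dict[str, Tuple[str, int]]:
    """Map each record name to (classification, days exposed)."""
    return {v.name: (classify(v), exposure_days(v, today)) for v in vulns}


def total_exposure_days(vulns: List[VulnTimeline], today: date) -> int:
    return sum(exposure_days(v, today) for v in vulns)


# Constructed sample timeline for one host, evaluated as of TODAY (invented dates).
TODAY = date(2006, 3, 1)
SAMPLE = [
    # exploit three days after disclosure, vendor patch three weeks later
    VulnTimeline("VULN-A", date(2006, 1, 10), date(2006, 1, 13), date(2006, 2, 1), date(2006, 2, 5)),
    # vendor was fast, but the patch is still sitting uninstalled
    VulnTimeline("VULN-B", date(2006, 2, 14), date(2006, 2, 20), date(2006, 2, 16), None),
    # patched promptly; exploit appeared later, so no exposure
    VulnTimeline("VULN-C", date(2006, 2, 1), date(2006, 2, 25), date(2006, 2, 3), date(2006, 2, 10)),
    # disclosed, no public exploit yet
    VulnTimeline("VULN-D", date(2006, 2, 27), None, None, None),
]

if __name__ == "__main__":
    for name, (why, days) in report(SAMPLE, TODAY).items():
        print(f"{name}: {why}; exposed {days} day(s)")
    print("total exposed days:", total_exposure_days(SAMPLE, TODAY))
```

The useful part of running this over a real inventory is the per-record reason, not the total: a large "zero-day window" figure argues for the mitigations in the closing paragraph (host firewalls, host IPS), while a large "patch available but not installed" figure is a patch-management problem that no vendor can fix for you.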

So what is the solution?  The long-term answer is that software vendors need to enforce secure coding practices in their SDLC (software development life cycle).  Right now there is very little financial incentive for them to do so, because we have no legal recourse for damages that occur due to vulnerable software.  If this were to change and vendors could be held legally liable for damages resulting from software vulnerabilities, they would go to much greater lengths to ensure their software was developed with proper controls in place to minimize security vulnerabilities.

In the meantime, keep applying those patches.  Install host-based firewalls and host intrusion prevention software if possible.  And vote with your pocketbook by patronizing companies with good track records of writing secure code while rejecting those that do not.
