Time To Rethink Patching Strategies

In 2014, the National Vulnerability Database is expected to log a record-breaking 8,000 vulnerabilities. That's 8,000 reasons to improve software quality at the outset.

Kevin E. Greene, Public Sector CTO, OpenText Cybersecurity

December 19, 2014


As of the end of November, the National Vulnerability Database (NVD) had reported more than 7,300 vulnerabilities for 2014. That's the largest number of vulnerabilities ever reported in one calendar year -- and there are still more than a few days left in 2014. By the end of December, there is a strong likelihood that the total number of vulnerabilities will surpass 8,000.

{Table 1}

This record number represents 8,000 reasons to improve the overall quality of software through better development and secure coding practices from the outset. Sure, patching helps by bolting on security after the fact, but patching can only go so far. It becomes nearly impossible for organizations to patch anywhere near 100% once you take into account zero-day vulnerabilities, manual patching, ineffective patch management solutions, the inability to patch critical systems that can't be taken offline, and other factors that affect the operation of IT environments, from heterogeneous enterprise environments all the way to the emerging new world called the "Internet of Things."

If not patching, then what?
What we need is a more proactive, modern approach to protecting IT systems. Patching, or patch management, has become an outdated approach to securing systems. It's outdated because the software ecosystem has evolved, and patching doesn't scale well enough to address the ubiquitous and heterogeneous nature of software. The size and complexity of software also increases the likelihood of more vulnerabilities, which causes organizations to lose control of their software and IT systems. Unfortunately, you can't patch what you can't manage or control.

Software assurance, then, becomes a key component of proactive approaches to protecting IT systems. Software assurance provides a degree of confidence that software is free of exploitable weaknesses. From a software assurance perspective, secure coding and development are viable and realistic options for addressing the gaps that exist in patching and patch management solutions. Secure coding and development become our first line of defense in securing IT systems, no matter where those systems reside. They reduce the attack surface and the number of ways in which systems can be exploited.

Pinpoint weaknesses
The focus should shift from hunting down Common Vulnerabilities and Exposures (CVEs) to pinpointing Common Weakness Enumeration (CWE) entries that could be exploitable. The emphasis here is to rely less on patching and patch management and more on secure coding and development. The long-term net effect will not only help reduce the number of vulnerabilities over time, but it will also help reduce the cost of software failures by identifying and uncovering software weaknesses early in the development process. Studies have shown that, when weaknesses are found later in the lifecycle (post-release and maintenance phases), the cost to fix, mitigate, or remediate that weakness increases significantly.

It should be noted that I'm not advocating abandoning patching strategies. However, I am encouraging organizations to put a greater emphasis on developing better quality software. This will require some organizations to formalize software assurance strategies to ensure that security is addressed early and often in the software development process.

Investing in research and development will also be needed to advance the quality of software analysis tools and technologies that developers feel confident using. Improvements in software analysis tools in the areas of coverage (weakness classes and programming languages), precision and soundness, and integration with continuous integration and software lifecycle management tools will help guide developers and improve the fidelity of software analysis capabilities.

About the Author

Kevin E. Greene

Public Sector CTO, OpenText Cybersecurity

Kevin E. Greene is a public sector expert at OpenText Cybersecurity. With more than 25 years of experience in cybersecurity, he is an experienced leader, champion, and advocate for advancing the state of the art and practice in improving software security. He has been successful in leading federally funded research and development (R&D) and has a proven track record in tech transition and commercialization. Notably, research from the Hybrid Analysis Mapping (HAM) project was commercialized in former technologies/products by Secure Decisions' Code Dx and Denim Group's ThreadFix, which were acquired by Synopsys and Coalfire respectively. Additional commercialization includes GrammaTech CodeSonar, the KDM Analytics Blade platform, and research transitioned to improve MITRE's Common Weakness Enumeration (CWE) by incorporating architectural design issues from the Common Architectural Weakness Enumeration (CAWE) research project developed by Rochester Institute of Technology (RIT).

Prior to joining OpenText Cybersecurity, Kevin worked at the MITRE Corporation supporting DevSecOps initiatives for sponsors and Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) research under the Center for Threat-Informed Defense (CTID), and was a high-performing contributor to MITRE's CWE program. Kevin valued his time serving the nation as a federal employee at the Department of Homeland Security, Science and Technology Directorate, Cyber Security Division, where he was a program manager leading federally funded research in software security.

Kevin currently serves on the advisory board/committee for the New Jersey Institute of Technology (NJIT) Cybersecurity Research Center, where he holds both a Master of Science and a Bachelor of Science in Information Systems, as well as on the external advisory boards of the Bowie State University Computer Technology department and the Bryant University Cybersecurity/Cloud Program.
