Da Techguy's (no longer backup) Blog

The number of vulnerabilities contained within production code is growing rapidly. As a result, organizations struggle to keep up with their patch management. This inability to patch vulnerabilities poses a significant threat to website security.

Organizations must adopt a more scalable approach to patch management in order to keep up with the growth of exploitable vulnerabilities. The use of prioritized patching and virtual patching are essential to minimize an organization’s exposure to cyber risks.

 

Vulnerability Numbers are Growing Rapidly

Software is written by human beings, and humans make mistakes. As a result, it should come as no surprise that software contains bugs. While some of these software errors are minor and have little or no impact on the software’s operations, this is not true of all of them. Some bugs are vulnerabilities that can be exploited by a malicious user to force the software to take actions not anticipated, intended, or desired by the software’s developer.

Over time, the number of these vulnerabilities that are discovered in production software are growing rapidly. In 2019 alone, 22,316 new vulnerabilities were discovered and publicly disclosed. Of these, over a third had a Common Vulnerability Scoring System (CVSS) v2 score of 7 or above, meaning that they are labeled as high severity.

Organizations Cannot Keep Up

As the number of software vulnerabilities grows, organizations can no longer keep up with their patching requirements (if they ever could). With over 22,000 new vulnerabilities discovered in 2019, over 60 new vulnerabilities are reported each day on average.

Not every newly discovered vulnerability will impact an organization since it will not be running every affected piece of software. However, determining if the organization is affected by any of the day’s 60 vulnerabilities and addressing the fraction that are relevant can create a significant burden for an organization.

For many organizations, patching a vulnerability is not as simple as allowing the update to run on every employee’s workstation. Several factors can affect the update process, including:

• Vulnerability Location: If a vulnerability exists in production code, then addressing the issue could require a new software release. The new code must be created and fully tested before being deployed to production.
• Patch Compatibility: Any software update may include deprecating some functionality provided by a program. If an organization’s existing software depends upon deprecated functionality, then applying a security patch may require a potentially expensive and time-consuming rewrite of the software.
• System Stability: For organizations with high availability requirements, such as critical infrastructure, it is essential to ensure that a patch does not break any critical functionality. This requires extensive validation in a realistic test environment.

Not every vulnerability that exists within an organization’s systems or the software that it uses has these issues. However, every software update carries some overhead, no matter how small, and applying some updates requires significant time and resources. As the number of vulnerabilities to be addressed grows, organizations can quickly and easily fall behind in their patching processes.

Prioritized Patching is Essential

With the rapid growth of vulnerabilities, organizations cannot keep up and need to find a way to effectively manage their cyber risk. Patching every vulnerability is difficult or impossible, so vulnerabilities should be patched based upon the risk that they pose to the organization.

The risk associated with a vulnerability is usually quantified based upon two factors. These are the probability that the vulnerability will be exploited and the impact if an exploit occurs. The impact part of this equation is readily available for any vulnerability. The CVSS scoring system labels vulnerability severity as low, medium, or high in version 2 and low, medium, high, or critical in version 3.

The probability of exploitation can be more difficult to determine. Not all vulnerabilities are actively exploited by cybercriminals, meaning that a “critical” vulnerability on the CVSS scale may pose little or no real-world risk to an organization. Of the over 22,000 vulnerabilities disclosed in 2019, 37% of them had known exploit code or a Proof of Concept that would make it easy to develop a workable attack. Prioritizing these vulnerabilities in patching would be a good idea.

However, even more detailed information is available regarding the risk of certain vulnerabilities. In May 2020, the FBI and DHS CISA published a list of the top ten most exploited vulnerabilities over the last four years. This report indicated that cybercriminals commonly target Microsoft Office products, Apache Struts, and vulnerabilities within VPN products. Prioritizing these particular vulnerabilities – and generally any vulnerability in these types of software – enables an organization to dramatically decrease its risk of exploitation.

A Scalable Solution to Vulnerability Management

The problem with even a prioritized approach to vulnerability patching is that it is not a scalable or perfect solution to the problem. As the number of vulnerabilities in production software grows, organizations will be increasingly unable to keep up.

Virtual patching, a function offered by web application firewalls (WAFs) and runtime application self-protection (RASP), is a potential solution to this problem. Rather than applying patches to vulnerable applications, virtual patching trains the WAF or RASP solution to identify and block attempts to exploit the vulnerability. Since a virtual patching solution’s list of vulnerabilities is easier to update than the applications containing these vulnerabilities, this provides a more scalable solution to organizations’ vulnerability management problem.