Security patch culture 'fundamentally flawed' as experts call for change

'Sticking plaster' approach no longer viable

  • Jason Murdock
  • @Jason_A_Murdock
  • 20 October 2015

Frequent security updates and a patch-as-you-go approach to software flaws have led a number of security experts to question whether the problem needs a fresh approach.

Microsoft, Adobe and Oracle unveiled over 200 updates in October alone, many marked critical, backing up the notion that security patches are now an inevitable reality for the industry.

Fraser Kyne, principal systems engineer at security firm Bromium, told V3 that the current approach is "akin to putting a sticking plaster over a gaping wound".

"Patching itself is fundamentally flawed. It's always reactive, you can only patch for known issues, it's expensive and it's time consuming. Many organisations even find themselves in the position where they can't patch as it would break their line of business apps," he said, noting how entrenched the problem has become.

"There are some unsolvable factors at play here: developers are fallible, users are gullible, and attackers are resourceful. More code simply means more vulnerabilities, and the rewards for exploiting these vulnerabilities are clear."

The commercial problem
As with every industry, commercial interests often collide with innovation. Richard Cassidy, EMEA technical director at Alert Logic, warned that this is a major problem facing the industry today.

"Vendors are locked into the innovation battle, with consumer demands for better, faster and more capable applications, seeing code releases at an astonishing rate," he told V3.

This pace of innovation has an "inevitable" outcome: software vulnerabilities.

"Historically, developers will work to best practice coding from a security perspective, but all too often project deadlines and production demands will mean that the focus needed in the area of security often suffers," he said.

Cassidy believes that patch management needs to evolve past its current "antiquated" state and that organisations must start thinking about other options.

"In addition to an updated, agile patch management process, organisations need to implement better tools to identify when their own infrastructure is being subject to an undiscovered vulnerability so that they can respond immediately and ultimately reduce the window of opportunity provided to attackers," he told V3.

Yet however fast a business can respond, it is well known that exploiting security vulnerabilities is now a lucrative business for cyber criminals, which means there is a large community trading and sharing them.

Bharat Mistry, cyber security consultant at Trend Micro, told V3 this has become so big because the value of these exploits can be huge.

"One of the reasons why we are seeing so many patches is that there is a big underground community that trades in vulnerabilities and exploits, especially the new zero-days such as the recent Adobe flash vulnerabilities," he said.

"For the discovering party it is seen as potentially easy money with relatively low cost of entry. And when you do find a new zero-day it can be sold for a significant amount of money. This has attracted significant numbers of people to look into this marketplace."

These marketplaces, often underground and held on websites on the so-called dark web, act as a sort of eBay for hackers to buy and sell sophisticated zero-day vulnerabilities, malware and even denial-of-service tools.

It's not just the odd hacker doing this either. A breach at Italian surveillance firm Hacking Team led to the discovery of major security vulnerabilities in software such as Flash and Windows that the company used to make its tools work.

The evolution of bug bounties

However, a rise in patches could be seen as a positive, as it shows more focus is being placed on the software businesses rely on.

Indeed, the use of bug bounties, the process of paying a reward for reporting a major flaw, has had a direct effect on the number of flaws being discovered.

Chris Boyd, malware analyst at security firm Malwarebytes, agreed "this can only be a good thing" and shows an acceptance from software vendors that problems do exist.

"It's not so long ago that security researchers were often met with silence from large organisations when attempting to report exploits and vulnerabilities, and these attitudes still surface from time to time," he said.

The consensus among industry experts is that the increase in bug reporting correlates directly with greater attention being paid to the coverage of security flaws.

Mark James, IT security specialist at ESET, told V3 that the money paid for bug reports in the first half of 2015 was more than double that of last year.

This in itself appears to show that the process is being increasingly relied on by software organisations under pressure to stay ahead of online threats.

"This has to have an impact on the amount of professionals testing and finding bugs for the developers to fix. So many of these software programs have been around for years, building on patches and fixes but still using the same underlying code," James said.

"Finding issues and vulnerabilities is a very important part of software security, but fixing those problems quickly is more important."

Of course, a vulnerability does not come into existence only when it is found and fixed. Tim Erlin, director of security and product management at Tripwire, likens it to "a secret door in a video game".

"It's tempting to think of vulnerabilities as beginning their existence when they're publicly known, but it's factually incorrect. It's always been there but you just didn't see it before," he told V3.

"More vulnerabilities being patched faster is progress, but we should be pushing to eliminate vulnerabilities in the software development lifecycle as well. Unfortunately, data about vulnerabilities that are never released isn't generally public."

The future is patchy
Like the future of online security in general, no-one is able to predict with 100 percent certainty where the industry will go. Yet the security experts questioned by V3 are all in agreement that something has to give.

"The only way to combat this is to encourage software developers to adopt a secure software development lifecycle approach to code development," said Mistry from Trend Micro.

"The process would ensure that developers are taught secure coding practices, and that code is tested at all stages in the development lifecycle. The advantage of this approach is that bugs can be caught very early in development and fixed prior to production release."

Yet it's not all bad news for regular users of vulnerable software such as Flash and Windows. And as security expert and blogger Graham Cluley told V3, at least the patches are coming out - something that other platforms still struggle to do.

"There are some operating systems, the most obvious example is Android, where even when vulnerabilities are found, many users have found it impossible to get their hands on a patch because of an unwillingness by manufacturers and carriers to push it out," he said.

"Although it must be tiring for many computer users to feel like they are constantly updating software with patches, at least you are getting patches."

Cluley also said that, despite a rough time of late, the security of Adobe and Microsoft products has improved in recent years, but he too is dubious that there will be any major change to the culture of patching in the years ahead.

"They are complicated pieces of software, and there are resourceful actors who are keen to find flaws in popular pieces of software in order to compromise computers and attack targets," he explained.

"The best solution to the problem of constant patching is, of course, to write more secure software in the first place. But programmers are human and humans make mistakes."

So security updates seem like they are here to stay, at least until the very foundation of software security can be reinforced from the ground up.

But at least if a problem does arise, the message is clear: there's a patch for that.
