

Application Security: Changes to Microsoft Patch Tuesday

Everyone should be patching like Microsoft.

You can argue with some of the tiny details about how Microsoft schedules patches, but the elephant in the room is that nobody has thought through continuous patching better or for longer than Microsoft.

All software needs to be patched. There will always be new attacks on software, new classes of vulnerabilities, and new zero-days discovered. The only way to handle these is to be really good and really fast at patching.

For the vast majority of software, patching is damn near impossible. Commercial products, embedded systems, cars, drones, dishwashers, televisions, and so on: it is virtually impossible for the typical user to get and apply patches. That's the Achilles' heel of the Internet of Things, and we are going to be dealing with it for decades.

Most open source projects don't ship security patches for the version you are running at all. The fix lands in the next release, and you have to move on to it. That can involve many API changes that require recoding, retesting, and redeployment, which is just not feasible for many types of software. Heck, it's pretty close to impossible to even get notified that the libraries you are using have a problem.

The average time between a vulnerability being published and the surge of exploits against it is 4 days. That's the window for patching. We are in the Stone Age here. We need end-to-end notification and patching across the entire software supply chain. We simply have to make this problem easier.

Application security patches are particularly critical, and we have some alternatives here. A patch might be a traditional software update, with the concomitant installation and testing issues. But a security patch might also be designed to defeat the attack rather than to fix the software. This might seem like a minor difference, but Runtime Application Self-Protection (RASP) minimizes the work required to stop new vulnerabilities and attacks effectively, without requiring a complete software update.
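To make "defeat the attack rather than fix the software" concrete, here is an added illustration. It is not code from the original post, from Contrast, or from any RASP product: the in-memory sqlite3 database, the `find_user` application function, the `GuardedConnection` proxy and the deliberately simple SQL tokenizer are all assumptions made for this example. The application code stays exactly as vulnerable as it was; the guard sits at the database sink, where a RASP agent would hook, and refuses any query in which an untrusted request value has escaped its literal and changed the query's structure.

```python
"""RASP-style virtual patch for SQL injection, demonstrated offline with sqlite3.

Added example. Names, data and the tokenizer are assumptions for illustration.
"""
import re
import sqlite3

# Deliberately small SQL lexer: enough to tell literals from everything else.
_TOKEN_RE = re.compile(
    r"(?P<string>'(?:[^']|'')*')"        # single-quoted literal; '' escapes a quote
    r"|(?P<number>\d+(?:\.\d+)?)"
    r"|(?P<word>[A-Za-z_]\w*)"
    r"|(?P<space>\s+)"
    r"|(?P<comment>--[^\n]*|/\*.*?\*/)"
    r"|(?P<punct>.)",
    re.S,
)


def tokenize(sql):
    """Return (kind, start, end) spans for every token in `sql`."""
    return [(m.lastgroup, m.start(), m.end()) for m in _TOKEN_RE.finditer(sql)]


class BlockedByRasp(Exception):
    """Raised when a sink call would run with attacker-altered query structure."""


def untrusted_input_breaks_query(sql, untrusted):
    """True if an untrusted value lands outside a single literal token.

    A value that legitimately became part of a query sits entirely inside one
    string or number token. If it overlaps more than one token, or a token that
    is not a literal, it has changed the structure of the query: that is the
    signature of injection, whatever the payload looks like.
    """
    tokens = tokenize(sql)
    for value in untrusted:
        if not value:
            continue
        start = sql.find(value)  # simplification: a real agent tracks taint precisely
        if start == -1:
            continue
        end = start + len(value)
        overlapping = [t for t in tokens if t[1] < end and t[2] > start]
        if len(overlapping) != 1 or overlapping[0][0] not in ("string", "number"):
            return True
    return False


class GuardedConnection:
    """Stand-in for a RASP agent's hook on the sqlite3 execute() sink.

    The application keeps calling conn.execute(); the guard sits between it
    and the database and rejects structurally altered queries.
    """

    def __init__(self, conn, untrusted):
        self._conn = conn
        self._untrusted = list(untrusted)  # the request's tainted values

    def execute(self, sql, params=()):
        if untrusted_input_breaks_query(sql, self._untrusted):
            raise BlockedByRasp(f"blocked SQL injection attempt: {sql!r}")
        return self._conn.execute(sql, params)

    def __getattr__(self, name):
        return getattr(self._conn, name)


def find_user(conn, username):
    """Unpatched application code: builds SQL by string interpolation (vulnerable)."""
    sql = f"SELECT id, name FROM users WHERE name = '{username}'"
    return conn.execute(sql).fetchall()


def demo():
    """Run the same vulnerable code without and with the virtual patch."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])  # constructed data

    results = {}
    # 1. Unprotected: the classic payload returns every row.
    results["unprotected"] = len(find_user(db, "' OR '1'='1"))
    # 2. Behind the guard, a legitimate lookup still works...
    results["legit"] = find_user(GuardedConnection(db, ["alice"]), "alice")
    # 3. ...and the same payload is stopped at the sink, with no change to find_user.
    try:
        find_user(GuardedConnection(db, ["' OR '1'='1"]), "' OR '1'='1")
        results["blocked"] = False
    except BlockedByRasp:
        results["blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the example is not the tokenizer, which is far cruder than a real agent's, but where the check lives: the rule is enforced at the sink, it needs no knowledge of the specific bug, and turning it on does not require rebuilding, retesting, or redeploying the application.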

So whatever you think about Microsoft's recent changes, it's clear that almost everyone else is nowhere even close. Basically, we need a "Windows Update" for everything, particularly those Internet Things we keep hearing about.


Jeff Williams, Co-Founder, Chief Technology Officer


Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast. Previously, Jeff was co-founder and CEO of Aspect Security, a successful and innovative application security consulting company acquired by Ernst & Young. Jeff is also a founder and major contributor to OWASP, where he served as the Chair of the OWASP Board for 8 years.