
Application Security: Changes to Microsoft Patch Tuesday


Everyone should be patching like Microsoft.

You can argue with some of the tiny details about how Microsoft schedules patches, but the elephant in the room is that nobody has thought through continuous patching better or for longer than Microsoft.

All software needs to be patched. There will always be new attacks on software, new classes of vulnerabilities, and new zero-days discovered. The only way to handle these is to be really good and fast at patching.

For the vast majority of software, patching is damn near impossible. Commercial products, embedded systems, cars, drones, dishwashers, televisions, etc…  It’s virtually impossible for the typical user to get and apply patches.  That’s the Achilles’ heel in the Internet of Things.  We are going to be dealing with this for decades.

Most open source doesn’t patch at all. Instead, you just have to move on to the next version of the software. This could involve many API changes that require recoding, retesting, and redeployment. That’s just not feasible for many types of software. Heck, it’s pretty close to impossible to even get notified that the libraries you are using have a problem.

The average time between a vulnerability being published and the surge of exploits is 4 days. That’s the window for patching.  We are in the Stone Age here.  We need end-to-end notification and patching across the entire software supply chain.  We simply have to make this problem easier.

Application security patches are particularly critical, and we have some alternatives here. They might be a traditional software patch, with the concomitant installation and testing issues. But a security patch might also be designed to defeat the attack, rather than trying to fix the software. This might seem like a minor difference, but using Runtime Application Self-Protection (RASP) minimizes the work required to effectively stop new vulnerabilities and attacks without requiring a complete software update.
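The two alternatives above, a code fix versus a runtime defense, can be shown side by side. The following is an added illustration, not code from this post or from Contrast's product: a hypothetical report-serving function with a path traversal flaw, the traditional fix that changes and redeploys the code, and a RASP-style guard that wraps the unchanged original function and blocks the attack at call time. The directory layout and file contents are constructed for the example.

```python
"""Added example: fixing the code versus defeating the attack at runtime.
The 'report service', its guard, and the sample files are hypothetical."""
import tempfile
from functools import wraps
from pathlib import Path

# Constructed sample data: a reports directory with one legitimate report and
# a sibling secret outside it that the service must never serve.
ROOT = Path(tempfile.mkdtemp())
REPORTS = ROOT / "reports"
REPORTS.mkdir()
(REPORTS / "q1.txt").write_text("Q1 revenue report")
(ROOT / "secret.txt").write_text("db_password=hunter2")


def read_report(name: str) -> str:
    """Original, unpatched service code: trusts the caller-supplied name,
    so '../secret.txt' escapes the reports directory (path traversal)."""
    with open(REPORTS / name) as f:
        return f.read()


def read_report_fixed(name: str) -> str:
    """Traditional software patch: the code itself is changed to canonicalise
    the path and refuse anything outside REPORTS. Requires rebuilding,
    retesting and redeploying the application."""
    target = (REPORTS / name).resolve()
    if REPORTS.resolve() not in target.parents:
        raise PermissionError(f"refused: {name!r} resolves outside reports dir")
    with open(target) as f:
        return f.read()


def runtime_guard(base: Path):
    """RASP-style protection: a decorator that checks every call's argument
    against the same invariant, applied to the *unchanged* original function.
    The attack is blocked without editing or redeploying read_report."""
    def decorate(func):
        @wraps(func)
        def guarded(name: str, *args, **kwargs):
            target = (base / name).resolve()
            if base.resolve() not in target.parents:
                # Block the call; a real RASP agent would also emit telemetry.
                raise PermissionError(f"blocked by runtime guard: {name!r}")
            return func(name, *args, **kwargs)
        return guarded
    return decorate


# Applied once at startup; the source of read_report is untouched.
read_report_protected = runtime_guard(REPORTS)(read_report)


def demo() -> dict:
    """Exercise all three variants with a legitimate and a traversal name."""
    results = {}
    for label, fn in (("unpatched", read_report),
                      ("code_fix", read_report_fixed),
                      ("rasp_guard", read_report_protected)):
        results[label] = {"q1.txt": fn("q1.txt")}
        try:
            results[label]["../secret.txt"] = fn("../secret.txt")
        except PermissionError as e:
            results[label]["../secret.txt"] = f"denied ({e})"
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The unpatched variant returns the secret; both the code fix and the runtime guard deny the traversal while still serving the legitimate report. The point of the comparison is operational: the guard's invariant is the same as the fix's, but it is deployed as a wrapper around the running function rather than as a new build of the application.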

So whatever you think about Microsoft’s recent changes, it’s clear that almost everyone else is nowhere even close. Basically, we need a “Windows Update” for everything – particularly those Internet Things we keep hearing about.


Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.