Web app security patches: Closing the risk window
Web application vendors are taking, on average, 11 days to provide critical fixes. Davey Winder thinks that's still too long...
Barry Shteiman, director of security strategy at Imperva, thinks that there's a missing piece in the number puzzle. He thinks there's a link between a two-week fix window to the actual vulnerability and the threat opportunity around it. "A vulnerability being fixed in 14 days only exposes the fact that the vendor has been notified and fixed the code," he says. "It does not cover the time of exposure, which is the critical path here."
Indeed, looking at the annual report from WhiteHat Security from 2013, it's possible to see a completely different picture. "Last year Imperva and WhiteHat conducted a mutual effort to realise what the exposure factor is" Shteiman told IT Pro, continuing "we took WhiteHat's number which describes a full window from discovery of the vulnerability, until the fix has actually been applied (a totally different number than just the time it takes the vendor to patch) and the number is 224 days on average."
In order to match the window of exposure vs. hackers, Imperva looked at attack data and found that each application in its Security operations Centre gets attacked on average 176 days out of a 6 months period, which is 98 per cent of the time! These results show that even while customers are patching their applications in a timely fashion, hackers still have the opportunity to try and get in. If an attack happens on average every quarter and less than 60 per cent of that time you are vulnerable, the chances of a breach are huge. "To answer the original question on time-to-patch" Shteiman concludes "I don't believe that the market is there yet with the understanding of what patching really means. This is because patches are either unavailable in a timely manner and/or customers don't know that they are vulnerable to begin with and therefore don't necessarily know of the need for a patch."
What can be done then, to shorten this time-to-patch average and help mitigate the lack of understanding the problem? Traditionally there are two orthogonal measures of resilience: mean time to failure (MTTF) and mean time to repair (MTTR), and patching falls squarely in the mean time to repair category.
"If we lengthen the MTTF by building better quality software in the first place, we end up waiting on the MTTR less," explains Paco Hope, principal consultant at Cigital. "Otherwise, software vendors must build massive regression testing environments and have lots of people ready to drop what they're doing and regression test a proposed fix." That's expensive spare capacity and, the reality of the situation is, we like our software cheap.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2024.
Davey is a three-decade veteran technology journalist specialising in cybersecurity and privacy matters and has been a Contributing Editor at PC Pro magazine since the first issue was published in 1994. He's also a Senior Contributor at Forbes, and co-founder of the Forbes Straight Talking Cyber video project that won the ‘Most Educational Content’ category at the 2021 European Cybersecurity Blogger Awards.
Davey has also picked up many other awards over the years, including the Security Serious ‘Cyber Writer of the Year’ title in 2020. As well as being the only three-time winner of the BT Security Journalist of the Year award (2006, 2008, 2010) Davey was also named BT Technology Journalist of the Year in 1996 for a forward-looking feature in PC Pro Magazine called ‘Threats to the Internet.’ In 2011 he was honoured with the Enigma Award for a lifetime contribution to IT security journalism which, thankfully, didn’t end his ongoing contributions - or his life for that matter.
You can follow Davey on Twitter @happygeek, or email him at davey@happygeek.com.