
In real-world terms, there’s no such thing as a perfect, bug-free piece of software. Practically every software application has some bug or other, referring to an error or fault that causes it to perform in an unexpected manner not intended by its creator. Simply put, bugs are the inevitable consequence of writing software — and the bigger and more complex the software, the more bugs it’s bound to have.
The problem, however, is when bugs tip over into vulnerabilities. The difference between a bug and a vulnerability is the difference between having a squeaky seat or loose glove box latch in your car and having a brake that won’t work at high speeds: One is a minor irritation; the other is potentially extremely dangerous. Unlike a regular bug, a vulnerability refers to a bug that can be exploited by malicious actors to inflict damage, such as gaining access to a system for spreading malware.
Software engineers do their best to get rid of bugs because they know that bugs annoy users and degrade the user experience. They do their best to get rid of vulnerabilities because they know that failing to do so could result in major harm. Unfortunately, despite the best efforts of many conscientious coders and developers out there, the software vulnerability problem only seems to be getting worse. That is why tools such as Web Application and API Protection (WAAP) were invented.
Feeling vulnerable
According to one report, over 23,000 new vulnerabilities were discovered in 2020. Although one quarter of the year showed improvement over 2019, each subsequent quarter reversed that optimism, suggesting a continuing trend toward a worsening vulnerability landscape.
As computer systems are relied upon more than ever for a myriad of tasks, the potential negative repercussions that could result from vulnerabilities worsen.
The good news is that, in many cases, developers will rush to plug vulnerabilities as quickly as they can. Developers routinely introduce new, upgraded features for software, which is both an advantage and a disadvantage: it offers fresh capabilities for users, but it also adds more things that can potentially go wrong. As a result, developers keep an eye out for vulnerabilities as they emerge and fix them as quickly as they can. Thanks to over-the-air updates, it’s now possible (even standard practice) for developers to make these fixes available immediately. All users have to do is download the software update to rid their software of the flaw in question.
The problem worsens
All sorted then, right? Sadly, it’s not quite that straightforward. Setting aside zero-day flaws (newly discovered vulnerabilities that can be exploited by attackers before they’re known to developers), patched vulnerabilities still require users to install the patch in question. That’s a bit like a police officer going door to door in a neighborhood, telling residents that thieves have been breaking into houses through unlocked ground-floor windows: it only works if you make the recommended changes in response to the potential threat.
In this case, users are only protected from plugged vulnerabilities provided they have installed the software updates in question. For many security teams within organizations, the problem is that they are unable to keep up. With new vulnerabilities of varying severity discovered all the time, they may not have time to install patches — especially when installing a patch means taking a relied-upon software package offline for a short time.
The patch problem (and solution)
Each patch for a vulnerability in an organization’s systems needs to be tested, applied, and then tested again to ensure that it works. According to one recent report, a majority of IT and cyber security professionals — 71 percent — reported that they found patching to be overly complicated and time-consuming. Fifty-seven percent of survey respondents said that the trend toward remote work, which gained momentum during the pandemic, only increased the challenges they were already facing in this area. Respondents said that prioritizing and organizing responses to critical vulnerabilities took up the majority of their time, along with resolving failed patches, testing released patches, and coordinating with other departments. In all, almost half of respondents said the patch management systems and protocols used by their companies did not sufficiently safeguard against risk.
What is needed is a scalable vulnerability management strategy. Organizations must realize that patching is the best way to manage vulnerabilities and, while challenging, keeping patches up to date will reap dividends when it comes to security. However, since this can be a challenge, there are additional options available.
Virtual patching by WAAP (Web Application and API Protection) solutions can help to block attempted exploitation of unpatched vulnerabilities. Instead of having to wait for official patches to be released, tested, and installed, virtual patching takes the form of a set of rules, enforced in front of the application, that block malicious requests from potential attackers before they reach the vulnerable code.
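To make the "set of rules" concrete, here is a small virtual-patching layer written for this article as an added example; it is not code from any WAAP product. It assumes a hypothetical application whose `/download` endpoint treats a `file` query parameter as a raw path, a flaw whose real code fix has not shipped yet. The rule `VP-0001` sits in front of that endpoint and rejects any `file` value that is not a bare filename, logging each block so the security team can see exploitation attempts while the proper patch is still being tested. All requests shown are constructed.

```python
"""Minimal virtual-patching layer: rules evaluated in front of an application,
blocking requests that target a known, not-yet-fixed flaw.
Illustrative example; the endpoint, parameter and rule id are hypothetical."""
import logging
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, unquote

log = logging.getLogger("virtual_patch")


@dataclass
class Request:
    """The parts of an inbound HTTP request the rules need to inspect."""
    method: str
    path: str
    query: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Rule:
    """A virtual patch: an id, a description, and a predicate on the request."""
    rule_id: str
    description: str
    matches: Callable[[Request], bool]


def _param(req: Request, name: str) -> Optional[str]:
    """Return the (once-decoded) value of a query parameter, or None if absent."""
    values = parse_qs(req.query, keep_blank_values=True).get(name)
    return values[0] if values else None


# Hypothetical unpatched flaw: /download uses ?file= as a filesystem path.
# Until the code fix ships, only a plain filename is allowed through.
_SAFE_FILENAME = re.compile(r"[A-Za-z0-9._-]+")


def _download_traversal(req: Request) -> bool:
    """True when the request tries to pass anything but a bare filename."""
    if req.path != "/download":
        return False
    value = _param(req, "file")
    if value is None:
        return False
    # parse_qs decoded once; decode again so a double-encoded value
    # (e.g. %252f) is judged by what the application would finally see.
    value = unquote(value)
    if value in (".", ".."):
        return True
    return _SAFE_FILENAME.fullmatch(value) is None


RULES: List[Rule] = [
    Rule("VP-0001", "Restrict /download?file= to a bare filename", _download_traversal),
]


def evaluate(req: Request, rules: List[Rule] = RULES) -> Optional[str]:
    """Return the id of the first rule that blocks the request, else None."""
    for rule in rules:
        if rule.matches(req):
            log.warning("virtual patch %s blocked %s %s?%s",
                        rule.rule_id, req.method, req.path, req.query)
            return rule.rule_id
    return None


def guard(req: Request, backend: Callable[[Request], Tuple[int, str]]) -> Tuple[int, str]:
    """Run the request through the rules; blocked requests never reach the app."""
    hit = evaluate(req)
    if hit is not None:
        return (403, f"blocked by virtual patch {hit}")
    return backend(req)


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    app = lambda r: (200, "served")  # stand-in for the real (still vulnerable) handler
    for q in ("file=report.pdf", "file=../../../config.yml", "file=..%252f..%252fconfig.yml"):
        print(q, "->", guard(Request("GET", "/download", q), app))
```

The rule is deliberately narrow: it only fires on the one endpoint and parameter that are known to be exposed, which keeps the false-positive risk low for the rest of the application. The log line doubles as detection telemetry, and the rule should be retired once the real patch has been installed and verified, since the page's point stands that patching remains the primary fix.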
Alongside measures like web application firewalls (WAFs), this can be the best possible defense against potential attacks. It’s one of the smartest investments you, as a business, can make!