Web app security patches: Closing the risk window

Web application vendors are taking, on average, 11 days to provide critical fixes. Davey Winder thinks that's still too long...

Barry Shteiman, director of security strategy at Imperva, thinks that there's a missing piece in the number puzzle. He thinks there's a link between a two-week fix window to the actual vulnerability and the threat opportunity around it. "A vulnerability being fixed in 14 days only exposes the fact that the vendor has been notified and fixed the code," he says. "It does not cover the time of exposure, which is the critical path here."

Indeed, looking at the annual report from WhiteHat Security from 2013, it's possible to  see a completely different picture. "Last year Imperva and WhiteHat  conducted a mutual effort to realise what the exposure factor is" Shteiman told IT Pro, continuing "we took WhiteHat's number which describes a full window from discovery of the vulnerability, until the fix has actually been applied (a totally different number than just the time it takes the vendor to patch) and the number is 224 days on average."

In order to match the window of exposure vs. hackers, Imperva looked at attack data and found that each application in its Security operations Centre gets attacked on average 176 days out of a 6 months period, which is 98 per cent of the time! These results show that even while customers are patching their applications in a timely fashion, hackers still have the opportunity to try and get in. If an attack happens on average every quarter and less than 60 per cent of that time you are vulnerable, the chances of a breach are huge. "To answer the original question on time-to-patch" Shteiman concludes "I don't believe that the market is there yet with the understanding of what patching really means. This is because patches are either unavailable in a timely manner and/or customers don't know that they are vulnerable to begin with and therefore don't necessarily know of the need for a patch."

What can be done then, to shorten this time-to-patch average and help mitigate the lack of understanding the problem? Traditionally there are two orthogonal measures of resilience: mean time to failure (MTTF) and mean time to repair (MTTR), and patching falls squarely in the mean time to repair category.

"If we lengthen the MTTF by building better quality software in the first place, we end up waiting on the MTTR less," explains Paco Hope, principal consultant at Cigital. "Otherwise, software vendors must build massive regression testing environments and have lots of people ready to drop what they're doing and regression test a proposed fix." That's expensive spare capacity and, the reality of the situation is, we like our software cheap.

Featured Resources

How to be an MSP: Seven steps to success

Building your business from the ground up

Download now

The smart buyer’s guide to flash

Find out whether flash storage is right for your business

Download now

How MSPs build outperforming sales teams

The definitive guide to sales

Download now

The business guide to ransomware

Everything you need to know to keep your company afloat

Download now

Recommended

Cisco to acquire threat intelligence provider Kenna Security
Acquisition

Cisco to acquire threat intelligence provider Kenna Security

14 May 2021
What is the Computer Misuse Act?
Policy & legislation

What is the Computer Misuse Act?

14 May 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021
What’s next for the education sector?
Whitepaper

What’s next for the education sector?

14 May 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

30 Apr 2021