Do You Play Bug Patch Game Badly?

Should IT managers patch bugs based on their severity, or based on the prevalence of the affected application in their organization?

Start with severity, according to a new white paper from vulnerability information provider Secunia, "How to Secure a Moving Target with Limited Resources." That includes Secunia's examination of what would happen if an organization patched the 10 applications with the most severe vulnerabilities, every year for the past six years.

Here's what Secunia found: "Averaged over the last six years, patching the top 10 most critical programs remediates 71% of the total risk, while patching the top 10 most prevalent programs [with bugs] remediates 31% of the risk, or 1.9 times less."

Knowing which vulnerabilities are highest risk is crucial for determining what to patch, as well as in what order. "A lot of companies, they don't patch everything," said Thomas Kristensen, Secunia chief security officer, in an interview. "They select certain products that they'll patch, but that isn't always based on the products that we see the most vulnerabilities in."

Accordingly, when it comes to patching, "you need different selection criteria than the most popular software on your network," said Kristensen. But that's exactly how many businesses today approach patching, he said.

Indeed, many patch managers are obsessed with the likes of Microsoft, Adobe, and Oracle, when they should be looking at the bigger picture. Notably, Secunia's research found that, while roughly 2% of Microsoft's products are found to be insecure at any given point, 6% to 12% of third-party software in general will have an exploitable vulnerability at any given moment. If that volume of Microsoft vulnerabilities seems low, it's because the company has been aggressively refining its secure development practices to help prevent bugs from reaching production code.

If organizations should focus on the worst vulnerabilities first, how quickly should those vulnerabilities be remediated? As quickly as possible, of course. That would seem to create a problem with zero-day vulnerabilities, of course, for which no patch yet exists. But according to Kristensen, zero-day vulnerabilities take several weeks to ramp up from targeted threats into mass attacks. Accordingly, most organizations shouldn't worry too much about continuing to use software with zero-day vulnerabilities, provided their vendor releases a patch in a timely manner.

"Companies' primary concern and focus shouldn't be on the zero-days--unless you're the target," he said. "Unless you're a high-profile target, you can probably wait for the patch."

But waiting might be the wrong word. Indeed, Kristensen said he'd like to see customers be more assertive when it comes to demanding that software bugs get fixed. "If you've paid for something, it's your privilege to call them and say, 'Hey I found this information ... I want to know what the patch status is,'" he said.

Black Hat USA 2011 presents a unique opportunity for members of the security industry to gather and discuss the latest in cutting-edge research. It happens July 30-Aug. 4 in Las Vegas. Find out more and register.