Sound security policies have always been crucial, but today's IT leaders are more concerned than ever about the interconnected state of modern business. That rising concern, however, has produced misguided panic and a futile attempt to cover every base, and that in turn has led to some disastrous incidents.
Many people believe there is no alternative to the annual maintenance "fee" and the continuous application of disruptive software patches. That view overlooks the nature of today's threat landscape, starting with the recognition that most enterprise software companies are not, and will likely never be, security companies. A bug fix is, at bottom, a replacement for faulty code that the vendor shipped in the first place (and a lucrative one), and ERP vendor-supplied security patches are usually just bug fixes.
Reported bugs are first reviewed by the software vendor to confirm that they are genuine and relevant, which can be a slow and tedious process. The vendor then has to find every place the affected library or code was used, every platform affected, and the history of that code. This is the stage at which vendors may discover that a bug has been present for a very long time, sometimes 20 or even 30 years. Because it is so easy to "miss a spot," the same issue is frequently patched again, even years later.
Get off the hamster wheel of security patches
A fix is ultimately released, and this is when the real issue for businesses begins. Patching is a time-consuming and complicated process, especially on large business platforms where a company's substantial customizations are likely to break because of the patch's unanticipated behaviour. Even where a business has an immediate patching policy (which is extremely rare; patching cycles are more often annual, or at best quarterly), it can take up to a year for the patch to be downloaded, installed, and tested across the landscape before it is deployed.
Customers must wait for patches to be released, then perform extensive regression testing, quality assurance, and end-user testing, and repair whatever the patches break, for every database or application instance in the organization. All of this is extremely time-consuming, disruptive, risky, and costly. Then, when something very similar appears again, the hamster wheel starts turning once more, because most vendor fixes simply blacklist the specific commands or syntax used in the reported exploit, and the next variant of the command walks straight past the list. Customers are compelled to go through this process hundreds of times.
Vendor patches are complex, and even when they are applied they are often limited in scope, since they address only the issue that was discovered in the wild rather than the underlying weakness.
The bigger picture of security
Modern security solutions not only target individual vulnerabilities but also address whole classes of weakness, as catalogued in the Common Weakness Enumeration (CWE). A modern solution, for example, mitigates SQL injection (CWE-89) as a class, rather than dissecting a single SQL injection issue and blocking its specific syntax, which is the vendor patch strategy.
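As an added illustration (not code from this article or from any vendor it describes), the following Python script contrasts the two approaches: a denylist "patch" that blocks only the syntax seen in a reported exploit, and a parameterized query that removes the SQL injection weakness class (CWE-89) altogether. The users table, the denylist patterns and the payloads are all constructed for the demonstration; the bypass shown is a rephrasing of the blocked payload, not a specific real-world exploit.

```python
import re
import sqlite3

def make_db():
    """Constructed sample data: an in-memory SQLite table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, secret) VALUES (?, ?)",
        [("alice", "alice-secret"), ("bob", "bob-secret")],
    )
    return conn

# Hypothetical vendor-style "patch": a denylist of the exact tokens that
# appeared in the reported exploit. Each new bypass needs one more entry.
DENYLIST = [r"\bUNION\b", r"\bOR\b\s+1\s*=\s*1", r"--"]

def blacklist_lookup(conn, name):
    """Vulnerable: string concatenation guarded only by the denylist.

    Raises ValueError when a known-bad pattern is seen; otherwise the
    untrusted input is spliced straight into the SQL text."""
    for pattern in DENYLIST:
        if re.search(pattern, name, re.IGNORECASE):
            raise ValueError("blocked by denylist")
    sql = f"SELECT name, secret FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def parameterized_lookup(conn, name):
    """Fixed for the whole weakness class: the input is bound as a
    parameter and is never parsed as SQL, whatever syntax it contains."""
    return conn.execute(
        "SELECT name, secret FROM users WHERE name = ?", (name,)
    ).fetchall()

def run_demo():
    """Exercise both lookups and return the observations as a dict."""
    conn = make_db()
    results = {}

    # 1. The payload the patch was written for is caught.
    try:
        blacklist_lookup(conn, "' OR 1=1 --")
        results["known_payload_blocked"] = False
    except ValueError:
        results["known_payload_blocked"] = True

    # 2. A trivially rephrased payload contains none of the listed tokens,
    #    passes the denylist, and turns the query into
    #    ... WHERE name = '' OR 'a'='a'   (true for every row).
    bypass = "' OR 'a'='a"
    results["bypass_rows"] = blacklist_lookup(conn, bypass)

    # 3. The same payload against the parameterized query is just a user
    #    name that nobody has.
    results["param_rows"] = parameterized_lookup(conn, bypass)

    # 4. Legitimate use still works with the parameterized version.
    results["legit_rows"] = parameterized_lookup(conn, "alice")
    return results

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of the script is step 2: the denylist was correct for the payload the vendor saw, yet the next variant dumps every row. Step 3 shows that the parameterized query never has to know what the next variant looks like, which is what addressing the weakness class rather than the individual finding means in practice.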
Today's CISOs need more modern and cost-effective security strategies, such as in-memory database protections or real-time self-protection for middleware and applications, together with other modern techniques that offer far more effective and proactive ways to address the security hygiene of enterprise software stacks, all while reducing downtime and business disruption. Where patching is unrealistic or impossible for the organization, smart CISOs use these technologies as a common control or a compensating control, as applicable, to meet or exceed the expectations of the security auditors.
For more such updates follow us on Google News ITsecuritywire News.