Vulnerability Fix Time Horizon
I’m going to first point you to this tweet, because it’s the basis for this short post: https://twitter.com/Wh1t3Rabbit/status/1466161788035026950
So I’ve been thinking since I wrote this re-tweet. At first it was my typical snark and meant to be a bit funny. But the longer I think about it, the more it weighs on my mind.
Having worked in a “very large software organization” that has had some security bugs in their code, it is interesting to ask the question “At what point does the benefit of the patch reach near-zero?”
I find this an interesting question for a number of reasons, but mainly because it deals with risk management where systems are allowed to persist (or are required to persist) in an unpatched state because two conditions are true:
- the vendor has not provided a patch, and
- the owner requires this specific system/configuration to exist.
Let’s take a made-up hypothetical situation, as follows. Your company buys a very large storage array. That array is used for some critical business process, like storing your customer data for analysis and such — critical to business function. Suddenly a vulnerability is discovered that is basically the equivalent of a hard-coded clear-text administrative credential in the system. Your security team recognizes the issue as critical and preps the organization for the inevitable patch. But, sadly, the patch comes very late. Say 5 months, or 5 years later.
You have a critical flaw, exploitable, in a system that’s critical to business process. In this industry we joke about everything aging in the equivalent of dog years, so what does a patch that is very, very, very late to the game do for your risk formula?
I made the statement in that tweet that at 8 years, the patch may not even be relevant anymore. Many, if not most, users of the system would have moved on and upgraded or retired a system in 8 years. Probably. But there are those pieces of tech that have longer lifespans, and are possibly still around. Whether it’s a printer, a storage array, or an application — some of these things live long lives in tech.
So think about it — is there a point on the time horizon at which you say “Well, you may as well not fix that at all”? How does something like a missing critical patch with a very long unfixable window impact your calculation of technical debt and IT risk?
I’m curious about your thoughts, as you read this post.