Last December we found out about a new vulnerability in Netgear routers. This is yet another occurrence in a long list of mishaps that can allow attackers to take over networking and security equipment and as a result gain a foothold in our networks and compromise business or personal information.
Vulnerabilities have always been part of the technology industry’s landscape. A vulnerability is a bug, and no one has found a way to create software without bugs. Vendors can tighten up their secure software development cycles to minimize occurrences, and customers need to stay current with software releases of the products they use, despite being short staffed and having more pressing threats and risks to tend to.
So, if vendors will always have bugs and customers are too busy, are we doomed to be exposed to these vulnerabilities forever? The short answer is no – but we will get to that later.
What we are experiencing is an architectural problem that must be solved before the situation can get any better. In the Netgear example we have millions of pieces of equipment across a dozen models that are vulnerable. Each one is its own universe. Hardware, firmware and operating system that were created at the time the device shipped. There is a need to deal with each combination – design, develop and test a patch – and then have customers apply it to the various instances in their environment.
I experienced the pain associated with this process, from the vendor side, first hand. Seven years ago, I worked for a network security appliance vendor that encountered its very first vulnerability. White Hat hackers did pen testing at one of our customers and found a way to bypass security processing. Unfortunately, it was a design bug. It required the R&D organization to develop a fix for every single version of software we had out there. That was a huge effort that impacted development plans for the quarter.
There was a bitter twist to this story – end of life software versions. The need to develop and test updates for appliance software builds no longer in production for many years was a mega project all by itself. Under normal conditions, customers would be required to upgrade their software and potentially their devices – but with a security fix, can you force the customer’s hand? Customers often resist any attempt to “touch” such environments in a way that can cause stability issues. They would prefer to continue to be exposed rather than take the risk.
Ultimately, it was a negative experience for both the vendor and the customers. While customers value the effort to keep products secure and up to date, they all needed to take the time and effort to plan and apply the patch. Others were forced to upgrade and a few declined despite our best communications efforts. As a vendor, we would prefer to see no customers left behind – no matter what risks they were willing to take on.
There was another lesson here. These “dated software” customers also couldn’t benefit from new features. Initially, they avoided patching for stability, but later they couldn’t upgrade because new software builds were starting to rely on stronger underlying hardware. So patch avoidance was also making the rollout of new capabilities, impossible. If a customer don’t patch, they become not only a “headline risk” but also likely to drop you as a vendor as they may have the wrong perception of your capabilities and value.
There is of course a way out. Cloud-based delivery of enterprise security software. A cloud vendor is responsible for maintaining a single code base that serves all customers. It can be upgraded at will as long as the system is backward compatible. The benefits of this model cannot be overstated. Any vulnerability in the system can be centrally closed and new features can be rapidly rolled out and activated either automatically or by the customers. From a vendor standpoint, this accelerates feedback loop into development on the value, impact and usage of new features, which in turn can be quickly converted to new enhancements and features that benefit customers. The future of software is “cloud delivered” – enabling both vendors and customers to achieve better stronger security at a lower cost and leaving the “vulnerability aftermath nightmare” behind.
[su_box title=”About Yishay Yovel” style=”noise” box_color=”#336588″][short_info id=’60593′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.