The problem with vulnerability hunting

Many businesses have paid dearly for a lack of attention to patch management. But the flaws are only part of the story.

I've written before about how a lot of time is wasted publicizing vulnerabilities. It's not that I don't think it's important. Indeed it is very important. But a lot of IT shops zero in on it so closely that the big picture is lost.

The topic is back on my mind after editing George Hulme's latest article -- an interview with database security expert David Litchfield.

I've known David a long time and single him out as the guy who taught me much of what I know about database insecurity. So when he says something like this, it's hard not to pay attention:

What is really depressing, for me, is we do all this really cool research into exotic vulnerabilities, developing new attack techniques and finding new classes of vulnerabilities. But at the end of the day, this stuff is irrelevant when eight times out of ten people are leaving default user names and passwords in place. Of what importance, really, is all of this research and attention on exotic vulnerabilities when the basics aren't even being given attention?

He's not the first to point this out. In two different interviews with security experts Jack Daniel and James Arlen I did a couple years ago, this was one of the main themes -- companies investing in all kinds of security only to screw it all up with poor configuration practices and a lack of big-picture thinking.

Patch management is one of those imperfect areas, as suggested a couple years ago in the article "Does patch management need patching?"

Asked what kinds of things are overlooked, Litchfield said:

People are pressured into getting their applications running as quickly as they can. However, when they try to manage permissions properly, that good practice can delay deployment slightly. So they say, "Oh look, let's just give users all the permissions. The application seems to work with these settings. Let's shove that into production." Not a great approach. If you don't want a breach, it's really worth spending the extra time to design an application that operates on least privilege.

As he says, companies don't like being told to slow down their push to deploy a new application. Some shops play up their patch management procedures as evidence that they really do care about security.
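To make the trade-off Litchfield describes concrete, here is an added example (not from the article, and not Litchfield's or any vendor's code) in PostgreSQL syntax. It puts the "just give users all the permissions" shortcut beside a least-privilege grant set for the same hypothetical application, then shows two review queries a DBA can run to spot over-privileged login roles. All object and role names (orders_app, orders, customers, audit_log, payroll) are constructed for illustration.

```sql
-- Constructed schema for the example (hypothetical names).
CREATE TABLE customers (id serial PRIMARY KEY, name text);
CREATE TABLE orders    (id serial PRIMARY KEY, customer_id int REFERENCES customers(id), total numeric);
CREATE TABLE audit_log (id serial PRIMARY KEY, at timestamptz DEFAULT now(), event text);
CREATE TABLE payroll   (id serial PRIMARY KEY, employee text, salary numeric);

-- (A) The deployment shortcut the quote describes: one login role, every
--     privilege, a default-style password nobody rotated. Any SQL injection
--     or leaked connection string in the app now owns the whole database,
--     payroll included.
CREATE ROLE orders_app LOGIN PASSWORD 'changeme';          -- placeholder "default" password
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO orders_app;
ALTER ROLE orders_app SUPERUSER;

-- (B) Least privilege for the same application: the role can do exactly what
--     the order-entry code path needs and nothing else.
CREATE ROLE orders_app_lp LOGIN PASSWORD 'REPLACE_WITH_UNIQUE_STRONG_SECRET';
ALTER ROLE orders_app_lp NOSUPERUSER NOCREATEDB NOCREATEROLE;
REVOKE ALL ON SCHEMA public FROM PUBLIC;                   -- nothing implied by default
GRANT USAGE ON SCHEMA public TO orders_app_lp;
GRANT SELECT ON customers TO orders_app_lp;                -- read-only lookup
GRANT SELECT, INSERT, UPDATE ON orders TO orders_app_lp;   -- no DELETE, no DDL
GRANT USAGE ON SEQUENCE orders_id_seq TO orders_app_lp;    -- needed for INSERT with serial id
GRANT INSERT ON audit_log TO orders_app_lp;                -- append-only audit trail
GRANT USAGE ON SEQUENCE audit_log_id_seq TO orders_app_lp;
-- payroll: no grant at all. A compromise of orders_app_lp cannot read it.

-- (C) Review: which login roles carry superuser or other global privileges?
--     In a healthy deployment this should list administrators only.
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb
FROM pg_roles
WHERE rolcanlogin AND (rolsuper OR rolcreaterole OR rolcreatedb)
ORDER BY rolname;

-- (D) Review: table privileges per application role, so the difference
--     between (A) and (B) is visible in one result set.
SELECT grantee, table_name,
       string_agg(privilege_type, ', ' ORDER BY privilege_type) AS privileges
FROM information_schema.role_table_grants
WHERE grantee IN ('orders_app', 'orders_app_lp')
GROUP BY grantee, table_name
ORDER BY grantee, table_name;
```

Run (C) and (D) against a staging copy before sign-off: the extra time is a handful of GRANT statements and one review, which is the "slightly delayed deployment" the quote weighs against a breach. The same pattern applies in other engines with their own syntax; only the PostgreSQL catalog views used in (C) and (D) are engine-specific.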

You could say it's their way of making themselves feel better.

As I said, vulnerability management is important. The mishandling of flaw findings and fixes isn't the fault of the vulnerability hunters.

It's the fault of companies that still don't understand the big picture after all these years.

--Bill Brenner


Copyright © 2011 IDG Communications, Inc.