Eric Helmer, Chief Technology Officer, Rimini StreetBlog

The InfoSec Clock is Ticking: Why enterprise users can’t wait for patch updates

By Eric Helmer, Chief Technology Officer, Rimini Street

Sound security policies have always been important but with the interconnected state of modern business, IT leaders are concerned more than ever before. However, this rising tide has also led to misguided panic and a doomed bid to cover all bases with some unfortunate by-products.

Many think there are no alternatives to the carousel of paying the annual maintenance “tax” and applying continuous disruptive software patches. But this ignores the nature of the modern security threatscape and that starts with the realization that most enterprise software companies are not security companies and likely never will be. ERP vendor-supplied software patches are usually simply bug fixes and bug fixing is almost always a glorified (and lucrative) form of bad code Whac-A-Mole.

Rimini Street survey finds CFOs prioritize digital transformation investments
Managing uncertainty: A CIO’s framework for IT prioritization

Can you wait so long for a security patch?

Typically, software vendors review bugs to determine their validity and significance, which can be an arduous and lengthy process. Vendors must identify all of the possible areas where the affected library or codebase was used, what platforms are affected, and its history. This is the point where vendors may figure out that a bug has existed for quite some time, often up to 20 or even 30 years. In fact, many times the same issue is patched again even years after as it’s very common to “miss a spot.”

Get off the security patching hamster wheel

But eventually, a patch is released, and this is where the true pain begins for organizations. Patching is typically a very lengthy and convoluted process, especially for large enterprise platforms where a company’s extensive customizations are likely to break due to some of the unexpected by-products of that patch’s behavior. Even if a company has a policy of immediate patching (which is very rare and more likely annual or at best monthly), it can easily be a year before the patch is downloaded, installed, tested through the landscape, and eventually put into production. Customers must wait for the patches to be released, perform rigorous regression testing, run Quality Assurance, do end-user testing, and repair the things the patches break multiplied by every single database or application instance in the company. This is all massively time-consuming, risky, disruptive, and expensive. Oh, and then when something very similar pops up again, it’s time to revive the entire hamster wheel all over again, because software vendors are commonly only blacklisting commands, which are frequently bypassed by the next command in the list, and customers are forced to repeat this cycle hundreds of times over.

For example, the Apache Struts vulnerability that led to the Equifax breach was due to an Insecure Deserialization flaw (CWE-502, one of many further CWE:20, Improper Input Validation flaws) heavily prevalent in most applications today. And THE patch that was released to address the issue still doesn’t solve the weakness of either CWE-502 or CWE-20, it only addresses the one exposure (CVE-2017-5638), around the same time, another patch was released to address the same type of weakness (CVE-2017-9805). This is why there have been hundreds of patches released to address Insecure Deserialization most of which are bypassed time and time again. Beyond the things that have been patched, think of the big headline security cases over the years: Marriott, Target, AdultFriendFinder, eBay… not one was solved by a vendor patch. These companies and others are more likely to have been undone by inattention to weak configurations, insider threats, lax admin actions, unenforced policies, and the like. These modern threat landscapes are causing ERP customers to question if they are really safe relying on vendor patches for their security policies.

The simple fact is that vendor patches are complex and even when applied, they tend to be limited in scope because they only address the issue that was discovered in the wild, and do not address the weakness as a whole.

There must be (and there is) a better way….

The bigger security picture

Modern security solutions address almost all of the applicable common weakness enumerations, and not just individual exposure points. For example, instead of dismantling a single SQL injection issue and keying on individual syntax vulnerabilities (vendor patch strategy), modern solutions mitigate SQL injection weaknesses as a whole.

Today, CISOs require modern and more cost-effective security strategies such as In-memory database protections, or real-time self-protection for middleware and applications, and other modern techniques that offer far more effective and proactive ways to address the security hygiene of enterprise software stacks, all with massive reductions in downtime and business disruption. The smartest CISOs leverage the use of these technologies as a common control or compensating control as applicable to meet or exceed security auditors’ expectations where patching is just too impractical or even not possible for the business.

As CTO, Helmer drives the company’s Office of the CTO, created to accelerate innovation that provides clients with unique solutions to maximize the effectiveness of their mission-critical enterprise software systems. Helmer has a broad range of experience providing a range of integrated technology services to support CIOs. He previously led Rimini Street’s Strategic Services Group, and prior to that, he served as a vice president at Velocity Technology Solutions where he led the application services team in delivering transformational cloud and IT solutions for Oracle enterprises.