Written By: Chet Hayes

In March of 2017, CVE-2017-5638 was publicly announced which disclosed a vulnerability in the Apache Struts framework. Approximately 2 months later Equifax was breached by hackers and over 200,000 credit cards were stolen.  More recently, Log4Shell was discovered in the popular and widespread open-source library Log4j. Researchers and cybersecurity providers quickly detected hundreds of thousands of attacks using the disclosed vulnerability in Log4j.   

In both cases, organizations needed to apply patches and updates to address the vulnerabilities.

Patching is the process of applying software updates to programs or applications to fix vulnerabilities, add new features, or improve performance. A software patch can be applied to either the source code or executable code of a program. Patching is a critical component of cybersecurity for both individual users and organizations. Cybercriminals are constantly looking for new vulnerabilities to exploit, and good patch management is one of the best ways to address these vulnerabilities before they can be exploited.

So how does an organization put in place good patch management?

First, you must assume that any complex software has some sort of flaw. While this is an interesting topic in and of itself, organizations should have a security policy in place that is built around the assumption that flaws exist.

Second, an organization needs to understand what software products are used within their organization, and what supporting libraries and frameworks make up that product. Having a software bill of materials (SBOM) will help make this easier.

Third, Your DevSecOps pipeline or patch management process should enable a rapid release of a security fix. Organizations should be thinking about rollout times in terms of minutes/hours and not days/weeks.

Fourth, A good continual monitoring program is crucial to identifying unusual access patterns and behaviors that are indications of something nefarious.

There will always be the next vulnerability. But organizations that understand what is in their organization (think SBOM), assume that flaws exist, continually monitor for unusual behavior and access patterns, and have a process in place to rapidly deploy patches will be ahead of the curve in protecting their cyber infrastructure.