Did the headline grab your attention? Good. Now let's talk about real patch management. Plenty of IT teams have solid patch management practices for the operating system, yet leave unpatched the 80 percent or more of vulnerabilities that live in third-party applications. Don't believe me? Look at this graph.
Our experts at Shavlik looked at the CVE data in the National Vulnerability Database and compared the number of vulnerabilities in applications outside the operating system with the number in the operating system itself. The application share far exceeds the OS share. We then compared the data year over year to see whether this was a growing trend. Surprisingly, it was not: the graph shows that roughly eighty percent of vulnerabilities (87% in 2014) come from third-party applications, and have for the last 15 years. Keep in mind that this counts published vulnerabilities, not how often each one is exploited; it tells you where the patching work is, not which single bug is the most dangerous.
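The comparison above can be reproduced from NVD data because every CPE 2.3 name attached to a CVE carries a "part" field: `a` for an application, `o` for an operating system, `h` for hardware. The script below is an added example, not Shavlik's code or the analysis behind the graph; it runs on a small set of constructed records rather than a real NVD download, and the record format (CVE id, year, list of CPE names) is an assumption that mirrors what you would pull out of the NVD JSON feeds. Two details matter when you do this for real and are handled here: an application CVE very often lists the OS it runs on as a platform, so any record with an `a` product must count as an application vulnerability, and colons inside a CPE field are escaped as `\:`, so a naive `split(":")` miscounts fields.

```python
"""Classify CVEs as OS vs application vulnerabilities by the CPE 2.3 'part' field.

Added example (not Shavlik's code). SAMPLE_CVES below is constructed, not real NVD data.
"""
import re
from collections import Counter, defaultdict

# cpe:2.3:part:vendor:product:version:update:edition:lang:sw_edition:target_sw:target_hw:other
CPE23_FIELDS = 13
# Split on ':' only when it is not escaped as '\:' (escaped colons are legal inside a field).
_UNESCAPED_COLON = re.compile(r"(?<!\\):")

# Constructed sample records: (cve_id, year, CPE 2.3 names from the record's configurations).
# Application CVEs commonly also list the OS they run on, which is why classify_cve()
# checks for an application part first.
SAMPLE_CVES = [
    ("CVE-2013-0001", 2013, ["cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*"]),
    ("CVE-2013-0002", 2013, ["cpe:2.3:a:adobe:acrobat_reader:11.0:*:*:*:*:*:*:*",
                             "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*"]),
    ("CVE-2013-0003", 2013, ["cpe:2.3:a:oracle:jre:1.7.0:update_25:*:*:*:*:*:*"]),
    ("CVE-2013-0004", 2013, ["cpe:2.3:a:apple:itunes:11.0.3:*:*:*:*:*:*:*"]),
    ("CVE-2013-0005", 2013, ["cpe:2.3:a:mozilla:firefox:22.0:*:*:*:*:*:*:*",
                             "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*"]),
    ("CVE-2014-0001", 2014, ["cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*"]),
    ("CVE-2014-0002", 2014, ["cpe:2.3:a:adobe:flash_player:13.0.0.182:*:*:*:*:*:*:*",
                             "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*",
                             "cpe:2.3:o:apple:mac_os_x:-:*:*:*:*:*:*:*"]),
    ("CVE-2014-0003", 2014, ["cpe:2.3:a:google:chrome:34.0.1847.116:*:*:*:*:*:*:*"]),
    ("CVE-2014-0004", 2014, ["cpe:2.3:o:linux:linux_kernel:3.14:*:*:*:*:*:*:*"]),
    # Constructed name with an escaped colon in the version field to exercise the parser.
    ("CVE-2014-0005", 2014, ["cpe:2.3:a:example:update_agent:2.0\\:beta:*:*:*:*:*:*:*"]),
    ("CVE-2014-0006", 2014, ["cpe:2.3:h:example:branch_router:-:*:*:*:*:*:*:*"]),
]


def parse_cpe23(name):
    """Split a CPE 2.3 formatted string into its fields, honouring '\\:' escapes."""
    fields = _UNESCAPED_COLON.split(name)
    if len(fields) != CPE23_FIELDS or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {name!r}")
    part = fields[2]
    if part not in ("a", "o", "h"):
        raise ValueError(f"unknown CPE part {part!r} in {name!r}")
    return {"part": part, "vendor": fields[3], "product": fields[4], "version": fields[5]}


def classify_cve(cpes):
    """Bucket one CVE as 'application', 'os', 'hardware' or 'unknown'.

    A CVE with any application product counts as an application vulnerability,
    even when the OS it runs on is listed alongside it as a platform.
    """
    parts = {parse_cpe23(c)["part"] for c in cpes}
    if "a" in parts:
        return "application"
    if "o" in parts:
        return "os"
    if "h" in parts:
        return "hardware"
    return "unknown"


def share_by_year(records):
    """Return {year: {'application': n, 'os': n, 'hardware': n, 'total': n, 'app_pct': f}}."""
    per_year = defaultdict(Counter)
    for _cve_id, year, cpes in records:
        per_year[year][classify_cve(cpes)] += 1
    summary = {}
    for year, counts in sorted(per_year.items()):
        total = sum(counts.values())
        summary[year] = {
            "application": counts["application"],
            "os": counts["os"],
            "hardware": counts["hardware"],
            "total": total,
            "app_pct": round(100.0 * counts["application"] / total, 1),
        }
    return summary


if __name__ == "__main__":
    for year, row in share_by_year(SAMPLE_CVES).items():
        print(f"{year}: {row['application']}/{row['total']} CVEs in applications "
              f"({row['app_pct']}%), {row['os']} in the OS, {row['hardware']} in hardware")
```

To run this against real data, replace `SAMPLE_CVES` with records built from the NVD JSON feeds and keep the same classification rule; the application share you get will only match a graph like the one above if the same "any application product wins" rule was used, so state the rule whenever you publish the number.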
Now that you've seen that the majority of vulnerabilities come from third-party applications, why are you still holding off on patching them? Most organizations have fairly stringent standards for updating the Microsoft OS and Microsoft applications, but miss or ignore many of the most problematic third-party applications. Apple, Adobe, Java and browser applications together add up to the most dangerous, yet most easily solved, security problem in your organization.
IT teams have legitimate concerns about patching these applications. Most have to do with time, expense, and the pain of reboots for end users or maintenance windows in the data center. IT struggles to keep up as new application titles and versions are added, and the time and expense of patching grows with every title, because each vendor has its own release cadence, installer and update mechanism. The good news is that products like Shavlik can automate the process. (Now is a good time to check it out.)
This next graph shows the general trend of the growing threat. It shows not only the growing number of vulnerabilities but also the monumental effort vendors put into providing updates for their software. We were not surprised to find an upward trend overall, but we were surprised to find periods with fewer vulnerabilities as applications and operating systems stabilized. Nevertheless, attackers will keep attacking, and new software versions, paired with the ever-increasing amount of code in use, will keep the problem growing.
With this information, and the growing threat from attackers, you can see that you need an effective patch management strategy. Make sure it covers endpoints as well as servers, and that it emphasizes third-party application coverage rather than just Patch Tuesday. A quick check: if your patch compliance reports list only Microsoft updates, you are not even measuring the other eighty percent, let alone patching it.
You are welcome to comment. What other trends do you see with this information?