Crowdpatching
Let me count the ways in which today's fixing of critical vulnerabilities just doesn't work:
- There are very few software vendors with an established process for collecting vulnerability data and issuing regular security updates.
- Most software products don't get any "out of band" security updates in response to detected exploitation; instead, known vulnerabilities are fixed in scheduled new releases, while attackers are having a ball.
- Most software includes third-party components: when a vulnerability is found in such a component (e.g., OpenSSL) and instantly affects hundreds or thousands of products, it is extremely difficult to fix all affected products.
- A growing number of security researchers are looking for vulnerabilities in all sorts of software every day: fuzzing, testing, tinkering, manually and with tools. More and more vulnerabilities are being found per day, and the software industry is unprepared to address this problem.
- When an official security update is made available to users, it is not just a matter of clicking "Yes" and having it installed - not in a large network anyway. Because updates have broken computers in the past, admins are typically
- Vendors: We want to create secure software and don't want to put our users at risk. However, we're already operating near our capacity to bring you new and better stuff, and vulnerabilities randomly appearing in our pipeline can't be served immediately (plus testing takes a lot of effort, so we'd rather combine several issues in a single update). Our agreement with users doesn't include getting paid for servicing (fixing) our products, which doesn't really help vulnerability fixing get a high priority. The reality of the market is that if we don't focus on things that make money, we won't be around tomorrow.
- Enterprises: We want quick fixes for critical vulnerabilities in all software. We don't want to have a different process for every vendor. We don't want to have some software patched and some not. We don't want to pay extra to each vendor for their security updates, but we may be willing to pay a reasonable fee to have overall security patching covered. We don't want security fixes to break our production, and we don't want to delay patching for months for fear of breakage.
- IoT vendors: We need to be the first to market to ride the IoT wave. The market will not reward us for taking extra care of security in our "smart pencil" if that means we'll start shipping when everyone already has a smart pencil.
Corollary: it doesn't pay to make secure software (case in point: insecure security software).
- Bad security is hard for an average buyer to notice: the market therefore does not punish bad security (which is, by the way, why we should admire the efforts of those vendors who actively invest in security).
- Security researchers: once a vulnerability is found, there are these options (from slides).