Security: Getting Off the Patch

Part 1 of 2

Most people are on the patch right now. These patches release a small dose of “security achievement” to last until the next patch is available. That feeling of having done something about security is hard to deny which is why so many people crave it.

Luckily for the patch addicts out there, they’re also a compliance requirement. For those of you who don’t know, a compliance requirement is apparently when a bunch of influential companies can suggest the same bad practice, usually involving some software they sell, which makes it a best practice.

Then, they all donate the time of an employee to help write those best practices into some compliance checklists. Then some money is transferred to Panama. And that, kids, is how a bill becomes a law. I may have missed a step or two but you get the idea.

Anyway, my point is that patches are easy to do, cheap to get, and make people feel good for a little while. But they wear off really quickly, and you’ll need more in no time flat – they’re kind of like the information security equivalent of nasal spray.

Is it Any Wonder Why We Call Patches a “Fix”?

Software companies, those patch dealers, love the patch. It gives them a way to change their code after it’s already been paid for and put on your machine. This way they can provide new features and fix vulnerabilities or, still under the guise of the security update, address their own internal policy issues by removing content you already had, change their corporate strategic models and direction by removing parts of your application to be re-sold back to you as add-ons, or to better track how their software is being used – which turns their customers into (Read more...)

*** This is a Security Bloggers Network syndicated blog from Cylance Blog authored by Pete Herzog. Read the original post at: https://threatmatrix.cylance.com/en_us/home/security-getting-off-the-patch.html