Security Wars: Patch Management vs Reverse Engineering
Yogesh Gupta
Experienced Cloud Enablement & Security Professional | Risk Mitigation Strategist | Championing IT Transformation | Passionate about designing lean multi-cloud hybrid IT environments
Do we know that more than 90 percent of exploited vulnerabilities had already been publicly disclosed for over a year before they were exploited? Or, even worse, that they are still being exploited months after their security patches were released?
How sensible are we as organizations, or rather, I would say, as a fractured group of security governance and security management?
I am raising all this because the reality is that a security patch can be reverse engineered to create an exploit for the very vulnerability it fixes. The diff between the unpatched and the patched code points an attacker straight at the vulnerable code path and at the input condition the new check rejects, which is exactly the input the old code mishandled.
Quoting from an old Bruce Schneier blog post:
"Attackers can simply wait for a patch to be released, use these techniques, and with reasonable chance, produce a working exploit within seconds"
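To make the point concrete, here is an added example that is not part of the original post and not anyone's real tooling. It diffs two constructed versions of a hypothetical C record parser (before and after a bounds-check fix), pulls out the guard the patch introduced, and uses that condition to build the input the unpatched version mishandles. The snippets, the function name and the 64-byte buffer are assumptions for illustration; in practice the diffing is done against binaries rather than source, and turning the diff into a working exploit takes far more work than shown here, but the information the patch leaks is the same.

```python
"""Toy patch diffing: recover the vulnerability trigger from a patch.

Constructed example: two versions of a hypothetical C record parser,
before and after a bounds-check fix. Neither snippet is from a real
product; the names and the 64-byte buffer size are assumptions.
"""
import difflib
import operator
import re

# Pre-patch version (constructed): copies a caller-controlled number of
# bytes into `out` without checking it against `out_len`.
UNPATCHED = """\
int parse_record(const uint8_t *data, size_t data_len,
                 uint8_t *out, size_t out_len)
{
    uint8_t length = data[0];
    memcpy(out, data + 1, length);
    return length;
}
"""

# Post-patch version (constructed): identical except for the added guard.
PATCHED = """\
int parse_record(const uint8_t *data, size_t data_len,
                 uint8_t *out, size_t out_len)
{
    uint8_t length = data[0];
    if (length > out_len)
        return -1;
    memcpy(out, data + 1, length);
    return length;
}
"""


def added_lines(old: str, new: str) -> list[str]:
    """Lines the patch adds: the '+' lines of a unified diff, minus the header."""
    diff = difflib.unified_diff(old.splitlines(), new.splitlines(),
                                lineterm="", n=0)
    return [line[1:].strip() for line in diff
            if line.startswith("+") and not line.startswith("+++")]


GUARD_RE = re.compile(r"^if\s*\((.+)\)\s*$")


def added_guards(old: str, new: str) -> list[str]:
    """Conditions of `if (...)` statements that exist only after the patch.

    A guard the patch adds rejects exactly the inputs the old code
    mishandled, so its condition is the attacker's trigger condition.
    """
    return [m.group(1).strip()
            for line in added_lines(old, new)
            if (m := GUARD_RE.match(line))]


CMP_RE = re.compile(r"^(\w+)\s*(>=|<=|==|!=|>|<)\s*(\w+)$")
OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
       "<=": operator.le, "==": operator.eq, "!=": operator.ne}


def guard_holds(guard: str, env: dict[str, int]) -> bool:
    """Evaluate a simple `a OP b` guard under concrete variable bindings.

    A tiny evaluator on purpose rather than eval(): the guard text is
    lifted from code we do not control, and only comparisons are needed.
    """
    m = CMP_RE.match(guard)
    if not m:
        raise ValueError(f"unsupported guard: {guard!r}")
    lhs, op, rhs = m.groups()

    def resolve(tok: str) -> int:
        return int(tok) if tok.isdigit() else env[tok]

    return OPS[op](resolve(lhs), resolve(rhs))


def craft_trigger_record(out_len: int) -> bytes:
    """Build the smallest record the new guard rejects: one byte past the buffer."""
    length = out_len + 1
    if length > 0xFF:
        raise ValueError("a one-byte length field cannot overflow this buffer")
    return bytes([length]) + b"A" * length


if __name__ == "__main__":
    guards = added_guards(UNPATCHED, PATCHED)
    print("guards added by the patch:", guards)
    record = craft_trigger_record(out_len=64)
    env = {"length": record[0], "out_len": 64}
    for g in guards:
        print(f"patched code rejects this record ({g}):", guard_holds(g, env))
```

Run it and the only thing the patch added, `length > out_len`, falls out of the diff; a record whose length byte is 65 against a 64-byte buffer satisfies it, which is the same record that makes the unpatched memcpy write past the buffer. That is all the "reverse engineering" a patch hands over for free, and it is why the window between patch release and patch deployment matters more than the window before disclosure.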
-------
And now let me talk about a real corporate scenario, one I have been part of many times ...
"Yogi, you want to patch a server. Not a problem, go to Change Management."
And my first thought: "Yogi, your server will be compromised again."
And then, what always happens to people like me: I filled out the change management form.
First comes the change management process, which will, of course, now take some weeks. The reasons are the usual ones:
1) The change form was not complete.
2) The risk assessment section was not filled in.
3) Our CAB meeting happens only once a week.
4) No, you cannot raise this as an emergency change, as there is no loss of business.
5) The Change Manager was on leave on the date of the CAB meeting ... ha ha
And this just goes on and on ...
I just want to put across one point. The above was just an example of the path we in a corporate environment often take.
Now, my point is:
We as a security community, and corporate management with us, are a confused blend of experienced industry experts who keep producing standards, frameworks and processes, but who never get enough of a common platform to let all of this melt together into a single mature and secure world.
But in all this, I do not know how many systems are getting compromised, but certainly the quality of security has been compromised.