Once or twice a year, a major software vulnerability is discovered in an open source software component, affecting millions of software products and millions of websites.
These vulnerabilities are so serious that they make it into traditional newspapers and TV news. The topic lasts a few days and then disappears again. But does that mean the vulnerabilities have disappeared or are no longer relevant? No, of course not. Have the experts fixed them? As my former company's representative for application security matters, I was invited four weeks after one such occurrence, together with 20 other software suppliers, to report on the status of progress to the client, a large bank. The following statistics/drama unfolded before me:
- 30% claimed the problem did not occur with their software, though two of them could not even say whether they produced Windows or Unix software.
- 25% of suppliers did not send a representative to the meeting in the first place or did not dial in.
- 20% had apparently heard about the vulnerability for the first time in the invitation and were hoping to gain insights on it in the meeting.
- 15% were still waiting for feedback from the development team; the request had come too "suddenly", they said.
- 5% complained that they were not responsible for this and that the customer should please contact the hotline if there were problems with the software.
- 5% had proactively sent the customer mitigation instructions right after the disclosure and a hotfix 2 days later.
Four weeks is a lot of time for attackers. In the meantime, there were 47 publicly available exploit projects on GitHub alone that even a script kiddie could run to determine from the outside, via the URL, whether a website was vulnerable.
How many suppliers got it right? A whole five percent?
It takes a strategy to be prepared.
Feel free to visit us at https://www.wobeecon.com.