19 May 2023
I’m certain this has been written about before. I believe it’s worth laying out again. This month I will have covered information security for 17 years. The vulnerability hype cycle has not changed. While I do not have all the answers, I do have confidence in our community that we will continue to work toward change. For now, here’s my tongue-in-cheek description of how so many vulnerabilities are handled today:
- Someone, or a team of people, spends copious amounts of time finding a software bug or a series of bugs. A small subset of those bugs ends up being vulnerabilities. An even smaller subset of those bugs ends up being exploitable.
- An exploit is written, and a disclosure process takes place over some arbitrary period of time.
- The vulnerability potentially gets a name, a logo, a song, a dance, and a website.
- Everyone starts talking about the vulnerability, especially how bad it is. We throw around terms like “supply chain,” “vulnerability management,” “patching” and “risk” often without enough context or definition.
- Malicious actors begin exploiting the vulnerability to achieve their goals (this could happen before any of these steps, including #1).
- Some organizations patch the vulnerability, and some do not. Sometimes the patch works, sometimes it does not, or additional vulnerabilities are discovered and patched (or not).
- Eventually, everyone forgets about the vulnerability, and X number of systems remain vulnerable forever.