Software industry slammed for poor patching practice


Vendors are failing to help IT departments effectively patch vulnerabilities, as 2011 marked another low point for the software industry, according to a security company's report.

Too few vendors are being proactive in promoting patching and easing the burden for IT managers, Thomas Kristensen, chief security officer at Secunia, told IT Pro.

"Vendors in general should improve their communication to customers and the patch distribution mechanism (for consumers that would imply auto updating)," Kristensen said.

His comments came as Secunia's annual patch report found none of the top 20 software providers, including tech giants like Apple, Microsoft and Google, were able to cut the number of flaws in their products over the past five years.

Despite massive security investments by the industry, the number of vulnerabilities is still rising, and rising manifold.

Secunia slammed the software industry for remaining in "static mode."

Vulnerabilities affecting typical endpoints more than tripled to over 800. Over three-quarters of these were found in third-party, non-Microsoft programs, debunking the myth that the Redmond giant's products are responsible for many security holes within organisations.

Businesses that choose to secure only the operating system and Microsoft programs leave themselves open to "considerable risk," Secunia warned.

In particular, Kristensen warned of complacency amongst Apple product users.

"Many vulnerabilities are being discovered in products running on Mac OS X and iOS devices. Also there seem to be more exploits being developed for Mac-based products," he said. "This combined with the uptake of Mac is likely to cause criminals to start targeting Mac users as well."

Kristensen advised getting the appropriate intelligence about vulnerabilities in relevant programs. Security information and event management (SIEM) technologies can help organisations with this.

He also recommended CIOs "enforce a policy that dictates how frequently/fast security-related updates should be applied."

Users also need to get their act together, Secunia said, as 72 per cent of vulnerabilities had a patch available on the day of disclosure.
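The two recommendations above, a policy on how fast security updates must be applied and intelligence on which vulnerabilities affect the programs in use, translate into a measurable patch-compliance check. The following is an added example, not code from the article or from Secunia: it runs a per-severity deployment deadline (the deadline values, the vendor names "vendor-a" to "vendor-d", and the product names are constructed assumptions) over a small constructed inventory of vulnerability records and also reports the share of flaws whose fix was available on disclosure day, the figure Secunia quotes as 72 per cent for 2011.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed policy: maximum days allowed between a fix becoming available
# and its deployment, keyed by severity. These numbers are an assumption,
# not figures from the report.
POLICY_DAYS: Dict[str, int] = {
    "extremely critical": 1,
    "highly critical": 7,
    "medium": 30,
    "low": 90,
}

# Reference date for records whose fix has not yet been applied (assumption).
AS_OF = date(2011, 9, 1)


@dataclass(frozen=True)
class VulnRecord:
    vendor: str
    product: str
    severity: str
    disclosed: date
    patch_available: Optional[date]  # None if the vendor has not shipped a fix
    patch_applied: Optional[date]    # None if the fix has not been deployed yet


# Constructed sample inventory; vendors and products are hypothetical.
SAMPLE: List[VulnRecord] = [
    VulnRecord("vendor-a", "office-suite", "highly critical",
               date(2011, 3, 1), date(2011, 3, 1), date(2011, 3, 5)),
    VulnRecord("vendor-b", "pdf-reader", "highly critical",
               date(2011, 4, 10), date(2011, 4, 10), date(2011, 5, 1)),
    VulnRecord("vendor-c", "browser-plugin", "extremely critical",
               date(2011, 6, 1), date(2011, 6, 15), None),
    VulnRecord("vendor-a", "mail-client", "medium",
               date(2011, 7, 12), date(2011, 7, 12), date(2011, 7, 30)),
    VulnRecord("vendor-d", "media-player", "medium",
               date(2011, 8, 1), None, None),
]


def share_patched_on_disclosure(records: List[VulnRecord]) -> float:
    """Fraction of records whose fix was available on or before disclosure day."""
    if not records:
        return 0.0
    same_day = sum(
        1 for r in records
        if r.patch_available is not None and r.patch_available <= r.disclosed
    )
    return same_day / len(records)


def policy_violations(records: List[VulnRecord],
                      as_of: date = AS_OF) -> List[Tuple[VulnRecord, int]]:
    """Return (record, lag_in_days) for every fix deployed later than policy allows.

    Records with no available fix are skipped: the policy governs deployment
    speed, and a missing vendor patch is a separate tracking problem.
    An undeployed fix is measured against `as_of`, so it keeps accruing lag.
    """
    violations = []
    for r in records:
        if r.patch_available is None:
            continue
        if r.severity not in POLICY_DAYS:
            raise ValueError(f"no policy window for severity {r.severity!r}")
        end = r.patch_applied or as_of
        lag = (end - r.patch_available).days
        if lag > POLICY_DAYS[r.severity]:
            violations.append((r, lag))
    return violations


def flaws_per_vendor(records: List[VulnRecord]) -> Dict[str, int]:
    """Count records per vendor, the shape of Secunia's 'worst offenders' table."""
    counts: Dict[str, int] = {}
    for r in records:
        counts[r.vendor] = counts.get(r.vendor, 0) + 1
    return counts


if __name__ == "__main__":
    print(f"fix available on disclosure day: "
          f"{share_patched_on_disclosure(SAMPLE):.0%}")
    for rec, lag in policy_violations(SAMPLE):
        print(f"VIOLATION {rec.vendor}/{rec.product} ({rec.severity}): "
              f"{lag} days, policy allows {POLICY_DAYS[rec.severity]}")
    print("flaws per vendor:", flaws_per_vendor(SAMPLE))
```

The undeployed "extremely critical" record is reported as a violation even though nobody has applied anything yet, which is the behaviour a deadline policy needs; the record with no vendor fix is left out of the deadline check and would belong on a separate list of items awaiting a patch.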

In 2011, Secunia found over half of vulnerabilities were rated as "medium," "highly" or "extremely critical," showing many presented a genuine threat.

Over three-quarters of flaws in 2011 were exploitable from a remote network.

The worst offenders

Secunia listed the top 20 companies with the most vulnerabilities in their software. Novell came out with the most, as 2011 saw its software affected by 1,113 flaws. Red Hat was in second, with 982.

Most of those two companies' flaws were shared, meaning they affected products of other vendors, Secunia said.

Tom Brewster

Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.

He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.