GitLab announced the launch of GitLab 18, including AI capabilities natively integrated into the platform and major new innovations across core DevOps, and security and compliance workflows that are available now, with further enhancements planned throughout the year.
Cyberattacks are publicized much more frequently than the hard work security teams put in to stop them. 2017's WannaCry and 2022's Log4Shell were amplified by companies' failures to install readily available patches, causing highly destructive, expensive, and embarrassing consequences for victim organizations.
Most companies provide security patches upon detection of vulnerabilities, but they are not always timely or taken seriously. Patch management involves more than installing patches or code changes in the event of a breach; it's about keeping your finger on the pulse to stay alert to available patches, test them, and document the processes to ensure security, reliability, and compliance.
Whose Job Is It Anyway?
Only your security department can identify vulnerable software, prioritize updates, and deploy patches. While detection can come in the form of email alerts from the affected vendor or the in-house use of vulnerability scanners(link is external), the practice of patch management (including acquiring the patch, testing, and installation) falls in the hands of your IT team.
If the looming threat of data breaches isn't enough to convince you of the importance of patch management, the shadow of a lawsuit should be. Equifax succumbed to the FTC's enormous $700 million fine in 2019, with patch management failures listed on the score sheet. After noticing a vulnerability in its ACIS database, Equifax followed protocol and ordered a patch within 48 hours of detection. Unfortunately, the command slipped through the cracks. Equifax's security team failed to carry out the patch, putting the company under the FTC's spotlight and demonstrating the criticality of effective delegation and ownership.
Perhaps the people with "true" ownership over patch management are your legal department, albeit inadvertently. Although lawyers don't have the technical expertise to verify successful patch management, it's their mess to clean up if anything goes wrong. Cybersecurity regulation and litigation are more stringent than ever, and the changing face of compliance means that fines can peak at €20 million or 4% of annual global turnover (whichever is greater) for infringements in the EU. In the US, federal and state limits are rising ever higher. For example, the Department of Health and Human Services (HHS) dishes out HIPAA (Health Insurance Portability and Accountability Act) fines of up to $50,000 per violation.
Critical Limitations of Patch Management
Let's review the limitations of patch management and how you can, well, patch things over.
1. Prioritization
It's a universal fact that critical vulnerabilities must be addressed quickly, but that doesn't mean they carry equal weight. Cyber threats are never-ending; new exploits are discovered daily, and IT teams receive a torrent of time-consuming updates that affect workflows and cause alert fatigue.
It's impossible to sift through every notification manually, leading to a dissipation of responsibility (as we saw in the Equifax case) and a lack of clarity regarding prioritization. Automated patch management solutions can do the heavy lifting for you. Otherwise, to wade through the prioritization tasks, you can take a risk-based strategy based on the following categories:
■ Classification: What type of vulnerability is it?
■ Asset information: Identify all assets. For each, define who is responsible for it, its role in your organization, and its worth.
■ Severity: Using the Common Vulnerability Scoring System (CVSS) to rate the severity of the vulnerability from 1-10.
■ Exploitability: How likely is it that an attacker will exploit this vulnerability?
■ Impact: What consequences will this vulnerability have in terms of a data breach, financial loss, or system downtime?
2. The Cut-Off Point
You can't patch what you can't see, and this problem is two-fold for enterprises. Firstly, some legacy systems and software no longer receive vendor-supplied fixes. For example, as of January 2023, Microsoft stopped patching Windows 7, Windows 8 (and 8.1), and Windows Server 2008 R2, leaving the door wide open for security risks.
Secondly, enterprise patch management is a web of complexity. Amongst legacy devices (of which some will be patch-less), your employees will likely use a range of company-issued and personal devices to access workplace data, including modern PCs, smartphones, and IoT devices. Unfortunately, keeping tabs on them all is incredibly difficult, as is remote patching in the work-from-home era. IT teams are limited to chasing colleagues and encouraging them to hit the "restart PC" button. Moreover, the risk of service downtime triggers employees to ask for exceptions and ignore auto-updates.
For this reason, automated patch management solutions must limit disruption, address exemptions, and offer IT teams the necessary flexibility, such as accounting for time zones in the deployment schedule.
3. Zero-Day Vulnerabilities
The patch management playing field is known vulnerabilities, which means your organization remains open to zero-day attacks that have yet to be publicly disclosed. Even if you patch every known vulnerability promptly, you can't guarantee protection against zero-day exploits.
Establishing a zero trust framework is an effective strategy for addressing zero-day exploits, as it assumes the hacker already has access to your network. However, most patch management solutions don't enforce access management policies, so your best bet is to pair patch management with IAM to limit attackers' lateral movements.
Automate to Accelerate Patch Management
Ultimately, all roads point to end-to-end patch management automation as the most efficient and fast method of implementing patch management policies, determining patch windows, and applying fixes. When there are thousands of vulnerabilities to address daily, it's time to cut out the manual efforts.
Industry News
Perforce Software is partnering with Siemens Digital Industries Software to transform how smart, connected products are designed and developed.
Reply launched Silicon Shoring, a new software delivery model powered by Artificial Intelligence.
CIQ announced the tech preview launch of Rocky Linux from CIQ for AI (RLC-AI), an operating system engineered and optimized for artificial intelligence workloads.
The Linux Foundation, the nonprofit organization enabling mass innovation through open source, announced the launch of the Cybersecurity Skills Framework, a global reference guide that helps organizations identify and address critical cybersecurity competencies across a broad range of IT job families; extending beyond cybersecurity specialists.
CodeRabbit is now available on the Visual Studio Code editor.
The integration brings CodeRabbit’s AI code reviews directly into Cursor, Windsurf, and VS Code at the earliest stages of software development—inside the code editor itself—at no cost to the developers.
Chainguard announced Chainguard Libraries for Python, an index of malware-resistant Python dependencies built securely from source on SLSA L2 infrastructure.
Sysdig announced the donation of Stratoshark, the company’s open source cloud forensics tool, to the Wireshark Foundation.
Pegasystems unveiled Pega Predictable AI™ Agents that give enterprises extraordinary control and visibility as they design and deploy AI-optimized processes.
Kong announced the introduction of the Kong Event Gateway as a part of their unified API platform.
Azul and Moderne announced a technical partnership to help Java development teams identify, remove and refactor unused and dead code to improve productivity and dramatically accelerate modernization initiatives.
Parasoft has added Agentic AI capabilities to SOAtest, featuring API test planning and creation.
Zerve unveiled a multi-agent system engineered specifically for enterprise-grade data and AI development.
LambdaTest, a unified agentic AI and cloud engineering platform, has announced its partnership with MacStadium(link is external), the industry-leading private Mac cloud provider enabling enterprise macOS workloads, to accelerate its AI-native software testing by leveraging Apple Silicon.
Tricentis announced a new capability that injects Tricentis’ AI-driven testing intelligence into SAP’s integrated toolchain, part of RISE with SAP methodology.