The applications we use every day are essential for our jobs, but they’re also potential points of weakness that businesses must secure. Application vulnerabilities that come from errors or oversights in software code may provide attack vectors that could be used to penetrate an entire infrastructure.
The implications of this kind of breach are serious. The financial costs may be huge, but the reputational damage could be devastating.
That’s why security is big business, and solutions that promise to overcome application vulnerabilities are especially attractive.
But can traditional patch management solutions cope with complex and widespread application vulnerabilities?
Data from Secunia’s 2014 Vulnerability Review shows that application vulnerabilities are everywhere. In 2013, there were 32% more vulnerabilities found in the examined applications, 16.3% of which were described as ‘highly critical’.
Almost 76% of these vulnerabilities affected third-party programs. What that means is that the threat isn’t just large in size – it’s diversely spread across many applications on a network.
For many years, Microsoft programs have formed the core of the average business setup. But patching Microsoft programs alone protects against just 24% of the total risk posed by vulnerabilities.
One of the toughest tasks for an IT manager is application discovery. Individual machines on a network could be home to third-party applications that are unknown and, as a result, will never be scanned or patched. Only when all applications have been discovered can a conventional patch management solution come into play, applying patches automatically across the whole organisation.
Dealing with application vulnerabilities also means identifying previously unknown weaknesses and reporting them to the application developers, who will go on to create the necessary patch. This is yet another challenge, and another element of a full solution for application vulnerabilities.
Patch management is effective, but to meet the real demands on an IT manager, solutions need to go even further.
Lee Morton is an IT distribution support and encryption veteran. He has been supporting the channel since 1998, working his way up from helpdesk support technician to heading the services team. Lee took the lead in encryption training, services and consultancy in 2007 and became the go-to technical resource for SafeBoot ahead of its integration into the McAfee product range. He is a trainer, consultant and support resource for the channel. You can reach him on LinkedIn.