When you think of securing applications against vulnerabilities, you’re usually talking about keeping up with new patches: staying one step ahead of the attackers by patching new application vulnerabilities before they can be exploited.
But there’s a problem. All this is wrapped up in the vocabulary of newness. We spend so much time talking about a fast response to the latest risks that we forget the other part of security – the older vulnerabilities that remain.
Newly discovered application vulnerabilities are a serious issue. But they’re not the entire issue. While you’re looking at what’s happening right now, you also need to keep your attention on the weaknesses that are months – or even years – old.
It’s easy to focus your attention on the very latest versions of applications. After all, they’re probably the ones that are most widely used in your organisation. They’re the applications you know about, the ones you watch carefully, and the ones whose vulnerabilities you may hear about.
As a result, it’s easier to discover application vulnerabilities and apply the appropriate patches. In theory. Of course, the reality is that it’s time-consuming and resource-intensive to keep up with these vulnerabilities, let alone package and deploy patches.
The right software makes things easier and more efficient, with automation to help you prioritise and deploy patches across your entire infrastructure. But, even without the best tools, new vulnerabilities could come to your attention.
Older application versions and their vulnerabilities are old news, so there’s less to grab your attention. You won’t see a news story covering a vulnerability that’s months old. In many cases, you might be unaware of exactly which versions of an application still exist on your network.
It’s easy to leave these old application vulnerabilities unpatched. Unfortunately, they pose a threat that’s just as serious as their newer counterparts.
Application vulnerabilities don’t breach your security. Attackers do. And to effectively exploit vulnerabilities, attackers need time.
The longer a vulnerability remains unpatched, the more time an attacker has to find the best way to exploit it. What begins as a low-criticality vulnerability could turn into a more significant threat over a prolonged period of time, as attackers discover new methods of attack.
Every moment that an application vulnerability goes unpatched is an opportunity for it to be exploited. And the issue isn’t a lack of patches.
According to the Flexera Vulnerability Review 2017, 82 per cent of vulnerabilities had patches available on the day of disclosure.
If you knew you had an unpatched vulnerability, you’d patch it. So why do old application vulnerabilities persist?
In some cases, IT teams don’t know that old, outdated versions of applications exist on the network.
In other instances, IT teams don’t know that a vulnerability exists, or how to go about patching it.
And sometimes, it’s just a case of workload and available time. It’s simply easier to focus on new vulnerabilities than it is to track down old ones.