We’ve covered how patching begins with discovery, finding the non-Microsoft applications across your network. We’ve looked at how you can apply patches intelligently, starting with the most dangerous vulnerabilities.
But before you start comparing products that can help you patch vulnerabilities, there’s a simple question to be answered. Why bother?
Why do you need to spend time and money protecting against application vulnerabilities? And why do those third-party applications present the most complex – and critical – threat of all?
Fundamentally, third-party applications present a widespread risk because they’re in widespread use. From web browsers and other utilities to sector-specific software, there are thousands of non-Microsoft applications in use every single day.
These applications come from many different vendors, with varied levels of testing and quality assurance. So it is significantly more likely that, across all those applications, critical vulnerabilities will appear.
While Microsoft applications aren’t immune from vulnerabilities attackers can exploit, Microsoft enforces a regular update schedule.
Patches, many of which eliminate vulnerabilities, are delivered in a centralised, automated fashion. There’s no need to check individual installations or the separate components of a suite like Microsoft Office. Instead, you are automatically notified of new updates and prompted to install them from a single screen.
Third-party applications don’t come with that centralised update process. Patching them is time-consuming, hands-on, and a source of great frustration. So their vulnerabilities remain unpatched for prolonged periods of time – long enough for attackers to exploit them.
As we talked about in our recent post, “Patching Microsoft OS and Applications Isn’t Enough”, attackers understand that your Microsoft software is more likely to be up to date than products from third-party vendors.
Meanwhile, in the absence of Microsoft’s extensive budget for in-house security testing, your third-party applications are more likely to be vulnerable. According to the Secunia Vulnerability Review 2014, 76% of the vulnerabilities discovered in 2013 appeared in third-party software.
As a result, attackers focus their attention on exploiting those vulnerabilities. Your third-party applications are the first place an attacker looks for a weakness. And they’re where a weakness is most likely to be found.
There’s no doubt that third-party application vulnerabilities present a very real risk to any organisation. There’s no denying the fact that we should all be taking responsibility for those applications, uncovering and mitigating vulnerabilities as a matter of priority.
But it’s really hard work. That’s why people find themselves asking if it’s really necessary.