As of the end of November, the National Vulnerability Database (NVD) had reported more than 7,300 vulnerabilities for 2014. That's the largest number of vulnerabilities ever reported in one calendar year -- and there are still more than a few days left in 2014. By the end of December, there is a strong likelihood that the total number of vulnerabilities will surpass 8,000.
This record number represents 8,000 reasons to improve the overall quality of software through better development and secure coding practices from the outset. Sure, patching helps by bolting on security after the fact, but patching only can go so far. It becomes nearly impossible for organizations to patch anywhere near 100% when you take into account zero-day vulnerabilities, manual patching, ineffective patch management solutions, the inability to patch critical systems that can't be taken offline, and other factors that impact the operations of IT system environments from heterogeneous environments all the way to the emerging new world called the "Internet of Things."
If not patching, then what?
What we need is a more proactive, modern approach to protecting IT systems. Patching or patch management has become an outdated approach for securing systems. It's outdated because the software ecosystem has evolved, and patching doesn't scale well enough to address the ubiquitous and heterogeneous nature of software. The size and complexity of software also introduces the likelihood for more vulnerabilities, which causes organizations to lose control of their software and IT systems. Unfortunately, you can't patch what you can't manage or control.
Software assurance, then, becomes a key component in proactive approaches to protecting IT systems. Software assurance provides a degree of confidence that software is free from weaknesses that can be exploitable. From a software assurance perspective, secure coding and development are viable and realistic options to address the gaps that exist with patching or patch management solutions. Secure coding and development becomes our first line of defense in securing IT systems, no matter where that system resides. Secure coding and development helps reduce the attack surface and the ways in which systems can be exploited.
The focus should shift from hunting down common vulnerability exposures (CVEs) to pinpointing common weaknesses enumerations (CWEs) that could be exploitable. The emphasis here is to rely less on patching and patch management and more on secure coding and development. The long-term net effect will not only help reduce the number of vulnerabilities over a period of time, but it will also help reduce the cost of software failures by identifying and uncovering software weaknesses early in the development process. Studies have shown that, when weaknesses are found later in the lifecycle (post-release, maintenance phases), the cost significantly increases to fix, mitigate, or remediate that weakness.
It should be noted that I'm not advocating abandoning patching strategies. However, I am encouraging organizations to put a greater emphasis on developing better quality software. This will require some organizations to formalize software assurance strategies to ensure that security is addressed early and often in the software development process.
Investing in research and development will also be needed to advance the quality of software analysis tools and technologies that developers feel confident in using. Improvements in software analysis tools in area of coverage (weakness classes and programming languages), precision and soundness, and synergies with continuous integration and software lifecycle management tools will help guide developers and improve the fidelity of software analysis capabilities.