Incoming: tiny or possibly not-so-tiny security rant about vuln + dependency management
Alright, so, real talk: many of us who are trying to live our best security lives run on a handful of pretty serious mantras-- that Bruce Schneider quote about security being a process and not a product is one of the big ones.
The backbone of many early iterations of security process is usually some form of a spreadsheet. It's essential to take stock of what your software is made out of, and you have to take stock of what software you're using to make software + run a business.
(Side note: I've worked in a library and a museum before. And I f*cking love these spreadsheets so much. Don't @ me)
I've worked on many, many of these process backbone spreadsheets, but there are a few that have really gotten under my skin lately: vulnerability management, and dependency management.
They're kind of a big deal, but a quick scan of two important columns = instant rage.
They're kind of a big deal, but a quick scan of two important columns = instant rage.
One of the most important columns in the vuln/dependency management spreadsheet is the one for security advisories-- it's partner in importance is the column for security pages attached to products/packages/software.
Real talk: these are the most infuriating columns ever.
Real talk: these are the most infuriating columns ever.
Every time I open one of these spreadsheets cataloging software and software parts, the Security column pair is such a freaking disappointment. For way too many things in use in technology, "None" and "None" fill the sec advisory + sec page columns.
THIS IS NOT OKAY
THIS IS NOT OKAY
Vuln management and dependency management are extra super intertwined with a process that infosec folks love to argue about ad nauseam: patch management. Some of us are on the "patching is hard and not always feasible" side, others argue "what kind of idiot doesn't patch?"
Back to my spreadsheet though, because for real, there is a big old mess going on here...
When I scan through software parts and see that there's no security advisory page, no security page, and that instead a well-meaning security person has to bookmark changelogs, sign up for mailing lists, and learn to read smoke signals to get security updates, I am mad as hell 🔥
Yes, security bugs won't come marching in through the front door in a perfectly orderly fashion... but we should be able to come up with a functional, timely way for security alerts to come to us.
If we can't get alerts, how the hell can any of us patch?!
If we can't get alerts, how the hell can any of us patch?!
Nothing screams "dysfunctional relationship" and "awful communication" to me more than the widespread lack of /security pages across every kind of software part imaginable-- free-range, open source code and enterprise fanciness alike.
Yes, services and tooling exist to backport patches to common/popular distros of software. But not every organization can afford that (security poverty lines are real) and many developers aren't interested-- they want to use the newest + coolest features, tech, and code
This is an incredibly difficult problem to solve, and it is one that many fancy organizations spend quite a bit of money trying to solve or improve. But what about the rest of us? Shouldn't/couldn't we have more than a million mailing lists and groups to join for info?
It would be so cool if there were a reliable way to disseminate security updates and patch info in a timely manner to *everyone* without needing to sign up for a million groups and lists.
We're not going to increase time-to-patch metrics without it. So maybe let's get to work?
We're not going to increase time-to-patch metrics without it. So maybe let's get to work?
Honestly, at this rate, most of us would spend like 5 years and way too much money on vendors + resources to try and figure out how to automate security alert delivery across this crazy patchwork of information distribution. And we'd fail. Ain't nobody got time for that!
So yes, I am all "omg how can we make patching/dep + vuln mgmt work better, this is way too much crazy to expect everyone to do?!" ... but for real:
What tiny improvements can we start with that have a big impact? How do we get software folks flying in formation in fix mode?
What tiny improvements can we start with that have a big impact? How do we get software folks flying in formation in fix mode?
The way we distribute security advisories and patch update information is fragmented af and it seems to be setting almost any well-meaning security team/person up for total failure. How do we improve the process for everyone, and not just people with budget for vendor tools?
Every dang time I see a "NO" in the security advisories/security page/ RSS feed column, it feels like the universe is all 👿 and honestly... how the hell do any of us have any hope in empowering developers + building safe and secure things with this as the status quo?
/rant
/rant
Yes, hello, someone is arguing at me and now I have more things to say.
Fixing broken security advisories/updates isn't a silver bullet. Coding is very much creation and speech, and to move the needle in the right direction, we need to look at current obstacles + think critically about how to foster core security values among devs across the planet
It would be so cool if we could come up with a handful of clear, direct, concise ways to deliver information that doesn't require quilting a nearly-impossible set of patch info updates into a process. There are good reasons for this.
So many people in this world learning to develop and learning to write code are not from the US, will never approach creating software through our policy, and may not even have a full formal education. How do we make this better to give them some hope of success?
"You never went to a top tier school to learn how to write secure code so you can't write code" isn't an answer here, not when so few top tier schools even appropriately teach secure development + dep/vuln management correctly to begin with.
So many words have been spilled about things being secure-by-default, but maybe that term should expand to include getting security advisories without an Odyssey-like journey for info. And it should work for people who build stuff outside of the US, too.
/fin
/fin
