Discussion · bonfire.cafe

"As a perhaps amusing aside, if everyone were to follow our suggested delay practice, it would become much less effective. Fortunately, we have no expectation that everyone will listen to us."

Unpopular opinion: more people should follow this advice.

Unfortunately, many feel they have no choice but to deploy patches with a "security fix" label on them more quickly than they normally would make changes to complex systems.

@smb @adamshostack

#CVE #InfoSec
https://shostack.org/files/papers/time-to-patch-usenix-lisa02.pdf

Matt "msw" Wilson

@msw@mstdn.social replied · last week

Indeed, this strategy is more effective when bravehearts deploy changes with ambition and report real-world problems, as we know that it is difficult to exhaustively test a change to the point of eliminating all possible new defective behaviors.

@smb @adamshostack

Matt "msw" Wilson

@msw@mstdn.social replied · last week

While many things have not changed since this paper was published in 2002, the landscape around #CVE and open source software has, in my opinion.

This paper mainly contemplates official patches and bulletins from commercial vendors, or at least a CVE that was reviewed by a panel of editors. It rightly calls out that the quality of fixes varies widely.

However, today a CVE in a FOSS package may mean little to nothing in context of a production product or system.
#FOSS
@smb @adamshostack

Matt "msw" Wilson

@msw@mstdn.social replied · last week

I definitely recommend folks read the paper linked in the first post. Here's a TL;DR summary in the form of Figure 1: " "A hypothetical graph of risks of loss from penetration and from application of a bad patch. The optimal time to apply a patch is where the risk lines cross."

#CVE #OSS #FOSS #FLOSS #OpenSource #FreeSoftware #InfoSec

@smb @adamshostack

A graph showing Time along the X axis and Risk of Loss along the Y axis. Two curves are on the graph, one is the "bad patch risk" which decreases over time, and the other is "penetration risk" which increases over time. Where the two lines cross, a circle is drawn representing "Optimal Time to Patch".

Caption: "Figure 1: A hypothetical graph of risks of loss from penetration and from application of a bad patch. The optimal time to apply a patch is where the risk lines cross." — A graph showing Time along the X axis and Risk of Loss along the Y axis. Two curves are on the graph, one is the "bad patch risk" which decreases over time, and the other is "penetration risk" which increases over time. Where the two lines cross, a circle is drawn representing "Optimal Time to Patch". Caption: "Figure 1: A hypothetical graph of risks of loss from penetration and from application of a bad patch. The optimal time to apply a patch is where the risk lines cross."

Matt "msw" Wilson

@msw@mstdn.social replied · last week

@smb @adamshostack

Folks who like that paper may light this one as well.

It studies Microsoft "Patch Tuesday" updates in particular, which are much different (in my opinion) than your typical open source software updates that are labeled with a CVE.

#CVE #PatchTuesday #InfoSec

https://arxiv.org/abs/2307.03609

bonfire.cafe

A space for Bonfire maintainers and contributors to communicate

bonfire.cafe: About · Code of conduct · Privacy · Users · Instances

Bonfire social · 1.0.0-rc.2.11 no JS en

Automatic federation enabled