“I’ve been in this game for a long time,” security expert Dave Aitel said, prefacing a counter-intuitive argument that patching vulnerable software is useless. Patching, he said, “makes you feel good, it makes the vendor look good, it satisfies the insurance companies that you’re doing due diligence — but it’s not overly useful.”
Aitel was taking one side of the debate staged at “Hack at the Harbor,” a freewheeling online conference held in April.
At first glance, patching vulnerable software that would otherwise allow attackers to gain entry into a system would seem to be a good idea. As the event show notes asserted, “Some say if you can do one thing and only one thing, that thing should be to patch patch patch, and invest in patch management solutions.”
But “others say it’s not nearly as useful as people think,” the program also noted.
Arguing that patching isn’t useless was Phillip Wylie, manager/tech evangelist at cybersecurity company CyCognito. Previously he was a senior cloud penetration tester at U.S. Bank, with a long history of similar cybersecurity positions with major banks and telecommunication companies. Wylie is also the co-author of The Pentester BluePrint: Starting a Career as an Ethical Hacker — so with all that, he entered the debate with a healthy helping of real-world expertise.
But Aitel has had his own long and storied history in cybersecurity. A 2005 profile in the Sydney Morning Herald noted that Aitel worked at the U.S. National Security Agency as a computer scientist on a scholarship when he was 18 years old.
Aitel then joined a security firm (later bought by Symantec), and then founded his own New York-based security firm, Immunity, according to the Herald. Aitel is now a partner at the information security research and engineering company Cordyceps Systems, leading a machine learning/data science team. And Aitel has also co-authored a security book: The Hacker’s Handbook: The Strategy Behind Breaking into and Defending Networks.
And so began the great debate…
Is Patching Poisoning Us?
To make the case against patching, Aitel cites VPN vulnerabilities discovered in 2021. Besides patching, Aitel argues a full re-install of affected VPN devices would’ve been necessary to remove any dangerous access-granting rootkits that were already left behind — reinstalls, he quips, “which we know none of you did.” And what about any passwords or keys that were already purloined away?
“Patching that device — and putting it back online — gave you an extreme sense of false security,” he said.
Having outlined this scenario, Aitel then mocked the Orwellian nature of the phrase “vulnerability management” saying that as an actual concept, it’s false. “It’s fooled us into thinking there’s a window of vulnerability, and that if an attacker hasn’t been able to exploit us during that window, we are okay.”
Instead, Aitel recommended that insufficiently secured devices and systems be placed in a kind of “penalty box” — uninstalled and removed from an exploitable position. “What a vulnerability should tell you is that a very particular piece of software is not strong enough to be exposed.” But it soon became clear that Aitel was taking his critique even further. “I’d like to say that patching is mostly harmless — but it’s really not. Our reliance on patching as a security tool has poisoned us…”
“Are there any number of patches to a given PHP content management server that would let you feel that the vulnerabilities it exposes now are okay for you? For your internet-facing server? For customer data? There shouldn’t be!” Citing other concerns about Outlook Web Access, Aitel criticized “The message that Microsoft’s shareholders want you to believe: that once it’s patched, it’s secure again.”
Later Aitel made the point more emphatically, calling it “unfortunate that we’ve fallen into this idea that we’re all helpless, and that only Microsoft can give us the manna from heaven that will secure our systems” — especially in a world with other mitigations (including 0patch‘s speedy “micropatching” service). In fact, security researcher Maddie Stone noted that one out of every four zero-days in 2020 “could potentially have been avoided if a more thorough investigation and patching effort were explored.”
“In other words,” Aitel argued, “patching is just alerting attackers about bad code. And it should alert you as well.
“The only way to win is by choosing the right platforms. Don’t use PHP — just say no. Don’t use Microsoft Exchange. Choose security over patching.”
When Patches Aren’t Useless
Phillip Wylie’s own opening statement began with a story about a penetration test he’d performed which discovered a low-risk bug. During a second test 90 days later that same bug had remained unpatched — and the bug had since become much more exploitable. “Someone could’ve exploited that vulnerability to actually breach their enterprise! And the vulnerability was patch-related — it was fixed with a patch.”
That alone makes the case for patching, Wylie seemed to argue. He agreed that you shouldn’t depend on patches to solve everything — “It’s part of an overall program. You need to make sure that you’re using firewalls, endpoint protection… So just kind of a layered approach. But I definitely think by patching systems, you’re ruling out some level of attacker.” It’s always better to present a less-attractive target than other targets on the net, Wylie believes, “and patches are part of it…”
“Even with some of the best security, you may not be able to prevent a nation-state attack — but the more people you’re able to rule out, the better.”
Wylie sees a much simpler problem: those companies that don’t patch vulnerabilities once they’re made aware of them. “Sometimes people take security as a checkbox for compliance and are really not concerned with the security! And I think that needs to change.”
But of course, to say that is to say that your faith in patching remains unshaken…
Tilting at Windmills
As the two speakers interacted, the online audience wondered which position would prevail.
Aitel pointed out the huge volume of patching required these days — especially for a larger enterprise with a variety of systems. “This has made an entire career field out of vulnerability management,” Aitel said, complaining wryly that “It’s as if you put on your CV that you were a professional at tilting at windmills. We know the job is never done, and we know the job is done poorly — no matter how good you are at it.”
Aitel’s conclusion? It’s not even a job worth doing.
But the problem’s even larger than that, Aitel argued, since “vulnerability triage is broken.” If we know that we can never truly get caught up — then what’s the point?
Aitel underscored the point later in the debate. “Attackers can read git commit messages. They will always be faster than your security team at patching because they’re faster than security vendors at patching. We saw this with log4j, and we’re going to see it with everything else.” He even added this dire prediction: “SolarWinds was just the beginning. The supply chain is going to eat us alive in the next five to 10 years! If we think patching is the answer, we might as well just… give up and go home.”
And later Aitel even pointed out that the infamous SolarWinds vulnerability was an update — so “Securing the patches themselves is a problem we have not solved.”
Wylie pushed back, insisting that patching can still be a component of a multi-pronged approach — also asking, what’s the alternative? “If we give up on all these things and we don’t do it, then what protection do we have? Some of these things may not be the end-all/be-all — maybe patch management may not be what protects us. But I think it’s just part of a necessary process…”
The two struggled to find common ground. Aitel and Wylie agreed there have been ongoing discoveries of as-yet-unpatched “zero-day attacks” — and Aitel noted that they’re exploitable by the most worrisome of attackers. But then Aitel asked a pointed question: what’s the purpose of patching in a world with steady streams of new exploitable holes? And Wylie had to acknowledge that patching — and even penetration testing — couldn’t address a hole so new that its existence is not yet known.
On the other hand, Aitel conceded that the attack surface management Wylie recommends “is pretty darn valuable. I think that’s where our brains need to go. I think that’s how you rule people out.
“I don’t think you rule people out by patching. I think you rule them out by not being vulnerable in the first place,” he said.
Aitel argued that the best first step is reducing attack surfaces — understanding what’s insecure and what’s exposed. And Wylie agreed — advising vulnerability scanning and checking for assets, as well as using firewalls and performing configuration checks. But Wylie still saw that as part of his favored layered approach — which includes patching — and several times pointedly reiterated his faith. “In my opinion, you just can’t do nothing… I can’t help but think that patching is going to help…” At least as part of a larger suite of security tools.
“I think everything has a place. We just need to make sure it’s all in place. Make sure everything’s secure to begin with, and not just rely on endpoint protection. You have to make sure you look at the overall security.”
Wylie seemed bemused. He agreed with some of what Aitel was saying, but “I just can’t agree with not patching at all… Based on my past experience working in IT and other areas, having to patch against those things and how much it can affect the company — it’s just kind of hard to totally give up on the patching thing!”
At the end of the debate, a vote was held, and 56% of the voters ultimately agreed with Wylie: that patching isn’t useless.
But 44% of the audience still disagreed.