"If you didn't already know that patching introduces risk, well...now you know," says Brad Causey, CEO of security consulting and penetration testing firm Zero Day Consulting.
Causey is referring of course to the recent attack on SolarWinds that shook the industry. Software updates for SolarWinds' Orion network management software were used to distribute the Sunburst/Solarigate backdoor Trojan to some 18,000 organizations worldwide. (Note: SolarWinds is, itself, also a provider of third-party patch management services. However, those services do not appear to have been affected by the recent attacks.)
"We're introducing risk by trying to reduce risk," Causey says.
This isn't a new thing, though, he says, and testing patches before deployment is standard best practice. Yet patch testing is generally done to avoid operational snafus, not security threats. It's meant to spot a code library change that prevents three other applications from running, not to spot a backdoor Trojan.
With the Sunburst/Solarigate attacks fresh in mind, though, is it time to revamp patch testing procedures? How can enterprise infosec teams tackle patch management securely? Here's advice from security experts on what to do now.
Causey and others say that a supply chain attack on the scale and sophistication of SolarWinds is harrowing, but i ..