Over the weekend, I went to York - a place steeped in history and ancient ways.
History and tradition weigh heavily on the surroundings - from its City Walls and 13th century Minster to its Roman archaeology.
My visit reminded me of a keynote I saw earlier in the week by HD Moore 25 Years of Vulnerability Mismanagement.
For the unfamiliar, HD Moore has been a significant player in cybersecurity for several decades. His focus has been on vulnerabilities, and he has an impressive history of projects.
In 2006, he launched the Month of Browser Bugs project, the first time anyone had consistently released a previously unknown vulnerability every day for a month.
Most infamously, HD Moore created Metasploit in 2003.
Metasploit is a tool that enables even junior penetration testers to chain pre-built attack tools and exploits together, trivialising break-ins to insecure computer systems.
In his keynote, HD Moore gives a history of vulnerability management and highlights some startling points.
For example, the interface of vulnerability management tools hasn't changed in 25 years.
Moreover, the industry's current focus is on tools that help prioritise which vulnerabilities are significant, rather than on how to fix them.
The keynote paints a gloomy picture.
But how did we get here?
The path is one of tradition, linking back to the founding of the cybersecurity industry.
It is a tradition of young security enthusiasts learning their skills on the wrong side of the law, then realising there is another way: legally reusing those skills as ethical hackers and security consultants.
Over time, their old vulnerability discovery tools became vulnerability management tools, and those tools continue to operate with a dual purpose.
They start by finding vulnerabilities.
From that point, however, the operator decides whether each vulnerability will be used for nefarious exploitation or patched and secured.
Over the years, the vulnerability management industry has blossomed and is valued at over $16B.
However, it strikes me as odd that the market for finding a problem (vulnerability management) is over 26 times larger than the one for fixing the problem (patch management).
I can partly explain the difference as the human bias to pay more for painkillers than vitamins, noting that the pain of vulnerabilities is amplified and agitated as part of the management process we pay for...
But, I also see the traditions and origins of vulnerability management remaining an undercurrent and tainted lens through which we still see cybersecurity.
It makes me wonder - is there another way?