'people will finally understand that security bugs are bugs, and that the only sane way to stay safe is to periodically update, without focusing on "CVE-xxx"'

Anyone care to explain the logical flow of this sentence? o.O

https://lwn.net/Articles/1065620/

#Linux #LLM
1) "people will finally understand that security bugs are bugs" - Tautology?
2) "the only sane way to stay safe is to periodically update" - What about attack surface reduction? Risk based mitigations? How does this assertion relate to 1)?
3) "without focusing on 'CVE-xxx'" - CVEs are useful to find information to implement appropriate controls (see 2)). Unless of course the CNA spams the database with useless data....

@buherator I think he sees it from the vulnerability management as an integrator perspective. Currently a lot of organisations only see the need to update certain systems if there is a vuln with a proven exploit. Otherwise the risk is not big enough to justify the effort to fix from their perspective. Especially for hard to patch systems. This might be the "focus on the CVE" he describes.

@twomikecharlie But CVEs have very little to do with exploits. Also, there is a whole range of perfectly valid strategies to manage risk from vulns (see my 2nd post in the thread).

I'm all for fixing all vulns, but reality just doesn't work like that and I don't see how the problem statement (some vulns are becoming easier to discover) would affect this.

@buherator I think they're trying to say that the best security practice is to always update, rather than staying on old versions until CVEs show that it's not safe.

I know of way too many companies that do the latter.


@buherator First: I disagree with his statement. I think to build secure software it is necessary to think of structural and architectural security problems, not of single vulns.

But: What I think he is suggesting is that there are currently orgs who spend a lot of resources on "vulnerability management" which could just patch. If there is a flood of vulns, their processes get overwhelmed and they will finally just patch without thinking too much about whether it is actually necessary.

@twomikecharlie OK this sounds plausible, but I find it hard to come to this conclusion (or any) from the original sentence. Esp. because the "only sane way to stay safe" part is simply false (see supply chain issues, breaking changes, etc.).
@troed This may be it, thanks! Still, a shortsighted stance and a very badly phrased sentence.

@buherator it's a very narrow perspective on the problem, but I've encountered it before.


@buherator We're also finding it's not necessarily even good advice - with the increase in bad actors getting access to OSS projects and injecting attacks, is it even a good idea to take patches quickly? Which is riskier: there might be an unknown vulnerability in an old unpatched version; or there might be a vulnerability deliberately injected into the latest version?

@jdonoghue Exactly, see my other replies in the thread!