Every IT and security professional knows that applying vendor-supplied patches is both necessary and an operational problem. While Microsoft’s “Patch Tuesday” is well known and often anticipated (for planning purposes), other vendors release updates, point releases and security patches on an unpredictable schedule.
The volume of patches issued, multiplied by the number of applications large organizations run, makes this difficult to manage and often expensive to implement across all devices. Studies show that even critical applications are often missed, whether through improper prioritization, limited resources or lack of awareness. Need proof? The 2016 Verizon Data Breach Investigations Report found that “99.9% of the exploited vulnerabilities had been compromised more than a year after the associated CVE was published.”
Known vulnerabilities are not restricted to commercial applications, of course. Open source, which can comprise over 70% of an application, has its share of vulnerabilities as well. The difference with open source is that nobody is “pushing” updates or patches to the users of vulnerable open source components. You elect to use open source. Therefore you’re responsible for monitoring those components and applications for updates, vulnerabilities and patches.