Don’t forget to patch, patch, patch
And that leads to the second fundamental: Know what you have and keep it up to date—as in, patch, patch, patch. That applies both to vendors and their customers.
Tim Erlin, vice president of product management and strategy at Tripwire, said besides secure development practices, vendors need “a process for remediation of any discovered vulnerabilities. For vendors, the problem isn’t really fixed until their customers actually apply a patch or other mitigation.”
Justin Hutchings, senior product manager of security at GitHub, the code-sharing and publishing service that also manages and stores revisions of projects, agreed. Obviously, it is the responsibility of companies to disclose and provide fixes for vulnerabilities in their software.
But once the vulnerability has been disclosed, “it’s the responsibility of downstream software projects and IT organizations to patch vulnerabilities,” he said.
And the reality, which confirms the Tripwire findings, is that not all of them do. “In the last year, we’ve sent nearly 27 million security vulnerability alerts to vulnerable software projects on GitHub,” he said.
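The "know what you have and keep it up to date" fundamental, and the style of alert GitHub describes, can be reduced to a small, repeatable check: an exact inventory of pinned dependency versions compared against an advisory list of vulnerable version ranges. The script below is an added illustration, not code from the article, Tripwire or GitHub; the inventory, package names and `ADV-EXAMPLE-*` advisory identifiers are all constructed for the example, and the `requirements.txt`-style `name==version` format is assumed as the inventory source.

```python
"""Added example: a minimal "know what you have, keep it patched" check.

Parses a constructed dependency inventory (name==version lines, in the
requirements.txt convention) and reports which pinned versions fall inside a
constructed advisory's vulnerable range [introduced, fixed).  Every package,
version and advisory id below is made up for illustration.
"""
import re

# Constructed inventory. One line is deliberately unpinned so the check can
# show that an inexact inventory is itself a finding.
INVENTORY = """\
# sample lockfile (constructed)
examplelib==1.4.2
widgetparser==0.9.0
netclient==2.3.1
legacytool>=3.0
"""

# Constructed advisories: vulnerable if introduced <= installed < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "examplelib",   "introduced": "1.0.0", "fixed": "1.4.3"},
    {"id": "ADV-EXAMPLE-2", "package": "widgetparser", "introduced": "0.5.0", "fixed": "1.0.0"},
    {"id": "ADV-EXAMPLE-3", "package": "netclient",    "introduced": "2.4.0", "fixed": "2.4.2"},
]

PINNED_RE = re.compile(r"([A-Za-z0-9_.-]+)==(\d+(?:\.\d+)*)")


def parse_version(v):
    """Dotted numeric version -> tuple, so 1.10.0 sorts after 1.9.9."""
    return tuple(int(part) for part in v.split("."))


def parse_inventory(text):
    """Return (pinned {name: version}, list of lines that are not exactly pinned)."""
    pinned, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = PINNED_RE.fullmatch(line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(line)             # ">=", "~=", bare names, etc.
    return pinned, unpinned


def find_vulnerable(pinned, advisories):
    """Match installed versions against [introduced, fixed) ranges."""
    findings = []
    for adv in advisories:
        installed = pinned.get(adv["package"].lower())
        if installed is None:
            continue
        v = parse_version(installed)
        if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
            findings.append({
                "id": adv["id"],
                "package": adv["package"],
                "installed": installed,
                "fixed": adv["fixed"],
            })
    return findings


def report(text, advisories):
    """Human-readable summary; also returns the findings for programmatic use."""
    pinned, unpinned = parse_inventory(text)
    findings = find_vulnerable(pinned, advisories)
    for f in findings:
        print(f"[{f['id']}] {f['package']} {f['installed']} is vulnerable; "
              f"upgrade to {f['fixed']} or later")
    for line in unpinned:
        print(f"[unknown] {line!r} is not pinned to an exact version; "
              "the inventory cannot be checked until it is")
    if not findings and not unpinned:
        print("inventory is pinned and no known advisories apply")
    return findings, unpinned


if __name__ == "__main__":
    report(INVENTORY, ADVISORIES)
```

The range test is the part worth copying: an advisory is only actionable when it names both where the vulnerability was introduced and where it was fixed, and a version that is merely newer than the introduction point is not safe until it reaches the fix. The unpinned-line finding reflects the first half of the fundamental: a dependency you cannot name exactly is one you cannot know is patched.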