
Some Vulnerabilities Are Forgivable, But Poor Patch Management Is Not
At the start of the year, the UK’s National Cyber Security Centre (NCSC) called on the software industry to get its act together. Too many “foundational vulnerabilities” are slipping through into code, making the digital world a more dangerous place, it argued. The plan is to force software vendors to improve their processes and tooling to eradicate these so-called “unforgivable” vulnerabilities once and for all.
While ambitious in scope, it will take some time for the agency’s plan to bear fruit – if it does at all. In the meantime, organisations need to get better at patching. This is where ISO 27001 can help by improving asset transparency and ensuring software updates are prioritised according to risk.
The Problem with CVEs
Software ate the world many years ago. And there’s more of it around today than ever before – running critical infrastructure, enabling us to work and communicate seamlessly, and offering endless ways to entertain ourselves. With the advent of AI agents, software will embed itself ever further into the critical processes that businesses, their employees and their customers rely on to make the world go round.
But because it’s (largely) designed by humans, this software is error-prone. And the vulnerabilities that stem from these coding mistakes are a key mechanism for threat actors to breach networks and achieve their goals. The challenge for network defenders is that for the past eight years, a record number of vulnerabilities (CVEs) have been published. The figure for 2024 was over 40,000. That’s a lot of security updates to apply.
As long as the volume and complexity of software continues to grow, and researchers and threat actors are incentivised to find vulnerabilities, the number of annual CVEs will continue to surge upwards. That means more vulnerabilities for threat actors to exploit.
According to one estimate, a whopping 768 CVEs were publicly reported as being exploited in the wild last year. And while 24% of these were zero-days, most were not. In fact, while AI tools are helping some threat actors exploit vulnerabilities faster than ever before, the same research suggests that legacy bugs remain a major problem: 40% of the vulnerabilities exploited in 2024 dated from 2020 or earlier, and 10% from 2016 or earlier.
What Does the NCSC Want to Do?
In this context, the NCSC’s plan makes sense. Its Annual Review 2024 bemoans the fact that software vendors are simply not incentivised to produce more secure products, arguing that the priority is too often on new features and time to market.
“Products and services are produced by commercial enterprises operating in mature markets which – understandably – prioritise growth and profit rather than the security and resilience of their solutions. Inevitably, it’s small and medium-sized enterprises (SMEs), charities, education establishments and the wider public sector that are most impacted because, for most organisations, cost consideration is the primary driver,” it notes.
“Put simply, if the majority of customers prioritise price and features over ‘security’, then vendors will concentrate on reducing time to market at the expense of designing products that improve the security and resilience of our digital world.”
Instead, the NCSC hopes to build a world where software is “secure, private, resilient, and accessible to all”. That will require making “top-level mitigations” easier for vendors and developers to implement through improved development frameworks and adoption of secure programming concepts. The first stage is helping researchers to assess if new vulnerabilities are “forgivable” or “unforgivable” – and in so doing, build momentum for change. However, not everyone is convinced.
“The NCSC’s plan has potential, but its success depends on several factors such as industry adoption and acceptance and implementation by software vendors,” cautions Javvad Malik, lead security awareness advocate at KnowBe4. “It also relies on consumer awareness and demand for more secure products as well as regulatory support.”
It’s also true that, even if the NCSC’s plan worked, there would still be plenty of “forgivable” vulnerabilities to keep CISOs awake at night. So what can be done to mitigate the impact of CVEs?
A Standards-Based Approach
Malik suggests that the best practice security standard ISO 27001 is a useful approach.
“Organisations that are aligned to ISO27001 will have more robust documentation and can align vulnerability management with overall security objectives,” he tells ISMS.online.
Huntress senior manager of security operations, Dray Agha, argues that the standard provides a “clear framework” for both vulnerability and patch management.
“It helps businesses stay ahead of threats by enforcing regular security checks, prioritising high-risk vulnerabilities, and ensuring timely updates,” he tells ISMS.online. “Rather than reacting to attacks, companies using ISO 27001 can take a proactive approach, reducing their exposure before hackers even strike, denying cybercriminals a foothold in the organisation’s network by patching and hardening the environment.”
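To make the risk-based prioritisation Agha describes concrete, here is an added illustration (not code from the article, Huntress or ISO 27001): it ranks findings by severity, asset criticality, internet exposure, known in-the-wild exploitation and age, flags findings on assets missing from the inventory (the asset-transparency gap ISO 27001 is meant to close), and maps each score to a remediation deadline. The weightings, SLA thresholds, asset names and CVE identifiers are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int          # 1 = low business impact ... 3 = critical
    internet_facing: bool

@dataclass(frozen=True)
class Vuln:
    cve: str                  # sample data uses fictitious IDs
    asset: str
    cvss: float
    exploited_in_wild: bool   # e.g. present in a known-exploited catalogue
    published: date

def priority_score(v: Vuln, a: Asset, today: date) -> float:
    """Severity x business impact, boosted for exploitation, exposure and age."""
    score = v.cvss * a.criticality
    if v.exploited_in_wild:
        score *= 2.0          # known exploitation outweighs raw CVSS
    if a.internet_facing:
        score *= 1.5
    score += min((today - v.published).days / 365, 5.0)  # old unpatched bugs keep climbing
    return round(score, 1)

def sla_days(score: float) -> int:
    """Remediation deadline from score; thresholds are an assumed policy."""
    return 7 if score >= 40 else 30 if score >= 20 else 90

def build_patch_queue(vulns, assets, today):
    """Return (queue ordered by score, CVEs on assets missing from the inventory)."""
    queue, untracked = [], []
    for v in vulns:
        a = assets.get(v.asset)
        if a is None:             # inventory gap: cannot be risk-rated, must be chased
            untracked.append(v.cve)
            continue
        s = priority_score(v, a, today)
        queue.append({"cve": v.cve, "asset": a.name, "score": s, "sla_days": sla_days(s)})
    queue.sort(key=lambda r: r["score"], reverse=True)
    return queue, untracked

# Constructed sample inventory and findings; CVE IDs are placeholders, not real.
SAMPLE_ASSETS = {a.name: a for a in [Asset("web-01", 3, True), Asset("db-01", 3, False), Asset("hr-laptop-07", 1, False)]}
SAMPLE_VULNS = [Vuln("CVE-EXAMPLE-A", "hr-laptop-07", 9.8, False, date(2024, 11, 1)),
                Vuln("CVE-EXAMPLE-B", "web-01", 7.5, True, date(2020, 3, 1)),
                Vuln("CVE-EXAMPLE-C", "db-01", 6.5, False, date(2024, 6, 1)),
                Vuln("CVE-EXAMPLE-D", "unknown-box", 9.0, True, date(2024, 1, 1))]
```

Run against the sample data, the five-year-old, medium-CVSS but actively exploited bug on the internet-facing server lands at the top of the queue with a 7-day SLA, ahead of the fresh 9.8 on a low-value laptop, and the finding on the unrecorded host is returned separately because it cannot be rated at all.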
However, Agha argues that patching alone is not sufficient.
“Businesses can go further to defend against cyber threats by deploying network segmentation and web application firewalls (WAFs). These measures act as extra layers of protection, shielding systems from attacks even if patches are delayed,” he continues. “Adopting zero trust security models, managed detection and response systems, and sandboxing can also limit the damage if an attack does break through.”
KnowBe4’s Malik agrees, adding that virtual patching and endpoint detection and response (EDR) are good options for layering up defences.
“Organisations can also undertake penetration testing on software and devices prior to deploying into production environments, and then periodically afterwards. Threat intelligence can be utilised to provide insight into emerging threats and vulnerabilities,” he says.
“Many different methods and approaches exist. There has never been a shortage of options, so organisations should look at what works best for their particular risk profile and infrastructure.”