Security Patches: The Whole Strategy or Only Part of It?

If the name Pavlov rings a bell, there’s a good chance you’ve heard of his famous experiment. To sum it up for you, Ivan Pavlov was able to associate food with the sound of the ringing bell to the point that the bell itself would make initiate a response from the participant. 

It’s a neat finding because it proves that with enough reinforcement, there’s a tendency that develops to automatically associate one thing with another. It’s also something that we’ve seen happen with security for IBM® software over the years too: security patches = security for IBM® software. 

Think about it: there’s an announcement of a vulnerability for IBM® WebSphere and almost instinctively, your mind wanders to where and how quickly you can get a security patch for it. Of course, there’s no surprise that this is common because it’s IBM’s responsibility to provide the patches! 

But security patches aren’t the only way your company can protect itself against vulnerabilities. In fact, there are a lot of things a business can do with its software to protect itself from vulnerabilities before they’re even discovered. 

Here at Origina, we implement a layered approach to cybersecurity for our independent third-party software support customers so that they’re not relying on a security patch as their saving grace. Let’s walk through why and how we do it. 

Security Patches: Not a Silver Bullet 

We often hear from prospective customers, “How can Origina keep our software secure if it can’t write security patches for it?” and it’s a fair question to ask.  

While we can of course help a customer install security patches that they’re entitled to – which can mitigate a new vulnerability depending on what it is – we obviously can’t write a security patch for a brand new vulnerability because that would be infringing on IBM’s code. But that also doesn’t mean there’s nothing that can be done to secure a product without a security patch. 

Let’s take a step back – what do you get with a security patch? You might think of it as IBM protecting your software, but in reality it’s IBM protecting its own software from security risks. In other words, IBM doesn’t release that security patch because it knows your security strategy relies on it. It releases the security patch because it wants to shore up any faults in its product! 

That’s an important distinction to make because when the foundation of your security strategy is to wait on another company to release a security patch, you may find that its interests don’t necessarily match up with your own. It could take IBM months to develop, test and release a security patch – if they do at all – during which time, the vulnerability still remains at risk of being exploited. 

This isn’t all to say that security patches aren’t valuable, because they certainly are. IBM® Fix Packs and security patches are the first place we’ll look when we find a vulnerability in a customer’s application. It’s important to recognize though that they’re not the gold standard for security; they’re the safety valve. 

An effective, well-executed security strategy will aim to reduce what’s called the attack surface, which is essentially the amount of potential entry points a cybercriminal can exploit. By closing off the attack surface, there’s less of a chance you’ll even need a security patch. 

While security patches play a part in closing off those entry ways, their role is small compared to some of the other tactics that can be used. These techniques won’t supplant a security patch, but they will greatly supplement what a security patch accomplishes – protecting your business from security risks. 

Origina’s Layered Approach to Cybersecurity 

Origina builds security into the software support and maintenance conversation from day one with its service transition review. By taking the time to identify common security risks – and threats to performance and stability! – that have gone unresolved, technical teams can begin sealing off the attack surface with best practice recommendations. 

Through product hardening, companies can configure IBM applications in the most secure way possible. Vulnerabilities will often be composed of common security risks that are easily amended, like user access levels or open ports, and product hardening aims to take those risks out of the equation. In fact, product hardening can reduce as much as 85 percent of security risks! 

We also help customers take advantage of the ModSecurity open-source web application firewall. When properly implemented and leveraged, we’ve found success in mitigating vulnerabilities that still existed after a security patch. The tool relies on common signatures that cybercriminals leave when they launch an attack. By recognizing that signature and preventing that entry point from being abused, companies can effectively ‘virtually patch’ against emerging security threats. 

When a vulnerability or a security risk is identified within a customer’s environment, we’ll then take a look at security patches that they’re entitled to and that we’ve downloaded before they became a customer with Origina. As you can see though, there’s a lot of work that takes place before then! 

We’ll first check the collection of Fix Packs and security patches that the customer is entitled to. If there isn’t a solution there, we’ll look to what’s called a ‘workaround’ as a way of mitigating the vulnerability. These are product-specific fixes that involve our independent Global IBM® Experts looking at how the vulnerability is exploited and implementing changes to the way the application is used or runs to stop a cybercriminal from exploiting it. If those defence mechanisms fail, we’ll look to develop, test and implement independent code, which provides the same benefit as a security patch without us infringing on IBM’s copyrights. 

If you want to learn more about our approach to security, there’s a great webinar on it located here.

Security Patches: The Whole Strategy, or a Part of It? 

Security patches are an incredibly important part of a well-maintained security strategy and they should always be accounted for when considering how to protect an application. But they can’t be relied on as the only line of defense because there are other options out there that can prevent the possibility of a vulnerability affecting a business. 

Here at Origina, we incorporate security patches as a part of the bigger picture. They’re not a silver bullet, get out of jail free card – they’re one of the elements of a secure infrastructure. 

Watch our webinar to learn more about how we deliver security or read our guide to third-party software support to get more information on the risks and advantages of independent support for IBM® software.