
The time of much patching is coming

Published: 2026-05-14T18:00:24+00:00
Tags: ransomware, APT, vulnerability

In this week’s newsletter, Martin reflects on what the next iteration of AI tools means for vulnerability discovery and our ability to manage large-scale patch releases.

Welcome to this week’s edition of the Threat Source newsletter.

Many solutions have been proposed to reduce software bugs: zero-defect mandates, pair programming, formal methods, and mathematical software proofs. The reality is that software engineering is hard. Identifying and fixing bugs before they make it into production code is hard. Source code peer review and extensive unit testing have improved code quality, but bugs still get through.

Not every bug is a vulnerability, and not every fault that appears to be a vulnerability can be usefully exploited.

Nevertheless, through extensive testing and review, a skilled vulnerability researcher can still uncover faults in software that has already undergone rigorous quality assurance. However, skilled vulnerability researchers are a scarce resource and can only review so much software.

AI is the great hope for improving software quality. Iterative improvements in AI's ability to find bugs mean that each new version of these systems is better than the last.

We’re now at the point where AI, although still not as good as a skilled vulnerability researcher, can scan code to find errors at a scale and speed that human analysis cannot match. Used well, it can identify potential vulnerabilities before they reach production.

In the long term, this is very good news. Better automated review and analysis of software is how we will improve code quality. However, in the short term, decades of technical debt and latent errors will be uncovered and will need to be addressed.

To make things more complex, threat actors will have access to these same tools to search for exploitable vulnerabilities for their own ends.

The result is likely to be a surge in patches. More vulnerabilities discovered means more fixes released, placing additional pressure on already stretched operations teams. Many of these patches will be urgent; some will address vulnerabilities that are being actively exploited. Without proper planning, the volume of fixes may outpace an organization's capacity to deploy them. The surge of patches has yet to happen, but the first signs may already be visible.

Now is an excellent time to consider how you prioritise patching, apply patches at scale, and manage systems that cannot be patched quickly — or at all. We can reflect on these questions now, and improve our processes, or we can flounder when the surge of patches arrives. Either way, ready or not, the time of much patching is coming.

The one big thing

In Cisco Talos’ latest blog, we outline the differences between responding to state-sponsored threat actors and handling commodity ransomware.
