Patching vulnerabilities is the equivalent of the security industry’s thoughts and prayers, a leading US security expert said during a panel discussion on the topic “Patching Is Pointless” at a recent conference in line titled Hack At The Harbor.
Dave Aite46, a former NSA computer scientist who ran his own security store, Immunity, for many years, says remedies offered by security vendors and big tech companies have been used to lull people into a fake sense of security all these years and to ensure that all the old problems remained.
He was referring to the standard phrase offered by politicians whenever there is a mass shooting in the United States and there are calls to action against guns. The status quo is maintained due to the influence of the arms industry.
Aitel spoke for the motion while his opponent, Phillip Wylie, a well-known offensive security expert and tech evangelist at CyCognito, argued that the patch was not entirely useless, but one of many tools in the game. arsenal of a defender. Wylie’s arguments were somewhat nuanced, while Aitel used clear, concise sentences, with an occasional dash of wicked humor.
the conference was organized by Dot3 Security April 8 and 9. Aitel posted a YouTube clip of the debate on Twitter on April 18.
The patching debate is useless. Phillip Wylie is top right, the moderator is top left and AItel is bottom.
Aitel stressed that if there are any vulnerable devices on a network, they should be removed and replaced with others, rather than permanently patched.
During his time at Immunity – which he sold to Cyxtera Technologies in 2019 – Aitel said many of his clients were large financial firms and he had indicated that any contracts they signed with software vendors also contained a clause that would allow them to get out of contracts if software turned out to be too buggy.
He said it could be a way to prevent large companies from being forced to continue using security solutions even if they were a constant source of grief.
Aitel compared the patches to orange juice – a common part of breakfast in the US – pointing out that for many years people had believed it was the most useful part of the morning meal. In the end, it turned out to be a source of too much sugar and something that made people obese, he added.
He had harsh words for Microsoft and other major software companies, which he said had done little to alleviate the problems posed by shoddy software. He also criticized PHP for its many security issues.
Aitel was no less harsh on Linux, noting that the biggest contributor to the kernel was Chinese telecommunications provider Huawei Technologies, which he said had been indicted by the United States, and asking how anyone could get away with it. content if so many patches came from one company. Of this genre.
On the positive side, he praised ChromeOS, an operating system produced by Google, and recommended using Chromebooks over Windows machines.
Aitel called for vulnerability management, advocating that the government be the best entity to handle this. His argument was that no other entity had enough power to fend off the lobby of large software companies and the security industry.
Surprisingly, the public vote to determine the winner of the debate went to Wylie’s side, with 56% of those present supporting his position.