I was recently reading an interesting article from Eric Parizo at TechTarget -- “Time to ban dangerous apps? Exploring third party app security,” and while I agree with a lot of the points he makes in the article, I would argue that his argument that banning common applications is an answer to protecting your organization will not fly in today’s business world.

As Dan Guido says in the same article, “every single piece of software you have is crap.”  From a hacker/exploiter perspective, there will always be a vulnerable app. When you close down one application with holes, whatever you choose to use instead is going to have similar or other issues attackers can exploit.  

Businesses will also incur the cost and penalty of having to re-train users on these new applications, and if there are dependencies on other software you use -- either COTS (commercial off the shelf) or internal home-grown apps -- then those need to be updated as well. One example is applications that depend on a Java Runtime Environment (JRE).

From a business perspective, I recommend that the old adage, “the best defense is a strong offense” should be followed.

Parizo references two patch management solutions in the article, but says that users “either struggle to quickly identify and test high-priority security patches, or simply don't make it a priority.”  Isn’t that what patch management solutions are for? 

The root problem with many of the solutions in the market today is twofold.  First, many are just too darn expensive for most organizations to afford.  Unfortunately, the true cost of being exploited is not realized by many until too late.  

Second is ease of use. As Parizo writes, Microsoft has gotten much better at protecting its OSes from a security standpoint. It is also one of the few vendors with an update service as mature as Windows Server Update Services (WSUS), which is built into its server OSes to help distribute patches for Microsoft’s own products. However, as Parizo writes, third-party applications get left behind and do not enjoy the same luxury.
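To make that gap concrete, here is an added example (my own, not code from the article or from any patch management product) that inventories the software registered on a Windows host and separates Microsoft-published applications, which WSUS can patch, from third-party ones, which it cannot. It reads the standard registry uninstall keys and assumes a local Windows host with read access to HKLM; the “publisher starts with Microsoft” rule is a heuristic I chose, not a WSUS feature.

```powershell
# Added example: find the third-party applications that WSUS will not patch.
# Reads the registry uninstall keys (64-bit and 32-bit views) that installers
# populate, then splits the list by publisher. Run in an elevated PowerShell
# session for a complete view of machine-wide installs.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Entries without a DisplayName are hidden components or leftovers; skip them.
$apps = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

# Heuristic (an assumption of this example): anything whose Publisher string
# starts with "Microsoft" is treated as Microsoft-published and therefore in
# WSUS scope; everything else is third-party and must be patched another way.
$microsoft  = $apps | Where-Object { $_.Publisher -like 'Microsoft*' }
$thirdParty = $apps | Where-Object { $_.Publisher -notlike 'Microsoft*' }

"Installed applications registered on this host: $(@($apps).Count)"
"Microsoft-published (WSUS scope):               $(@($microsoft).Count)"
"Third-party (not patched by WSUS):              $(@($thirdParty).Count)"

# The third-party list is the one a patch management process has to own.
$thirdParty |
    Sort-Object Publisher, DisplayName |
    Format-Table DisplayName, DisplayVersion, Publisher -AutoSize
```

Two caveats when reading the output: per-user installs (under HKCU) and Store/AppX packages are not in these keys, so the list is a floor rather than a complete inventory, and some third-party products register no Publisher at all and will show a blank column. Even so, the third-party table is a quick, defensible answer to “what on this machine is WSUS not going to fix?”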

I believe patch management should protect both Windows and third-party applications. What about you? Would you ban common third-party apps at your company?