“If there’s a new OpenSSL patch that comes out, well, what do I do with that? How do I know which machines in my environment—either virtual or physical—need to be updated? And how do I do it? Who’s going to do it? The whole mitigation plan needs to be an ongoing, long-term effort.”
Fighting the good fight
All agree that as long as there is software, people will look to exploit weakness for whatever nefarious reason. But just because hacking ultimately can’t be stopped doesn’t mean it’s not worth the effort to try to secure software.
Rogue Wave’s Cope put it this way:
“It’s a little bit Darwinian…survival of the fittest. If you are patching these things as fast as you can in your enterprise, you’re going to fend off the hackers that are kind of at the bottom of the hacking food chain, the script kiddies and things like that. They know some basic techniques, maybe they’re old techniques even, but they still work on sites that aren’t being updated and patched. So if you’re doing your job as an enterprise and you’re applying with diligence and mitigating your risks, you’re at least going to cover the older known vulnerabilities, whereas the guy down the street who’s not doing that is going to be an easier target, and therefore the hacker that spends an hour trying to get into your site might find there’s easier pickings down the street. He’s feasting on the next guy and leaving you alone.
“It’s unfortunate, but you’re really not necessarily competing against the hackers; you’re competing against the other guys who aren’t keeping up their defenses as fast as you are. Kind of like, you need to put on your tennis shoes, not that you’re going to outrun the bear, but you’re going to outrun your friend.”