The Evolution of Vulnerability Management: From 2003 to Today
The year is 2003. It’s a Saturday afternoon and you’ve just finished speed reading the copy of Kevin Mitnick’s The Art of Deception that Jay at work lent you last week, switched on your new iPod to listen to some music, and you’re absent-mindedly wondering what Jennifer Lopez and Ben Affleck’s wedding will be like.
Firing up your computer and connecting to dial-up to jump on the internet, you immediately head to Slashdot. The latest news is a bit ominous: ‘MS SQL Server Worm Wreaking Havoc.’ Apparently, 5 of the world’s 13 root nameservers are down. Hopefully, this won’t be a headache at work on Monday…
2003 was a lifetime ago
Twenty years is an eternity in the tech world. Back in 2003, the cyber attacks making headlines were worms, MySpace was just starting out, and the hacker group Anonymous was formed. While personal computing was becoming pervasive in much of the world, enterprise cybersecurity was still a relatively niche field. In Bruce Schneier’s talk at NetSec 2002, he wisely said, “Adequate security at a reasonable cost is what companies require, and CEOs won’t start to care about security until it gets monetized.”
Back then, companies needed to be sold on the idea of cybersecurity. Typically, it was only banks and very large businesses that were investing the time and energy into adequate vulnerability management. The smartest people in the room were sounding the siren, but few were listening.
Fast forward to 2023
These days, of course, security is an essential function within any organization, big or small. Without vulnerability management tools and processes in place, organizations leave themselves open to an excessive amount of risk. The results of inadequate security programs can be attacks leading to loss or leaks of data, serious reputational damage, and even steep fines.
In 2003, cyber-attacks were feared because they were unknown, not because you thought they would happen to your business. In 2023, the fear is there because you now know that it could happen to your business. But the good news is that software security has come a long way.
Vulnerability management in the past
In 2003, vulnerability management was a different space. The skills required to choose, interpret, and coordinate scanning activities were more technically intensive than they are today. Patching required a significant time investment, and systems often went offline for lengthy periods while changes were rolled out and tested. Orchestration and automation were typically only available through custom internal scripting. In most businesses there was usually only one person who knew and cared about security. OWASP had only recently been established.
Five years later, WikiLeaks was making mainstream news after publishing military documents from Guantanamo Bay. This was big news in the cybersecurity space because of what it revealed about trusted insiders, contractors, and the monitoring of data flows. If classified documents could be leaked by trusted insiders within the US military, then every business was at risk. Vulnerability management programs adapted to this new perspective. From others’ security incidents comes a chance for us to do better, after all.
WikiLeaks went on to publish many troves of information over the next few years: whistleblowing was hot. A 2009 ESG survey reported that “33% of the security professionals surveyed rated their enterprise organization as either “fair” or “poor” at classifying and tracking confidential data.” As governments and enterprises struggled to respond to this shift in security practices, executives finally hit the ‘GO’ button on funding for security. Tools became more user-friendly, better maintained, more functional, and more modular than their previous versions.
From 2013 until now
Over the past 10 years, the number of large-scale data leaks has exploded as attackers have become more focused in their efforts to steal valuable data. 2013 saw the launch of the HaveIBeenPwned website, where users can check whether their email address appears in any of the known, reported data breaches. As data breaches went up, so did regulation around the world covering the protection of confidential data at rest and in transit and the reporting of data breaches. In 2022, Didi Global was fined a huge $1.19B for violating laws including China’s Personal Information Protection Law. Accordingly, compliance activities within businesses became a big focus, and vulnerability management processes aligned with that focus. Pre-Covid, ransomware was the big scary thing in the room, growing at a similarly scary rate, as businesses faced paying a ransom, losing access to systems and data, or both.
Over the past few years, more insidious and harder-to-pin-down attacks have come through the software supply chain: infiltrating systems via a software package that is bundled inside someone else’s software package (and so on). Existing vulnerability management tools may surface every third-party package a system uses directly, but do they also map each of those packages’ own dependencies? A vulnerable package three levels down the tree is still loaded into your process, and it rarely appears in the list of things you chose to install. This web of transitive dependencies can make software security very difficult, and it is a good AppSec lesson in minimizing dependency footprints and isolating applications.
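The gap between a direct-dependency view and a transitive one is easy to see by walking a dependency graph. The script below is an added example, not code from the original post or from ArmorCode: it parses a constructed, minimal CycloneDX-style SBOM (the package names, versions, and the single advisory are all hypothetical), lists what a root component depends on directly, then walks the full transitive closure and reports the path by which each flagged package was reached.

```python
import json
from collections import deque

# Constructed, minimal CycloneDX-style SBOM for illustration. The bom-ref
# values, package names, and versions are hypothetical; the "components" and
# "dependencies" sections mirror the real CycloneDX JSON layout.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"bom-ref": "web-app@1.0.0",     "name": "web-app",     "version": "1.0.0"},
    {"bom-ref": "http-client@2.3.1", "name": "http-client", "version": "2.3.1"},
    {"bom-ref": "url-parse@0.9.2",   "name": "url-parse",   "version": "0.9.2"},
    {"bom-ref": "log-fmt@4.0.0",     "name": "log-fmt",     "version": "4.0.0"},
    {"bom-ref": "json-util@1.2.0",   "name": "json-util",   "version": "1.2.0"}
  ],
  "dependencies": [
    {"ref": "web-app@1.0.0",     "dependsOn": ["http-client@2.3.1", "log-fmt@4.0.0"]},
    {"ref": "http-client@2.3.1", "dependsOn": ["url-parse@0.9.2"]},
    {"ref": "url-parse@0.9.2",   "dependsOn": ["json-util@1.2.0"]},
    {"ref": "log-fmt@4.0.0",     "dependsOn": []},
    {"ref": "json-util@1.2.0",   "dependsOn": []}
  ]
}
"""

# Constructed advisory list keyed on (name, version). Hypothetical entry for
# demonstration only; it does not describe a real vulnerability.
ADVISORIES = {
    ("json-util", "1.2.0"): "hypothetical advisory: unsafe deserialization",
}


def load_graph(sbom_text):
    """Return (bom-ref -> (name, version)) and (bom-ref -> [child bom-refs])."""
    sbom = json.loads(sbom_text)
    components = {c["bom-ref"]: (c["name"], c["version"]) for c in sbom["components"]}
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}
    return components, edges


def direct_dependencies(edges, root):
    """What the root declares itself: the view most package manifests give you."""
    return set(edges.get(root, []))


def transitive_dependencies(edges, root):
    """Breadth-first walk of everything reachable from root.

    Returns {bom-ref: path} where path is the chain of refs from root to that
    dependency. A 'seen' set guards against cycles in the graph.
    """
    paths = {}
    queue = deque([(root, [root])])
    seen = {root}
    while queue:
        node, path = queue.popleft()
        for child in edges.get(node, []):
            if child in seen:
                continue
            seen.add(child)
            paths[child] = path + [child]
            queue.append((child, path + [child]))
    return paths


def find_affected(components, refs, advisories=ADVISORIES):
    """Refs whose (name, version) matches an advisory entry."""
    return {ref for ref in refs if components[ref] in advisories}


def report(sbom_text, root):
    components, edges = load_graph(sbom_text)
    direct = direct_dependencies(edges, root)
    transitive = transitive_dependencies(edges, root)
    direct_hits = find_affected(components, direct)
    all_hits = find_affected(components, transitive.keys())
    return {
        "direct_hits": sorted(direct_hits),
        "transitive_hits": sorted(all_hits),
        "paths": {ref: transitive[ref] for ref in all_hits},
    }


if __name__ == "__main__":
    result = report(SBOM_JSON, "web-app@1.0.0")
    print("flagged among direct dependencies:", result["direct_hits"])
    print("flagged anywhere in the tree:     ", result["transitive_hits"])
    for ref, path in result["paths"].items():
        print("reached via:", " -> ".join(path))
```

In this constructed graph the flagged package never appears in the direct-dependency list; it only shows up once the walk follows http-client to url-parse to json-util. That path is the piece of information you need when deciding whether a dependency can be dropped, pinned, or isolated, and it is exactly what a scanner that stops at first-level packages cannot give you.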
ArmorCode can help with modern risk-based vulnerability management
In 2023, you may be surprised that Jennifer Lopez and Ben Affleck actually did get married (albeit 20 years later). What you don’t want is to be surprised and unprepared without a vulnerability management solution that has kept pace with modern threats to data and systems, with real-time information available at a glance. Modern vulnerability management is about more than infrastructure. Vulnerabilities are found in applications as well, and that attack surface must be brought into the picture. The ArmorCode platform unifies application security and infrastructure vulnerability management to help organizations understand and improve the state of their overall product risk, so they can build more secure software right from the very beginning.
Speak with an ArmorCode vulnerability management expert to learn more about our unified vulnerability management platform and how it can benefit you.