Last week was a big week for vulnerability teams:

plus a variety of patch releases from various other vendors like Linux, Ivanti, Siemens, Schneider Electric, Rockwell!

Now IT and security teams across the world spring into action: confirming whether they run any of the affected products, testing the applicable patches to understand whether they break more than they fix, attending Change Advisory Board meetings to justify the planned outages, and communicating to users which of their applications will be interrupted in the coming weeks, all while hoping the patches can be applied before threat actors reverse engineer them and deploy exploit code. It is an expensive and arduous part of managing IT systems.

I suppose we should be thankful that the vendors put in the effort to create these patches to keep us protected, but wouldn’t it be better if the vulnerabilities didn’t make it into the products in the first place? Imagine a world where vendors are held accountable for the crappy code they sell to us. If you could charge the vendors for the cost of your vulnerability program, they would be incentivized to minimize those costs and write better code. As it is, we pay the licensing fees to use the products AND we pay the bulk of the costs to manage, maintain and patch those systems. Pretty sweet deal for the vendors, pretty crappy deal for the customers. Technology companies make record profits, while customers have chronically underfunded security and vulnerability management teams. This doesn’t seem like a winning formula, and it doesn’t seem like it is going to change any time soon.