Upstream is June 5, and wow, our schedule is shaping up brilliantly. Over the next few weeks we’ll give you a sneak preview into some of the talks and the speakers giving them via posts like these. RSVP now!
How does your organization currently think about vulnerability management? Is your goal to “patch everything” to try to get the number of vulnerabilities left in your codebase to zero? This sounds like a noble goal, but as the chart below shows, the number of vulnerabilities being reported increases exponentially year over year, which is one of the things that makes this a very challenging strategy to execute.
Development teams are now often overwhelmed triaging long lists of vulnerabilities, with little context on which ones matter most to patch in order to actually reduce risk. Open source maintainers are likewise swamped with vulnerability reports to investigate, many of which turn out to be false positives. We’ve managed to create an endless game of security whack-a-mole and, worst of all, it may not be delivering the outcome we want in the first place: genuine risk reduction.
In the spirit of this year’s Upstream theme, “unusual ideas to solve the usual problems,” we asked Forrest Brazeal to do a series of cartoons illustrating some of the “usual problems” facing open source that need unusual solutions, and he happened to pick this very subject for one of them.
Against this backdrop, we are delighted to welcome Vincent Danen, vice president of Red Hat Product Security, as a first-time speaker at Upstream this year! Vincent will be joining Tidelift CEO and co-founder Donald Fischer to suggest a very unusual way to improve open source software security: a patch management revolution!
Earlier this year, Vincent wrote a blog post series entitled “Patch management needs a revolution” in which he makes the case that we haven’t really challenged our thinking around “patching everything” in about 40 years. Yet, available evidence shows that most vulnerabilities do not and will not ever see exploitation. Vincent makes the point that even if we patch everything at once, that will probably only reduce the number of breaches by 5%.
By changing how we think about open source software supply chain security from an exercise in creating “vulnerability-free” software (a compliance-driven exercise) to one where the purpose is minimizing the potential or severity of a breach (a risk-driven exercise), we may actually reduce our security costs and improve our outcomes at the same time.
If this sounds like the kind of revolution you’d like to join, or if your organization is feeling the pain of being on the “patch everything” vulnerability management journey, join us at Upstream on June 5 to hear Vincent share his ideas in person.
About Vincent Danen
Vincent joined Red Hat in 2009 and has been working in the security field, specifically around Linux, operating system security, and vulnerability management, for over 20 years. These days his focus is more on growing talented leaders and leadership skills and on protecting customers and communities from existing and emerging digital security threats. Vincent believes in open source principles such as meritocracy, transparency, and collaboration, and uses them daily to achieve these goals, along with core personal principles such as integrity, honesty, and trust.