July Patch Tuesday forecast: Rules are changing for companies with custom applications

Every month I discuss the regular patches released for operating system or applications, but today I want to focus on some of the development components that are often overlooked. These components are becoming a larger issue for companies who build their own custom applications. Development components may even be an issue for companies who contract or purchase applications from a vendor.

As the world shifts more heavily into DevOps, an increasing number of development binaries are being integrated directly into applications. These binaries incorporate the capabilities of development frameworks directly into the application, rather than existing as a separate installation outside of the application. The result is a change in the rules of how vulnerabilities are addressed.

A good example of this change is .NET Framework vs .NET Core. Many applications have been built on .NET Framework. A specific version of .NET Framework must be installed as a pre-requisite to installing the application. When updates for .NET Framework that resolve security vulnerabilities are released, the patch management products can easily detect and deploy an update to .NET Framework. .NET Core is a component that contains the capabilities of .NET Framework, but is integrated directly into the application.

This eliminates the pre-requisite requirement on install, but also changes the paradigm for how vulnerabilities need to be managed. The development team now has to take on responsibility for updating .NET Core to resolve security vulnerabilities within the application because a patch or update is no longer applicable outside of the development process.

A second example involves the release of Java 11 by Oracle and the elimination of the Java Runtime Environment (JRE). With each quarterly Critical Product Update, Oracle now provides a new version of the Java Development Kit (JDK) containing the latest security fixes and feature updates. Like .NET Core, these component updates must be compiled into any product requiring Java. With previous Java releases, the end-users were required to update their own JRE, but the security responsibility has now shifted to the product developers using these JDK components.

Other examples of development binaries include Apache Struts, ChakraCore, ASP.NET CORE, Open Enclave SDK, and many others.

There has always been a reliance on developers to ensure product security, but the timing and shared responsibilities with the product users becomes very interesting now. In a cloud environment, the DevOps team can update applications at their own pace. If a new Java or .NET Core component is released, they can integrate, test and release so the customers are quickly running on a secure version. However, for on-premise and products allowing customers to apply or enable the updates at their discretion, the responsibility becomes shared.

The developers have the responsibility to provide the updates as quickly as possible, but the customers must accept and apply the updates. This can become challenging as I have seen many customers experience ‘release fatigue’ when the updates come fast and furious under the DevOps release plan. As a result, the customer must pick and choose which updates to apply, resulting in less secure systems. The good news is that in most situations, such as with a quarterly release of Java, the updates are spread out over time and can be applied.

Our recommendation to customers is to have a security conversation with internal development teams or your vendors in the case of custom applications being built outside of the company. Gain a clear understanding of what components are being incorporated into the applications your company uses and ensure they can be and are updated regularly.

Looking ahead to releases for next week:

• In addition to the usual operating system and application updates expected from Microsoft, take note of the security components that will be released.
• Expect several updates from Adobe. We should have the usual Flash updates but may see Acrobat and Reader as well.
• Don’t forget about the Oracle Critical Patch Updates coming out on July 16!