{"href":"http://player.captivate.fm/services/oembed?url=http%3A%2F%2Fplayer.captivate.fm%2Fepisode%2F6f31b0eb-ec8a-4582-8a86-6ca59781409b","version":"1.0","provider_name":"Captivate.FM","provider_url":"https://www.captivate.fm","width":600,"height":200,"type":"rich","html":"<iframe style=\"width: 100%; height: 200px;\" title=\"Security advisories are falling short. Here\u2019s why, with Dustin Childs\" frameborder=\"0\" scrolling=\"no\" allow=\"clipboard-write\" seamless src=\"http://player.captivate.fm/episode/6f31b0eb-ec8a-4582-8a86-6ca59781409b\"></iframe>","title":"Security advisories are falling short. Here\u2019s why, with Dustin Childs","description":"Decades ago, patching was, to lean into a corny joke, a bit patchy.\u00a0\nIn the late 90s, the Microsoft operating system (OS) Windows 98 had a supportive piece of software that would find\u00a0security patches for the OS so that users could then download those patches and deploy them to their computers. That software was simply called Windows Update.\u00a0\nBut Windows Update had two big problems. One, it had to be installed by a user\u2014if a user was unaware of Windows Update, then they were also likely unaware of the patches that should be deployed to Windows. Two, Windows Update did not scale well because corporations that were running hundreds of instances of Windows had to install every update\u00a0and\u00a0they had to uninstall any patches issued by Microsoft that may have broken existing functionality.\nThat time-sink proved to be a real obstacle for systems administrators because, back in the late 90s, patches weren't scheduled. They came when they were needed, and that could be whenever Microsoft learned about a vulnerability that needed to be addressed. Without a schedule, companies were left to react to patches, rather than plan for them.\u00a0\nSo, from the late 90s to the early 2000s, Microsoft standardized its patching process. Patches would be released on the second Tuesday of each month.\nIn 2003, Microsoft formalized this process\u00a0with Patch Tuesday.\u00a0\nAround the same time, the United States National Infrastructure Advisory Council began researching a way to communicate the severity of discovered software vulnerabilities. What they came up with in 2005 was the Common Vulnerability Scoring System, or CVSS. CVSS, which is still used today, is a formula\u00a0that people\u00a0rely on to assign a score from 1 to 10, 10 being the highest, to determine the severity of a vulnerability.\nPatch Tuesday and CVSS are good examples of what happens when people come together to fix a problem with patching.\u00a0\nBut as we discuss in today's episode of the Lock and Code podcast with host David Ruiz, patches\u2014both in effectiveness and education\u2014are backsliding. Companies are becoming more tight-lipped about what their patches do, leaving businesses in the dark about what a patch addresses and whether it is actually critical to their own systems.\u00a0\nOur guest Dustin Childs,\u00a0head of threat awareness for Trend Micro Zero Day Initiative (ZDI), explains the consequences of such an ecosystem.\u00a0\n\n\"If you're not getting the right information about a vulnerability or a group of vulnerabilities, you might\u00a0spend your resources elsewhere and that vulnerability that you didn't think was important becomes very important to you, or you're spending all of your time and, and energy on.\"\n\nTune in today.\u00a0\nShow notes and credits:\nIntro Music: \u201cSpellbound\u201d by Kevin MacLeod (incompetech.com)\nLicensed under Creative Commons: By Attribution 4.0 License\nhttp://creativecommons.org/licenses/by/4.0/\nOutro Music: \u201cGood God\u201d by Wowa (unminus.com)","thumbnail_width":300,"thumbnail_height":300,"thumbnail_url":"https://artwork.captivate.fm/f127dab6-61cc-403a-bb7f-b7c63caa5051/lock-and-code-logo-2021-ar2rs.jpg"}