Products
Contrast Application Detection and Response (ADR)

Contrast Application and API Security Testing (AST)

Contrast One^TM

Contrast Runtime Security Platform

Contrast Protect (RASP)

Contrast Assess (IAST/DAST)

Contrast Scan (SAST)

Contrast Software Composition Analysis (SCA)
Developer Central

Log4j Response

Pricing

How We Compare

Languages

Integrations
Solutions
BY USE CASE

Why IAST?

DevSecOps

Automated Penetration Testing

AppSec Monitoring

API Security

Software Supply Chain Security

Runtime Protection

Software Bills of Materials (SBOMs)

GitHub CI/CD

Compliance Testing

Services

BY DEPARTMENT

Dev and DevOps Teams

Security

DevSecOps

CISO

BY INDUSTRY

Government

Financial Services

Healthcare

Others
Partner
Technology Partners

Systems Integrators

Ecosystem Integrations

Managed Security Services Providers

Channel Partners Overview

Cloud Partners

GitHub
Partner Program Overview

Become a Partner

Find a Partner

Visit Partner Portal
GITHUB ACTIONS BLOG SERIES, PART 1: PIPELINE NATIVE CODE ANALYSIS

Read the Blog
Customers
Company
About Us

Leadership Team

Culture & Careers

Women of Contrast

Contact Us
Blog

Events & Webinars

Newsroom

Podcast

Awards
Contrast Security recognized as a Visionary by Gartner in Application Security Testing.

Learn More
Resources
Contrast for Developers

Contrast Secure Code Learn Hub

Contrast Community

Resource Center

OWASP Top 10

Accountability & Transparency

SBOMs

ContrastLive

Support

Services

Trust Center

Documentation

Product Release Notes

Blog

Podcast

Events

Glossary
Contrast Incident Response Hub

Spring4Shell Vulnerability

Log4j Vulnerability

Weekly CISO Update

Trust Center
Developers

Application Security: Changes to Microsoft Patch Tuesday

By Jeff Williams, Co-Founder, Chief Technology Officer

October 17, 2016

Application Security: Changes to Microsoft Patch Tuesday

Everyone should be patching like Microsoft.

You can argue with some of the tiny details about how Microsoft schedules patches, but the elephant in the room is that nobody has thought through continuous patching better or for longer than Microsoft.

Application-security-patch_tuesday_office_forefront.jpg All software needs to be patched. There will always be new attacks on software, new classes of vulnerabilities, and new zero-days discovered. The only way to handle these is to be really good and fast at patching.

For the vast majority of software, patching is damn near impossible. Commercial products, embedded systems, cars, drones, dishwashers, televisions, etc… It’s virtually impossible for the typical user to get and apply patches. That’s the Achilles’ heel in the Internet of Things. We are going to be dealing with this for decades.

Most open source doesn’t patch at all. Instead, you just have to move on to the next version of the software. This could involve many API changes that require recoding, retesting, and redeployment. That’s just not feasible for many types of software. Heck, it’s pretty close to impossible to even get notified that libraries you are using even have a problem.

The average time between a vulnerability being published and the surge of exploits is 4 days. That’s the window for patching. We are in the Stone Age here. We need end-to-end notification and patching across the entire software supply chain. We simply have to make this problem easier.

Application security patches are particularly critical, and we have some alternatives here. They might be traditional software patch with the concomitant installation and testing issues. But security patches might also be designed to defeat the attack, rather than trying to fix the software. This might seem like a minor difference, but using Runtime Application Self-Protection (RASP) minimizes the work required to effectively stop new vulnerabilities and attacks without requiring a complete software update.

So whatever you think about Microsoft’s recent changes, it’s clear that almost everyone else nowhere even close. Basically, we need a “Windows Update” for everything – particularly those Internet Things we keep hearing about.

Thought Leaders

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.

TechTarget: "Getting runtime application self-protection launched"

Is There a 3rd Category of Application Security Tools Beyond Static & Dynamic?

BY USE CASE

BY DEPARTMENT

BY INDUSTRY

GITHUB ACTIONS BLOG SERIES, PART 1: PIPELINE NATIVE CODE ANALYSIS

Contrast Security recognized as a Visionary by Gartner in Application Security Testing.

Contrast Incident Response Hub

Application Security: Changes to Microsoft Patch Tuesday

Jeff Williams, Co-Founder, Chief Technology Officer

Loving our content? Subscribe now!