The Time of Much Patching is Coming

The reality is that software engineering is hard. Identifying and fixing bugs before they make it into production code is challenging. Source code peer review and extensive unit testing have improved code quality, but bugs still get through. Not every bug is a vulnerability, and not every fault that appears to be a vulnerability can be usefully exploited. However, skilled vulnerability researchers are a scarce resource and can only review so much software. AI is the great hope for improving software quality. Iterative improvements in AI’s ability to find bugs mean that each new version of these systems is better than the last. We’re now at the point where AI, although still not as good as a skilled vulnerability researcher, can scan code to find errors at a scale and speed that human analysis cannot match. Used well, it can identify potential vulnerabilities before they reach production.

In the long term, this is very good news. Better automated review and analysis of software is how we will improve code quality. However, in the short term, decades of technical debt and latent errors will be uncovered and will need to be addressed. To make things more complex, threat actors will have access to these same tools to search for exploitable vulnerabilities for their own ends.

The result is likely to be a surge in patches. More vulnerabilities discovered means more fixes released, placing additional pressure on already stretched operations teams. Many of these patches will be urgent; some will address vulnerabilities that are being actively exploited. Without proper planning, the volume of fixes may outpace an organization’s capacity to deploy them.

The surge of patches has yet to happen, but the first signs may already be visible. Now is an excellent time to consider how you prioritize patching, apply patches at scale, and manage systems that cannot be patched quickly—or at all. We can reflect on these questions now and improve our processes, or we can flounder when the surge of patches arrives. Either way, ready or not, the time of much patching is coming.
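The questions raised above (how to prioritize, how to handle a backlog larger than the team can deploy per cycle, and what to do with systems that cannot be patched) can be made concrete with a small triage model. The following is an added example, not code from the original post or its author; the weighting scheme, the `Patch` record layout, the per-cycle capacity and the sample patch list are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Patch:
    """One pending fix. Field meanings are assumptions for this example."""
    id: str
    severity: float          # base severity on an assumed 0-10 scale
    actively_exploited: bool  # vendor/CERT reports exploitation in the wild
    internet_exposed: bool    # affected asset is reachable from the internet
    patchable: bool           # False if the system cannot take the patch quickly or at all


def priority_score(p: Patch) -> float:
    """Assumed ranking: active exploitation dominates, exposure next, severity last.

    The additive bonuses are chosen so that any exploited patch outranks any
    non-exploited one regardless of severity, and any exposed patch outranks
    any unexposed one within the same exploitation class.
    """
    score = p.severity
    if p.actively_exploited:
        score += 20.0
    if p.internet_exposed:
        score += 10.0
    return score


def plan_patching(patches: List[Patch], capacity_per_cycle: int) -> Tuple[Dict[int, List[str]], List[str]]:
    """Assign patchable fixes to deployment cycles in priority order.

    Returns (schedule, needs_mitigation): schedule maps cycle index -> patch ids
    deployed in that cycle (at most capacity_per_cycle each); needs_mitigation
    lists fixes for systems that cannot be patched and therefore need a
    compensating control (isolation, filtering, monitoring) instead.
    """
    if capacity_per_cycle < 1:
        raise ValueError("capacity_per_cycle must be at least 1")
    ranked = sorted(patches, key=priority_score, reverse=True)
    schedule: Dict[int, List[str]] = {}
    needs_mitigation: List[str] = []
    cycle = 0
    for p in ranked:
        if not p.patchable:
            needs_mitigation.append(p.id)
            continue
        if len(schedule.setdefault(cycle, [])) >= capacity_per_cycle:
            cycle += 1
        schedule.setdefault(cycle, []).append(p.id)
    return schedule, needs_mitigation


def cycles_needed(patches: List[Patch], capacity_per_cycle: int) -> int:
    """How many deployment cycles the current backlog consumes at this capacity."""
    schedule, _ = plan_patching(patches, capacity_per_cycle)
    return len(schedule)


# Constructed sample backlog (identifiers and values are made up for the example).
SAMPLE_PATCHES: List[Patch] = [
    Patch("P-1", 7.5, actively_exploited=True, internet_exposed=True, patchable=True),
    Patch("P-2", 9.8, actively_exploited=False, internet_exposed=True, patchable=True),
    Patch("P-3", 5.3, actively_exploited=True, internet_exposed=False, patchable=True),
    Patch("P-4", 8.1, actively_exploited=False, internet_exposed=False, patchable=True),
    Patch("P-5", 9.1, actively_exploited=True, internet_exposed=True, patchable=False),
    Patch("P-6", 6.5, actively_exploited=False, internet_exposed=True, patchable=True),
]


if __name__ == "__main__":
    schedule, mitigate = plan_patching(SAMPLE_PATCHES, capacity_per_cycle=2)
    for cycle, ids in sorted(schedule.items()):
        print(f"cycle {cycle}: {ids}")
    print(f"needs compensating controls: {mitigate}")
    print(f"cycles to clear backlog: {cycles_needed(SAMPLE_PATCHES, 2)}")
```

The point of running this against a realistic backlog is the `cycles_needed` figure: when it grows faster than the team's cadence, the surge the post describes has arrived, and the answer is either more capacity per cycle (automation, staged rollouts) or a conscious decision about which lower-ranked fixes wait. Note that the highest-scoring item in the sample (`P-5`) is not scheduled at all; an unpatchable but actively exploited, exposed system is exactly the case that needs a compensating control the same day rather than a slot in a future cycle.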

This post is licensed under CC BY 4.0 by the author.