You don't have to patch!
Details
A standing premise in engineering and security is that in order to be secure you have to have all security patches applied and your software up to date. This advice seems obviously correct but can also be the source of a lot of frustration, cost and fragility in production systems. Security patches often have to be rushed out, can be poorly tested, sometimes subtly change behavior and can introduce performance, availability and even security problems. Not only that: when vulnerabilities occur in third-party systems, your ability to patch or upgrade can depend on a vendor or another party you don't control.
Infrastructure as Code (IaC) and the use of containers and orchestration have complicated matters: patching any part of the application or infrastructure forces a full application build. For smaller apps this isn't really relevant, but it's a real problem for apps that take hours to build and even longer to test before they can be deployed again. This can strongly discourage people from patching as fast as they can. Automated patching isn't the answer either, as the risk of breaking the application is too high. So, certainly, there must be another way.
What alternatives are there, then? In this talk, we will argue that an alternative is to use sandboxing and isolation to limit the blast radius of exploits. We will also look at three different examples, in networking, in server-side rendering and in a web client, of how you can architect a system using sandboxing and isolation so that, while patching remains necessary, the need to rush a patch out can be mitigated.
Hopefully, this talk can help security professionals better strategize how they spend their efforts, finding a balance between finding, fixing and patching vulnerabilities on the one hand and deploying mitigation or attenuation mechanisms on the other, assuming that no one can ever aspire to be 100% secure.
----
Pedro Fortuna Bio
CTO and Co-Founder at Jscrambler
Once on a trajectory to a full academic career, where he taught security and computer science courses for about 5 years, he ended up falling in love with the fast-paced world of entrepreneurship. He started Jscrambler, where he leads all security research and drives the company's product innovation in application security. He has more than 15 years of experience researching and working on web security. OWASP contributor. A regular speaker at several international security conferences. His main research interests lie in the fields of Application Security, Web Security, Reverse Engineering, Malware, and Software Engineering. Builder of solutions that require code rewriting, sandboxing, or both. Author of several patents in application security.
