It used to be that a vulnerability was disclosed, a few people who paid attention to such things blogged about it, patches were made, and we went about our day. During this time, not enough people understood the importance of application security and remediating vulnerabilities. It wasn’t mainstream, and it certainly wasn’t considered major news. Application security just wasn’t getting the attention it deserved, and it was frustrating.
Then Heartbleed happened. It was a big deal. It disrupted productivity, caused breaches and shone the light on the fact that open source components are increasing risk in the application layer. Major media outlets covered the news, and the public began to better understand the need for application security.
While Heartbleed had a significant negative impact on businesses, the security industry was glad that at least application security was starting to receive some of the attention the seriousness of the issue required. By simply giving the vulnerability a name rather than a number (CVE-2014-0160), researchers made Heartbleed instantly recognizable and memorable, helping to put a spotlight on the issue. The buzz forced companies to evaluate their own exposure because the name was more real to boards and senior management than a number could ever be.
Soon, security companies started using Heartbleed as a marketing opportunity, because it was widely recognized and easily explained. As they began seeing success with this model, companies also started to do research into vulnerabilities so they could receive press coverage for finding them. Hype was good for business. This resulted in the branding of even minor vulnerabilities. At first, the increased exposure for this problem was positive. But the pendulum is beginning to swing the other way, and I fear this overexposure will cause a backlash.
Do you remember the story of the boy who cried wolf? A young shepherd boy became bored and lonely tending to his sheep, so he yelled “wolf!” and the townspeople came running. When they arrived and noticed there was no wolf, they grumbled and went back to their homes. Amused with himself, the boy repeated his cry several times. Each time, the townspeople came running. Until finally a wolf actually showed up. This time when he called out for help, no one came running because they thought he was lying again. The situation did not end well for the boy.
We’ve all been told a variation of this story. So, I am watching in almost disbelief, minor amusement and a bit of fear as the same scenario is playing out in the security world.
Case in point: Late in March, security researchers pre-announced the disclosure of a vulnerability they call Badlock. The vulnerability won’t be disclosed until April 12, but it already has a website (badlock.org), a logo and marketing/PR hype galore. Pre-announced? It’s like Badlock is a new Apple product, and the researchers expect us to camp outside their offices waiting for the official announcement.
Though Heartbleed and subsequent major vulnerabilities like Shellshock and Ghost did help improve exposure for the critical issue of application security, AppSec still doesn’t receive the attention it deserves. I fear that overhyping minor vulnerabilities by branding them, pushing the topic with the media and, yes, pre-announcing them will cause people to go numb to these announcements. After all, as any journalist will tell you, when something happens too often it ceases to be news.
Today (or rather a few weeks from now), the hype is about Badlock. Tomorrow, the vulnerability disclosure could be akin to “the next Heartbleed” – a widely distributed, remotely executable vulnerability with mass exploitability. But because the frenzy around Badlock, or FREAK or VENOM or the other minor branded vulnerabilities, has caused companies to react quickly in the past, only to find later that this overreaction cost them productivity too, companies will ignore the vulnerability and go about their day. When that happens, the state of application security will be worse off than before vulnerabilities started getting national attention. All the work we’ve done in the security industry to get attention for this critical area will be all but undone.