January 23, 2023

Software patching is the best way to reduce security and vulnerability risks, right? Wrong. Businesses are often surprised to learn that patching–which is touted by enterprise application providers like Oracle as the core to any good security posture–actually isn’t all that effective at reducing risk.

In 2022, over 20,000 common vulnerabilities and exposures (CVEs) were identified, but data shows that only 10% of CVEs ever get patched! And even when a vulnerability does get patched, it’s far from a quick and simple solution. On average, organizations take 60 days to patch critical vulnerabilities, and 62% of organizations say patching takes a back seat to other priorities.

That’s because patches are time and resource-intensive to test and implement. Additionally, seasoned IT professionals know that patches aren’t always effective. Worse still, patches can wreak havoc on customizations, requiring additional testing and workarounds to ensure there’s no disruption to operations.

Third-Party Support Offers a Proactive Approach to Security

Patching is an entirely reactive security strategy. Vendors only start working on a patch once they discover a vulnerability, leaving customers exposed for some time. This approach is particularly risky for zero-day vulnerabilities, which are vulnerabilities that have been announced publicly but not yet patched, making them easy targets for hackers.

Third-party support providers employ proactive risk mitigation strategies to greatly reduce the potential impact of vulnerabilities even before they’re discovered. This approach effectively protects against the 90% of vulnerabilities that aren’t addressed by vendor patches as well as zero-day vulnerabilities. Gartner supports this strategy, encouraging organizations to invest heavily in mitigation measures, while also stressing that vulnerability management must be tied to an organization’s specific needs rather than a mythical standard.

The approach works. 98% of Spinnaker Support customers rated our security & vulnerability protection as good or better than the original software providers.

All organizations can benefit from a more proactive security posture, but here are three signs that third-party support could make a big impact:

  1. You’re on a legacy version of the software
    Original software publishers decide which versions of their software to issue patches for, and that often does not include legacy versions. Maintaining multiple versions of software is expensive, and enterprise application providers want to incentivize customers to move to the latest version. As software versions near their end of maintenance date, vendors may start to increase support fees and warn customers about the loss of security patches to encourage upgrades. Third-party support providers have an entirely different operating model and have no business motive for incentivizing customers to upgrade. If you’re not ready to upgrade your software yet, a third-party support provider will ensure your system is protected from security risks, whatever version you’re running.
  2. Your system is heavily customized

    Original software publishers typically do not cover issues that involve custom code, the customer has to fix it themselves. Plus, if there is a concern that a patch may break a customization, the customer may choose not to implement it. This puts customers in a difficult position: you can either customize your solution to meet your precise needs knowing that you’re creating security risks, or you can forgo customizations to maintain consistent support and security protection. With third-party support you won’t have to choose. Your third-party support provider will conduct a personalized risk assessment and implement strategies to harden your system whether you’re running standard code or a heavily customized solution.

  3. Your IT resources are stretched thin

    Patches require significant manual effort to implement and test, so when resources are constrained, IT teams often focus on more strategic initiatives. As is the common refrain in challenging economic times, businesses are asking their teams to “do more with less”. For IT, this often means things like patching get moved to the back burner to make room for implementations or optimizations of technology that directly impacts the customer experience. Additionally, zero-day vulnerabilities create acute challenges when IT resources are stretched thin. In these scenarios, a rapid response is crucial to maintain security and prevent against breaches. Putting zero-day vulnerabilities on the back burner is not an option. By leveraging third-party support, IT teams can supplement their internal security processes with proactive risk mitigation to enhance their overall security posture. This is an incredibly effective way to ensure security risks are being actively combatted while allowing internal resources to focus on business-critical technology initiatives.

Spinnaker Support Delivers Proactive and Personalized Security

We believe that true security is a process, not a patch. That’s why we take a customer-focused approach to security that is designed to proactively identify risks and harden your system as part of the on-boarding process.

We focus on weaknesses, not vulnerabilities. At the beginning of our engagement, we conduct a custom risk review and implement attack surface reduction measures that improve your security posture from the start. As a result, when a vulnerability is detected and Oracle issues a patch, it is likely that your system is already protected and no additional measures are needed. In fact, the protections offered through the Spinnaker approach may be broader and more effective than the protections offered by the patch.

We also know that every customer has unique security needs depending on their software version, customizations, and data privacy requirements. With Spinnaker, you will have an assigned engineer who knows your system inside-out and delivers the appropriate security tools and strategies for your unique requirements.

Download the full guide to Maximizing Security with Third-Party Support to learn more about how Spinnaker Support enhances your security.