My team is overwhelmed with the constant flow of 3-4 new CVEs for OpenSSL every month, and we're struggling to keep up with our backlog. We're spending more time dealing with potential security issues rather than actually developing new features. Many of these vulnerabilities don't even affect how we use OpenSSL, yet we still have to justify why we're not updating immediately. Plus, we have containers where OpenSSL is included, even if our apps don't actually use it. Has anyone found a way to tackle this ongoing challenge without compromising our velocity or burning out the security team?
8 Answers
Why not just update OpenSSL if it's stable? Unless your applications are super fragile or your patching process is overly complicated, you should be able to do it seamlessly and handle issues through testing. Streamlining the update process could really help.
Your team feeling burnt out over patching is a sign that something's off with your process. Automation is key! Start by automating the OpenSSL updates. You could send monthly reports to your security team saying it’s been patched. Keeping it simple could save you from diving down the rabbit hole.
Switch to distroless or minimal base images instead of using bloated ones that have OpenSSL. There are tools like Minimus that can help you work with minimal images more efficiently. Most of these come with software bills of materials too, which highlight what's actually a threat versus what’s just theoretical.
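One way to turn the SBOM point into an auditable record, as an added example that is not code from any answer here: a small Python triage that reads an image SBOM plus a record of which shared libraries the application binaries actually load, and emits OpenVEX-style statements per advisory so "OpenSSL is installed but nothing uses it" is documented once instead of re-argued every month. The SBOM, link inventory, advisory list, image name and the PROVIDES mapping are all constructed sample data, and the CVE ids are placeholders.

```python
"""Added example: map advisories against an image SBOM plus a runtime link inventory
and emit OpenVEX-style triage statements. All data is constructed sample data;
the CVE ids are placeholders, not real advisories."""

# Constructed CycloneDX-style SBOM fragment for the image.
SBOM = {"components": [{"name": "openssl", "version": "3.0.13"},
                       {"name": "libssl3", "version": "3.0.13"},
                       {"name": "myapp", "version": "1.4.2"}]}

# Constructed inventory of shared libraries each app binary actually loads (collect it
# from ELF NEEDED entries or ldd in a test environment). Assumes dynamic linking: a
# statically linked or vendored OpenSSL copy will not appear here and needs its own check.
LINKED_LIBS = {"/usr/local/bin/myapp": ["libc.so.6", "libz.so.1"]}

# Constructed advisories: affected package and first fixed version.
ADVISORIES = [{"id": "CVE-0000-0001", "component": "openssl", "fixed_in": "3.0.14"},
              {"id": "CVE-0000-0002", "component": "libxml2", "fixed_in": "2.12.0"},
              {"id": "CVE-0000-0003", "component": "openssl", "fixed_in": "3.0.10"}]

# Shared-library name prefixes each package provides (assumed mapping for the sample).
PROVIDES = {"openssl": ("libssl.", "libcrypto."), "libssl3": ("libssl.", "libcrypto.")}


def parse_version(v):
    """Dotted numeric version string to a comparable tuple (enough for the sample)."""
    return tuple(int(p) for p in v.split("."))


def triage(sbom, linked_libs, advisories, image="registry.example/myapp:1.4.2"):
    """Return one OpenVEX-style statement per advisory for the given image."""
    installed = {c["name"]: c["version"] for c in sbom["components"]}
    loaded = {lib for libs in linked_libs.values() for lib in libs}
    statements = []
    for adv in advisories:
        name, action = adv["component"], None
        if name not in installed:
            status, why = "not_affected", "component_not_present"
        elif parse_version(installed[name]) >= parse_version(adv["fixed_in"]):
            status, why = "fixed", None
        elif not any(lib.startswith(PROVIDES.get(name, (name,))) for lib in loaded):
            # Installed but nothing loads it: record the justification, keep it on the
            # normal patch cadence, and stop treating it as an emergency for this image.
            status, why = "not_affected", "vulnerable_code_not_in_execute_path"
        else:
            status, why = "affected", None
            action = f"update {name} to {adv['fixed_in']}"
        statements.append({"vulnerability": adv["id"], "product": image, "status": status,
                           "justification": why, "action": action})
    return statements
```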
Just be glad you have work and a paycheck! It's all part of the job.
Consider implementing automatic patching. It can save you a ton of time and reduce the manual workload.
I just make sure to update all our Tomcat servers every month. It helps keep things secure without adding too much hassle.
Automate as much as possible with testing and approvals. Then just focus on the patches that remain after your automated patch cycle is complete.
If you don’t use OpenSSL, can you shut down unnecessary ports and services? Or turn off protocols that aren’t in use? The less you have to patch, the simpler things become. Also, consider tools that assist with patching or tracking the time spent on it to evaluate if you're stretched too thin.

Some OEMs and MSPs are quite strict about supporting only certain versions. That's why I've set up a reverse proxy on a system that gets automatically patched. If OpenSSL is only for encryption and not directly affecting anything, they can't really refuse support based on version.