We’ve all been there. You’re dependent on some common third-party hardware or software, and someone finds a nasty vuln. “Hello!”, you say to the vendor. “Please fix your stuff.” “It’s not so simple,” they reply. “Why don’t you just Turn It Off?” You throw your hands up in the air and scream, “Hasa Diga Eebowai!” “It’s ok,” they tell you. “I Am Here For You.” Now you’re getting outraged, and you’re certain they’re just Making Things Up Again, but like an All-American Prophet, they have produced a patch. “I Believe that this will resolve your problem,” they say. You’re pretty sure this is a Spooky Mormon Hell Dream, but you decide to Man Up and apply the update, for Tomorrow is a Latter Day. The crisis is averted, albeit at much personal effort, and you both have walked Two By Two through this challenge, right to the legendary (and possibly mythical) Sal Tlay Ka Siti.
Alright, fine! I’m pandering and I can’t finish this entirely in song titles, but this is just as relatable of a story. Someone finds a vulnerability, the vendor fixes it, they issue a patch, you apply it. That’s the end, right? How hard could it be? This is a story from the other side of the keyboard – a “day in the life of a product security incident response team” (PSIRT) member, if you will. After over a decade building vulnerability management programs, I shifted into product security, and now I will spill all our secrets of all the things I definitely did not think about that happen behind the scenes before you get that nice and tidy CVE notification.