CISA mulls new three-day remediation deadline for critical flaws

Tight window: A CISA spokesperson declined to comment on the Reuters report, but security experts were more forthcoming, with most believing the idea is simply an acknowledgement that modern vulnerability management is evolving.

One source of anxiety was that a three-day timeline would leave little time for meaningful testing, normally a time-consuming and complex undertaking that ensures that a patch, remediation, or workaround doesn’t break any of the systems around it.

“No responsible IT team is going to release patches without proper testing. Even for critical vulnerabilities, 2-3 days is an extremely tight window, especially if they involve complex systems and require wide distribution,” said William Wright of UK penetration testing company Closed Door Security.

“Claude Mythos is a source code reviewer and it doesn’t actively exploit vulnerabilities in the wild. While the model is powerful and could turn up flaws faster, forcing IT teams to respond more rapidly will only lead to poorly-tested stopgaps and cause further problems down the line.”

Another expert questioned whether agencies even fully understood their exposure. “Three days is the wrong question. What you’re really asking is whether agencies can find every system they own, know every dependency, and produce evidence that the patch landed. Most can’t, whether it’s day 3 or day 30,” commented Mit Patel, founder and CEO of MSP continuous verification company Assurix.

Patel continued: “CISA’s been running accelerated timelines since 2021, through KEV and BOD 22-01. The 14-day default already gets compressed for the worst CVEs. Going to three days as standard is a tighter version of something we already do. Agencies that hit 14 days reliably will probably hit three days. Agencies that miss 14 days will miss three days by the same margin.”

However, Adam Arellano, field CTO at API security company Harness, said that moving to a three-day fix window was only possible if agencies had the processes and technology necessary to achieve it.

“A three-day fixed remediation timeline is completely achievable,” said Arellano. “The process isn’t inherently complex, but it’s been made complex over time, especially within government environments that have been slow to adopt modern technologies. With the right systems in place, this can be a streamlined and manageable process.”

To Arellano, the patching window change is inevitable. “The window between a vulnerability being discovered and exploited is shrinking to minutes and soon may be effectively instantaneous,” he said. “Being able to respond almost immediately will be critical.”

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4167422/cisa-mulls-new-three-day-remediation-deadline-for-critical-flaws.html
