Let’s say I’m using an open source CMS and they put out a security update that only affects the backend. They say that it will fix a vulnerability where a back-end user can do XSS scripting.
Well, if I am the only person who can log into the backend, I don’t have any other users set up, and it is not a site where users can create logins, then do I really need to perform this security update to my code? Since I know I will not be doing XSS scripting to my own code. And if a hacker is able to hack into the back end, they can ruin my site with or without this vulnerability anyway.
Do you really need to fix backend vulnerabilities if you are the only backend user?
I’ve done some follow-up of suspicious log file entries before. Trust me, it won’t be long after a vulnerability gets announced before the script kiddies will be scanning sites attempting to exploit it.
I concur, why on earth would you not bother to keep things up-to-date if there’s no extra cost involved? Like the saying goes, you’re only as strong as your weakest point, why take the chance of something happening when it can be avoided with a bit of maintenance.
Long answer: it depends on your contract, support level, warranties etc. It also depends on whether or not you have informed/documented that the particular component is this or that open-source product. If not, then the client presumes that you are the maintainer of all created code and that it is your responsibility to at least inform them about these vulnerabilities.
Anyhow, I would at least inform them, so that I make the impression of a caring and responsible partner, and… (if warranty does not apply here) present them an estimated budget of what it would cost them if I were to fix it.
Returning to the original problem - yes, it costs to fix things. That is why usually you make an assessment of how severely a particular vulnerability affects your system. You then apply non-critical patches say monthly, and critical patches weekly or asap.
Suppose you are logged in to your site. Suppose I trick you into clicking something… Are you really that sure that I can not exploit that vulnerability? There must be some rather strong counter argument that compels you not to install the security patch.
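To make the point of the reply above concrete, here is an added example (not code from the thread or from any particular CMS) of why "I am the only backend user" does not remove the risk: the text that reaches a backend page can come from a link the logged-in admin was tricked into following, not from anything the admin typed on purpose. The page name, the `q` parameter and the link are all constructed for the illustration; the "before" function interpolates the parameter verbatim, the "after" function HTML-encodes it, which is what a backend XSS fix typically amounts to.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed scenario (not from the thread): a backend search page that
# echoes the "q" query parameter into the HTML the logged-in admin sees.
# Whoever crafts the link controls "q", even if only one person can log in.


def render_search_unpatched(query: str) -> str:
    """'Before' version: interpolates untrusted text straight into HTML."""
    return f"<h1>Results for: {query}</h1>"


def render_search_patched(query: str) -> str:
    """'After' version: HTML-encodes untrusted text before it reaches the page."""
    return f"<h1>Results for: {html.escape(query, quote=True)}</h1>"


def query_from_link(url: str) -> str:
    """Return the 'q' parameter from a link the admin might be tricked into clicking."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def contains_active_markup(rendered: str) -> bool:
    """Crude check used only to show the difference between the two renderers:
    does the rendered HTML still contain an unescaped <script ...> tag?"""
    return "<script" in rendered.lower()


# Constructed link: the query string carries markup the admin never wrote.
CRAFTED_LINK = (
    "https://cms.example/admin/search"
    "?q=%3Cscript%3Edocument.title%3D1%3C/script%3E"
)

if __name__ == "__main__":
    q = query_from_link(CRAFTED_LINK)
    print("unpatched:", render_search_unpatched(q))  # markup survives
    print("patched:  ", render_search_patched(q))    # markup is encoded
```

The unpatched renderer emits the script tag from the link into a page served inside the admin's own session; the patched one emits `&lt;script&gt;…` as harmless text. That is the difference the backend update makes, and it applies regardless of how many accounts exist.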
Any update installation will require a finite amount of work – especially if there were custom code changes in the core files and then I have to perform code merges. I’m just trying to minimize work.
As a follow-up second question …
If I had initially built an open-source CMS site for a client (with the client’s knowledge that it is an open-source CMS), and then a year later the CMS has a security update, am I responsible for informing the client of the security update? Or is my job and responsibility done at the time when the site went live?