Today, my manager forwarded me this article about several zero-day CVEs discovered in CyberArk and HashiCorp products. After some time spent researching online, I confirmed that both brands have fixed these CVEs by releasing updated versions!!

[Image: CVE resolved]

I’m not surprised that these two big corporations acted quickly and fixed the vulnerabilities; both are well-known and reliable!
This event gave me an excuse to write this article and respond to two of the most common questions I get from my customers whenever I share news about a new release of a secrets manager:

  • Do I have to update my environment?
  • What changes in this release make the upgrade worthwhile?

In my mind, the answer is always the same: “Do you care about having your company’s main secrets repository protected in the best possible way?”

As I have already written on this blog, CVEs are an inevitable “feature” of every piece of software over time. Initially, there are none, but as time goes on, CVEs accumulate, whether zero-day or of low, medium, or high severity. This is not an opinion; it’s a fact based on how software works.

I understand that it may not be possible to follow every vendor upgrade, but please, the next time your consultant or vendor notifies you about an available update, remember how important that software is for your company. A zero-day CVE could be critical for a secrets manager, while far less so for software like GIMP.

Here are some useful tips to stay proactive if your consultant or vendor isn’t as responsive as I am: