FREE Training Courses — 100+ Hours of Akka and Reactive Architecture Expertise Get Started
Support
akka

Not all CVE fixes are created equal

Michael Nash CISO, Lightbend, Inc.

Software rarely operates in isolation; it almost always relies on other software. Companies typically construct their applications on platforms built by others.

Though utilizing external software platforms to build your applications has been widely adopted, it does introduce risks. Was the platform developed with security as a first principle? Does it streamline the creation of secure applications, or must you add security layers yourself? In today's business landscape, managing risk involves identifying and minimizing the impact and costs that risk presents.

While you can construct your own platform from scratch or piece one together from freely available components, this approach introduces its own set of risks and costs. You become responsible for maintaining the integration, which can burden your team.

Even if a community supports the elements you choose, relying on them entails risks, as recent events (such as the XZ Utils attack, the phpMyAdmin incident, and many others) have shown. Do you know who's behind the software powering your company's apps? Do they commit to timely fixes, guaranteed to be correct? Can the person fixing the issue verify that no performance regressions have been introduced? Tools exist to help you find vulnerabilities (Akka CVEs) in libraries you depend on, but ultimately, you are responsible. And if vulnerabilities are exploited, the costs, including reputational damage, escalate dramatically.

Addressing a vulnerability entails more than upgrading a dependency; it requires deep platform expertise to ensure the fix doesn't introduce new problems. You want to transfer this risk to a trusted supplier, one who has gone through the effort and expense to validate their practices against international standards, rather than shoulder it alone. A trusted vendor can assume a significant portion of the cost, risk, and responsibility for fixing vulnerabilities. Otherwise, the burden is all yours. Will your supplier indemnify you against IP infringement liability and other legal risks? This is what we provide with Akka.

We build Akka using auditable and verified processes, and with a verified expert team whose sole job is building the world-class foundation for your applications. Our team takes that responsibility seriously, it’s their full-time job, not a hobby.

The context, people, checks, controls, documentation, and compliance surrounding the fix all matter. A lot. Timely and professional support matters as well.

Someone always bears the risk and responsibility. If not your supplier, it's you.

It’s important to remember that not all CVE fixes are equal. Commercially-backed solutions make your costs visible, and take on part of your risk, which is usually not the case with a pure open-source solution. Make sure to consider the total cost of ownership of something you will rely on to run your business.