A couple of days ago Cisco announced a vulnerability in some of their NetFlow appliances. The vulnerability itself was not especially grave: an error in processing certain SCTP packets could be abused to remotely hang or reboot the appliance. The SCTP protocol is not widely used, and that is, most likely, one of the reasons why such a vulnerability stayed undetected for a long time.
Anyhow, the vulnerability cannot be classified as severe since it does not involve remote access or data disclosure, but it can only be abused for Denial of Service (in this case, affecting network monitoring infrastructure). Furthermore, it has already been patched — that is, a software update has been released by the vendor.
We are going to use this event, though, as an opportunity to highlight an advantage inherent in SaaS solutions over hardware or virtualized appliances. This applies, of course, to network visibility, but can be generalized to other systems.
You can think of vulnerabilities as small defects in the design of a product which can be abused by an attacker to cause an unwanted behavior (be it to hang the software thus causing a denial of service, to obtain unauthorised remote access, or to increase access beyond the intended authority).
Every piece of software will inevitably incorporate errors and, therefore, vulnerabilities. Even if engineers in a company could write perfect, defect-free software (which is never the case!) the software they produce will build on libraries (software components that implement commonly used functions, and which engineers can build upon when writing new code), and will run on an operating system which contains millions of lines of code.
Even if the engineers of a vendor could revise all that underlying code (which they could theoretically do, for example, if all components their software runs on were open source), products end up running on hardware that can also enable attack vectors (e.g., rowhammer) due to issues in their design or manufacturing processes.
Long story short, no product is defect-free. As a consequence, every company must treat any component they deploy and manage internally, especially Internet-facing products, as a potential source of security headaches. Therefore, they must have teams that closely track security advisories and in reaction install upgrades with varying degrees of urgency.
Estimating the Total Cost of Ownership (TCO) of a product is quite hard. For example, can you quantify the cost of retaining the in-house expertise to keep the product running? How much is it going to cost to replace the engineer who set it up if he leaves your team?
More in connection with this post: how much will it cost to have the engineering team keep tabs on any security announcements? How much will it cost if the team misses an upgrade and an attacker finds out?
In a SaaS solution, the cost is clear from the get-go, including these costs stemming from security maintenance actions which are handled by the vendor.