A few days ago I was having a conversation with a customer I’ve known for a number of years when the subject of recent big-name vulnerabilities came up: Shellshock, Heartbleed, Venom and, most recently, the Diffie-Hellman 512-Bit Export Key issue. We were discussing the challenge these items present to both vendors and customers because numerous hardware and software elements contained versions of the vulnerable software. As our conversation progressed, a theme began to emerge: the problem for customers primarily rests in the fact that these portions of the security stack are often acting as compensating controls for some other issue that can’t be fixed yet, or fixed at all. Too often these were compensating for a lack of budget, time or capability inherited from the original technology causing the problem.