Talk to any cybersecurity expert or IT security manager, and they’ll tell you they’re sick of alerts and issues. For a while now, the industry has slowly been realizing that there’s a better way to improve cybersecurity and resolve security issues in IT without taking on an issue-by-issue ‘whack-a-mole’ approach.
In fact, I recently read an interesting article by the co-founder of Crash Override, Mark Curphey, regarding exactly this problem in cybersecurity. The piece highlights how our industry has long been stuck in an endless, reactive, threat-by-threat game of ‘whack-a-mole’ that spends all its time on emergencies and nearly no time on the systemic issues that create them – resulting in people who are “drowning in issues and alert fatigue”.
The main problem with the issue-by-issue or CVE-by-CVE approach is that it’s inefficient, repetitive, and risky. After all, not all vulnerabilities are equal: some are severe and need instant action; others are minor but take major effort to patch.
And that’s without considering how tricky managing individual CVEs can be. Take for example CVE-2025-32462: this vulnerability has a CVSS 3 severity score from MITRE of just 2.8 (Low); but when you look at other assessments, like the NIST NVD, it has a severity score of 8.8 (High). Our own security team rated this particular CVE as Ubuntu Priority High.
So, why the difference? Well, it’s due to how hard it can be to assess and triage high-priority items that are sent to you for “immediate prioritization”… only for you to discover the vulnerability has been incorrectly classified, or cannot be fixed by the elements that it points to, or that the severe vulnerability is found in packages that went End of Life several years ago. You can start to see why CVE ratings are sometimes a bit of a ‘chocolate teapot’, to quote a colleague of mine.
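To make the triage problem concrete, here is an added example (not from the original post) that reconciles the disagreeing ratings quoted above for CVE-2025-32462 with the package realities the text mentions (End of Life, no fix available) before deciding what “immediate prioritization” should actually mean. The CVE record structure, the `package_supported` and `fix_available` flags and the 4.0-point disagreement threshold are assumptions for illustration; the only real values are the three ratings the article quotes.

```python
from dataclasses import dataclass

# CVSS v3 qualitative bands: Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0
RANK = {"None": 0, "Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

def cvss_band(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0 else "None"

@dataclass
class CveRecord:
    cve_id: str
    scores: dict            # source name -> CVSS v3 base score
    vendor_priority: str    # the distro vendor's own triage (e.g. Ubuntu Priority)
    package_supported: bool = True  # assumed flag: False when the package is End of Life
    fix_available: bool = True      # assumed flag: False when no fixed build exists yet

def triage(rec: CveRecord, disagreement_gap: float = 4.0) -> dict:
    """Decide an action from all the evidence, not from one headline score.

    Returns {'action', 'plan_as', 'reasons'} so the reasoning is visible
    to whoever picks up the ticket.
    """
    hi, lo = max(rec.scores.values()), min(rec.scores.values())
    reasons = []
    # Plan on the worst of any numeric score and the vendor's own priority.
    plan_as = max(cvss_band(hi), rec.vendor_priority, key=lambda b: RANK.get(b, 0))
    if not rec.package_supported:
        reasons.append("affected package is End of Life: no patch will arrive")
        return {"action": "replace_or_remove", "plan_as": plan_as, "reasons": reasons}
    if not rec.fix_available:
        reasons.append("no fixed build yet: apply mitigations and track")
        return {"action": "mitigate_and_track", "plan_as": plan_as, "reasons": reasons}
    if hi - lo >= disagreement_gap:
        reasons.append(f"sources disagree: {lo} ({cvss_band(lo)}) vs {hi} ({cvss_band(hi)})")
        # A large gap often means a misclassification; a human confirms before the fire drill.
        return {"action": "review_then_patch", "plan_as": plan_as, "reasons": reasons}
    if RANK[plan_as] >= RANK["High"]:
        return {"action": "patch_now", "plan_as": plan_as, "reasons": reasons}
    return {"action": "schedule", "plan_as": plan_as, "reasons": reasons}

# The three ratings the article quotes for CVE-2025-32462; the package flags are assumed defaults.
EXAMPLE = CveRecord("CVE-2025-32462", {"MITRE": 2.8, "NIST NVD": 8.8}, "High")

if __name__ == "__main__":
    print(triage(EXAMPLE))
```

For the quoted CVE the result is `review_then_patch`, planned as High: the 6-point gap between sources is itself the signal that the record needs a human before anyone drops everything.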
Thankfully, there are better approaches to cybersecurity than whack-a-mole. In his piece, Mark recommends moving from targeting the ‘moles’ (security issues that pop up unexpectedly) to addressing the ‘insects’ (the systemic causes which attract the ‘moles’). This is what he calls “security insecticide”: building a proactive landscape through better security fundamentals, common libraries, and foundational controls – essentially, applying “insecticide” to eliminate underlying ‘grubs’ which brought the ‘moles’ to your ‘garden’ in the first place.
The logic is simple: tackle the grubs, and you tackle the moles.
We’ve seen the formalization of this approach lead to some fantastic results. For example, Microsoft’s “Patch Tuesday” elevated the security landscape, transforming end-user patching chaos into a strategic and consistent upstream operation. Now users can pull version updates in a controlled, effective, and timely manner, instead of receiving dozens of patches a week in a programme that just interrupts work and makes users unhappy. I mean, imagine needing to immediately apply patches every time something was fixed on every bit of software you use?
Even in container security, teams are moving away from constantly patching individual workloads to instead reducing the patching burden of their builds. Their new approach involves using trusted “gold images” from managed container registries that shift control upstream for greater consistency and reduced patching burdens. And in our own work at Canonical and on Ubuntu, we’ve been building a solid foundation that both addresses CVEs and creates a more secure environment and architecture that reduces the impact or prevalence of CVEs in the first place. For example, Ubuntu Pro entered general availability in 2023, and now extends its security maintenance across our product portfolio – alongside the introduction of things like AppArmor, better authentication through authd, and more, which all make the stack more secure.
However, there’s just one problem with the cyber insecticide analogy. Mark correctly identifies the limitations of Application Security Posture Management as not going far enough – but I’d say this criticism applies to the ‘cyber insecticide’ model as well. We need something more. Let me explain.
Let’s continue this analogy of moles and insects and think about the average garden: it’s made up of many kinds of plants, diverse soil types, and lots of different critters. Dealing with this complex environment is no simple task, even with ‘root-level, systemic methods’.
For example, you wouldn’t use the same spray for rootworm as you would for aphids – or maybe insecticide is not an option at all (if you don’t want to hurt the bees or butterflies that pollinate your garden!). Also, your plants aren’t threatened by moles or insects only: they’re also at risk from birds, invasive plants, or voles (which eat roots, not bugs). There’s also the end product to consider: if your garden or produce is soaked in so much insecticide that things can’t grow, what’s the point?
Let’s break down the many issues with the cyber insecticide approach.
Security efforts can affect the entire environment, causing friction and unwanted user/developer behaviour.
Efforts that are too broad can be too diluted to catch specific threats that require individual action.
Focusing only on foundational security risks missing threats that aren’t linked to IT (such as social engineering, bad organizational processes, etc.).
Think of things like fertilizer, irrigation, and soil health – simply applying insecticide does nothing to fix those issues. In the same way, in cybersecurity, better security isn’t just about focusing on threats or improving the robustness of your codebase and systems; it is also about facilitating faster development, new tool experimentation, and innovative practices.
High friction in security requirements can create inflexible products and stifle innovation.
Critical and high-severity vulnerabilities will always pop up and need immediate fixes – especially as new and entirely unpredictable attack methods are discovered.
Let’s go back to our primary analogy for a second, to talk about how professional farmers approach problems in their field (literally).
Farmers know that a great garden is more than just insect management. That’s why they look holistically at agriculture across multiple factors – such as soil composition, micronutrients, environmental factors, and so on – to have healthier gardens that grow more crops. This complex approach is called agronomy, and I feel that it’s a more applicable analogy for cybersecurity.
This is because agronomy also understands that a field isn’t a monolith, but rather a complex ecosystem of pH levels, soil types, nutrient content, and water content. It uses a complex array of techniques and tools (for example, GPS, land mapping, pH testing, and soil water content analysis) to significantly increase yields while reducing inputs.
For example, foliar Nitrogen-Phosphorus-Potassium (NPK) fertilizer application is good, but attending to the micronutrient profile of the soil and the demands of the plants is better: in controlled tests, the application of Zinc, Boron, Magnesium, and Sulphur (Zn-B-Mg-S) micronutrients increased yields by 0.5 to 1.8 tonnes per hectare, compared to simple NPK-only regimens.
Agronomy doesn’t just improve yields, or save farmers money, or prevent some crops suffering from fertilizer burn or overwatering – it also improves the health and sustainability of the land itself, reducing the impact of fertilizer, insecticide, herbicide, and so on, on the environment.
‘Cyber agronomy’ copies its agricultural cousin by being a smarter, risk-focused, holistic, and systematic approach to security. It’s about thinking vertically and horizontally, understanding the intricate dependencies within your digital ecosystem, to look beyond merely reducing the impact of CVEs and create an operational environment that truly supports innovative, experimental, and sustainable practices.
It’s certainly more work, and it requires a much broader scope. But the outcome is absolutely worth it: a secure environment that fosters growth and innovation, rather than one that’s borderline sterile from overapplication of security ‘chemicals’. It’s about achieving a security posture that’s not just compliant, but truly resilient and enabling.
Doubling down on fundamentals is still critical. None of this blog is intended to diminish the importance of ‘insecticide’ as a system deterrent to attacks or other cyber incidents.
Vulnerabilities are like death and taxes. There will be times when the most effective course of action is just whacking moles for a day.
Farmers don’t have infinite money or time, and cybersecurity is the same. Having zero vulnerabilities is impossible, so your work is all about balancing risks against resources. A solid risk assessment process will help you define what sorts of hammers, insecticides, and fertilizer you need for maximum yield – without stretching everything to breaking point.
You don’t want to deal with 1000 moles that each need a special hammer. Similarly, you don’t want dozens of different operational or development environments where special tools or approaches are needed to fix simple problems. Therefore, your focus should be on reducing operational complexity by using repeatable base builds (such as charms), setting common standards for hardware, software, and services, and sourcing all packages from a single, verified vendor (ideally through your OS). Remember, every unique component makes your systems more complex and time-consuming to maintain.
Security is everyone’s responsibility, and AppSec isn’t just a bunch of security configurations. Any organization that’s serious about cybersecurity and compliance should have robust, comprehensive, company-wide training that makes cybersecurity a part of everyone’s job. At Canonical, we’ve created a comprehensive white paper to help you handle open source vulnerability management and improve your security posture.
At its heart, a CVE-by-CVE game of whack-a-mole is unsustainable. As the original article demonstrates, traditional issue-by-issue approaches are just not healthy for security teams with complex systems to manage long term and around the clock – and ‘cyber insecticide’ is a rallying call to a better way that looks at treating causes, rather than symptoms. However, I feel that ‘cyber agronomy’ could be the new gold standard: a new, complex, holistic, and scientific approach that thinks beyond both insecticide and whack-a-mole to deeply improve cybersecurity in every facet of our work (while still understanding that, sometimes, you still need to just spend a day whacking moles).