In the beginning, software vendors thought that they could handle security vulnerabilities the same way they handle ordinary software bugs, through their regular support process. Unfortunately, it's not so easy. Software security vulnerabilities are not like other software defects. Vulnerabilities have a timeline, and they are not simply triggered by random user events.
Once attackers know how to exploit a vulnerability, they will actively attack vulnerable computers until it is patched. This “window of vulnerability” has gotten smaller with auto-update and patch-management solutions, but attackers have also gotten quicker at delivering new exploits with toolkits and bot networks. Having a window of vulnerability at all, however, is the problem.
The software industry's manufacturing process is very different from the one used by other high-tech industries such as semiconductors or aircraft engines, which strive for six sigma, or 3.4 defects per one million opportunities. The profitability of the software industry has benefited in the past from its ability to quickly release imperfect software and to fix the biggest problems later in the field. Now everything has changed, with the knowledge that motivated attackers can find and exploit software security vulnerabilities before they are patched. "Ship, pray and patch," as a development methodology, is dead.