Zero-day de-mystified » Computer internet security 
Zero-day de-mystified

Sunday, September 24, 2006, 12:49
Posted in the Computer security Systems category.

Zero-day has become a buzzword. A zero-day vulnerability is an unknown vulnerability, i.e. one that vendors and customers are not aware of on the day it is made public.

Let us play out two scenarios: 1. what zero-day means to you as a software vendor, and 2. what zero-day means to you as a software customer.

1. As a vendor you can't always worry about unknown vulnerabilities, but what you can do is operate with due care. Penetration test your software before you ship it. You must have a clear policy for handling vulnerabilities in two areas. Incident Management: how do you handle the vulnerability, from identification through to remediation? Customer Communication: how do you notify customers about the vulnerability? If you find a vulnerability, notify your customers and make a patch available in a reasonable amount of time; never keep customers in the dark.

2. As a customer you can't worry about vulnerabilities that you don't even know about, but what you can do is operate with due diligence. Before you purchase software from a vendor, evaluate their security. When you buy software, include a clause about vulnerability disclosure. Proactively track your vendor's vulnerability bulletins. You need to have procedures for patch management; automate patch management if it makes sense. Ensure that the company as a whole has a good security posture, which means a vulnerability in one software component does not pose a threat to the whole enterprise.

Zero-day is about the unknown; you can't lose sleep over it. It is just another vulnerability, as long as you are prepared!

(I would like to thank Mike Fratto, mfratto@secureenterprisemag.com for providing me food for thought on zero-day)
