Zero-day de-mystified
Sunday, September 24, 2006, 12:49
This news item was posted in Computer security Systems category and has 0 Comments so far.

Zero-day is a viral term. A zero-day vulnerability is an unknown vulnerability, i.e. one that neither the vendor nor its customers are aware of on the day it is made public.

Let us play out two scenarios: 1. what zero-day means to you as a software vendor, and 2. what zero-day means to you as a software customer.

1. As a vendor you can't always worry about unknown vulnerabilities, but what you can do is operate with due care. Penetration test your software before you ship it. You must have a clear policy for handling vulnerabilities in two areas: Incident Management - how do you handle the vulnerability, from identification through to remediation? Customer Communication - how do you notify customers about the vulnerability? If you find a vulnerability, notify your customers and make a patch available in a reasonable amount of time; never keep customers in the dark.

2. As a customer you can't worry about vulnerabilities you don't even know about, but what you can do is operate with due diligence. Before you purchase software from a vendor, evaluate their security. When you buy software, include a clause about vulnerability disclosure in the contract. Pro-actively track your vendor's vulnerability bulletins. You need to have procedures for patch management - automate patch management if it makes sense. Ensure that the company as a whole has a good security posture, which means a vulnerability in one software component does not pose a threat to the whole enterprise.
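The customer-side steps above (track the vendor's bulletins, have a patch-management procedure, know which hosts are exposed) can be turned into a small reconciliation check. The following is an added example, not code from the original post: it takes a vendor bulletin and a software inventory and lists every host still running a version older than the one that carries the fix. All data is constructed; ExampleVendor, the product names and the advisory ids are placeholders, and versions are assumed to be dotted integers.

```python
# Added example (not from the original post): reconcile a vendor's
# vulnerability bulletin with a software inventory so unpatched components
# can be found and handed to the patch-management procedure. All bulletin
# and inventory data below is constructed; ExampleVendor, the product names
# and the advisory ids are placeholders, not real identifiers.

from typing import Dict, List, Tuple

# Constructed vendor bulletin: each entry names the product and the first
# version that contains the fix.
BULLETIN: List[Dict[str, str]] = [
    {"id": "EXAMPLE-ADV-001", "vendor": "ExampleVendor",
     "product": "WebServer", "fixed_in": "2.4.10"},
    {"id": "EXAMPLE-ADV-002", "vendor": "ExampleVendor",
     "product": "MailGateway", "fixed_in": "1.3"},
]

# Constructed inventory: what is actually installed on each host.
INVENTORY: List[Dict[str, str]] = [
    {"host": "web01", "vendor": "ExampleVendor", "product": "WebServer", "version": "2.4.9"},
    {"host": "web02", "vendor": "ExampleVendor", "product": "WebServer", "version": "2.4.10"},
    {"host": "mail01", "vendor": "ExampleVendor", "product": "MailGateway", "version": "1.2.7"},
    {"host": "mail02", "vendor": "ExampleVendor", "product": "MailGateway", "version": "1.3.0"},
    {"host": "db01", "vendor": "OtherVendor", "product": "Database", "version": "9.1"},
]


def version_key(version: str, width: int = 4) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a fixed-width tuple so that
    "1.3" and "1.3.0" compare equal and "2.4.9" < "2.4.10" (plain string
    comparison gets the latter wrong). Assumes dotted integer components."""
    parts = tuple(int(p) for p in version.split("."))
    if len(parts) > width:
        raise ValueError(f"version {version!r} has more than {width} components")
    return parts + (0,) * (width - len(parts))


def is_unpatched(installed: str, fixed_in: str) -> bool:
    """True when the installed version predates the version carrying the fix."""
    return version_key(installed) < version_key(fixed_in)


def find_unpatched(bulletin: List[Dict[str, str]],
                   inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Cross-reference every bulletin entry against the inventory and return
    one finding per (host, advisory) that still needs the patch."""
    findings = []
    for advisory in bulletin:
        for item in inventory:
            same_product = (item["vendor"], item["product"]) == \
                           (advisory["vendor"], advisory["product"])
            if same_product and is_unpatched(item["version"], advisory["fixed_in"]):
                findings.append({
                    "host": item["host"],
                    "advisory": advisory["id"],
                    "product": item["product"],
                    "installed": item["version"],
                    "fixed_in": advisory["fixed_in"],
                })
    return findings


def patch_report(bulletin: List[Dict[str, str]],
                 inventory: List[Dict[str, str]]) -> str:
    """Human-readable summary suitable for a patch-management ticket."""
    lines = [
        f"{f['host']}: {f['product']} {f['installed']} -> upgrade to "
        f"{f['fixed_in']} ({f['advisory']})"
        for f in find_unpatched(bulletin, inventory)
    ]
    if not lines:
        return "all inventoried components are at or above the fixed version"
    return "\n".join(lines)


if __name__ == "__main__":
    print(patch_report(BULLETIN, INVENTORY))
```

In practice the bulletin would be fetched from the vendor's feed and the inventory from whatever asset database the organisation keeps; the point of the example is the version comparison, which is where ad-hoc scripts usually go wrong (treating "2.4.9" as newer than "2.4.10", or "1.3" as different from "1.3.0").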

Zero-day is about the unknown - you can't lose sleep over it. It is yet another vulnerability as long as you are prepared!

(I would like to thank Mike Fratto, mfratto@secureenterprisemag.com for providing me food for thought on zero-day)
