Most Application Vulnerabilities are “Forever Day” Vulnerabilities


April 16, 2012 By Tim O'Brien

Zero Day threats are the kinds of things that keep security people up at night. The idea behind a zero day threat is that no one knows about a particular vulnerability until it happens.

This Ars Technica article captures a new term: “Forever Day”. Software and hardware developers that identify vulnerabilities but fail to fix them. Maybe a product is reaching end-of-life, or maybe no one is paying attention. Here’s a quote from the article that resonates with some of what we’ve been saying about application security:

“They’re just not going to get patched,” said Terry McCorkle, an independent security researcher who specializes in ICS devices used to control equipment on factory floors, dams, and in other industrial settings. “The big question is how many of their clients are actually set up to take those advisories and take action upon them?”

We mentioned this last week: unless you pay attention to security, you are essentially living with “Forever Day” exploits in production. The alternative would be to start paying attention, Download Nexus Professional 2.0, and keep track of known vulnerabilities.

Note: This post references our Security Feed. We maintain a feed of security stories relevant to developers which is isolated from our main blog feed. If you are interested in getting the full feed, read it here.