Most Application Vulnerabilities are "Forever Day" Vulnerabilities

April 16, 2012 By Tim OBrien


Zero Day threats are the kinds of things that keep security people up at night. The idea behind a zero day threat is that no one, the vendor included, knows about a particular vulnerability until it is being exploited.

This Ars Technica article captures a new term: "Forever Day", a vulnerability that the software or hardware vendor has identified but will never fix. Maybe the product is reaching end-of-life, or maybe no one is paying attention. Here's a quote from the article that resonates with some of what we've been saying about application security:

"They're just not going to get patched," said Terry McCorkle, an independent security researcher who specializes in ICS devices used to control equipment on factory floors, dams, and in other industrial settings. "The big question is how many of their clients are actually set up to take those advisories and take action upon them?"

We mentioned this last week: unless you pay attention to security, you are essentially living with "Forever Day" vulnerabilities in production. The alternative would be to start paying attention, download Nexus Professional 2.0, and keep track of known vulnerabilities.

Note: This post references our Security Feed. We maintain a feed of security stories relevant to developers which is isolated from our main blog feed. If you are interested in getting the full feed, read it here.

Tags: Sonatype Says, security-summary

Written by Tim OBrien

Tim is a Software Architect with experience in all aspects of software development, from project inception to developing scalable production architectures for large-scale systems during critical, high-risk events such as Black Friday. He has helped many organizations, ranging from small startups to Fortune 100 companies, take a more strategic approach to adopting and evaluating technology and managing the risks associated with change.