Life Cycle of a Security Bug

bug crashes computer, Dahlgren, VA, 1947

Unlike members of the insect family, computer software bugs live forever. Software security bugs (well, flaws) are especially troubling since they demand respect from every software developer now and forever. We want to believe we can “eradicate” software flaws through reviews, testing, and vigilance. Eradication is a myth. A flaw’s spores simply go dormant to await the right conditions.

To keep things simple, software flaws usually follow one of two lifecycles: the patch cycle or the exploit cycle.

The Patch Cycle

  1. We deploy and use the software.
  2. Someone finds a flaw in it.
  3. The developer develops and publishes a patch to fix the flaw.
  4. Being careful computer users, we promptly patch our software.
  5. Someone develop a way to exploit the flaw.
  6. Cybercriminals use the exploit as an attack vector to penetrate vulnerable computers.
  7. Commentators shake their heads at the users who failed to patch.

The Exploit Cycle

  1. We deploy and use the software.
  2. Someone finds a flaw in it.
  3. Someone develops a way to exploit the flaw.
  4. Cybercriminals use the exploit as an attack vector to penetrate vulnerable computers.
  5. The developer develops and publishes a patch to fix the flaw.
  6. Being careful computer users, we patch our software.
  7. Commentators shake their heads about lax vendor quality control.

In fact, we infer these cycles piecemeal. We hear from victims, vendors, and occasionally from cybercriminals. The cybersecurity community has developed an elaborate process to identify, classify, and track vulnerabilities.

We identify and track vulnerabilities but we can’t reliably track how they are used in exploits. Security researchers have made good use of available numbers to infer a few useful results. They used these statistics:

  • Reports of vulnerabilities
  • Reports of attacks detected using those vulnerabilities

So our data is limited to known vulnerabilities.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.