New research from Maddie Stone, a security researcher at Google, finds that it's far too easy for hackers to keep using zero-day exploits, because tech companies aren't doing a good job of permanently shutting down the flaws and loopholes behind them.
Quoting Stone: “We’re not requiring attackers to come up with all new bug classes, develop brand new exploitation, look at code that has never been researched before. We’re allowing the reuse of lots of different vulnerabilities that we previously knew about.”
Why? Most security teams have limited time and resources, and when incentives are flawed they fix only the specific reported issue, not the larger problem at the root of it.
For hackers, “it’s not hard,” Stone said. “Once you understand a single one of those bugs, you could then just change a few lines and continue to have working zero-days.”
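To make the "change a few lines" point concrete, here is an added example (constructed for this post, not from Stone's research or any real product): a hypothetical file-serving helper with a path traversal bug, the kind of symptom-only patch that blocks just the string in the bug report, and a root-cause fix that checks the canonical result instead. The document root, function names and probe strings are all assumptions.

```python
import posixpath

# Hypothetical document root for the constructed example.
BASE_DIR = "/srv/app/public"


def resolve_unpatched(user_path: str) -> str:
    """Original bug: user input is joined straight onto the document root."""
    return posixpath.normpath(posixpath.join(BASE_DIR, user_path))


def resolve_symptom_patch(user_path: str) -> str:
    """Symptom-only patch: rejects the exact trigger from the bug report.

    This is the 'fix the reported issue, not the root cause' pattern: it
    blocks "../" but leaves every other way to leave BASE_DIR untouched.
    """
    if "../" in user_path:
        raise ValueError("traversal rejected")
    return posixpath.normpath(posixpath.join(BASE_DIR, user_path))


def resolve_root_cause_fix(user_path: str) -> str:
    """Root-cause fix: canonicalize first, then check the result stays inside.

    Whatever the input looks like, the only question is whether the resolved
    path is BASE_DIR or a descendant of it. (A real deployment would also
    realpath() the served directory so symlinks cannot point outside it.)
    """
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, user_path))
    if candidate != BASE_DIR and not candidate.startswith(BASE_DIR + "/"):
        raise ValueError("traversal rejected")
    return candidate


def escapes(resolver, user_path: str) -> bool:
    """True if resolver lets user_path resolve to a file outside BASE_DIR."""
    try:
        resolved = resolver(user_path)
    except ValueError:
        return False
    return resolved != BASE_DIR and not resolved.startswith(BASE_DIR + "/")


# Constructed probes: the reported trigger, two trivial variants of it
# (an absolute path and a bare ".."), and two legitimate requests.
VARIANTS = [
    "../../../etc/passwd",
    "/etc/passwd",
    "..",
    "css/../index.html",
    "index.html",
]


def bypasses(resolver) -> list:
    """Return the probes that still escape BASE_DIR through resolver."""
    return [v for v in VARIANTS if escapes(resolver, v)]


if __name__ == "__main__":
    for name, fn in [
        ("unpatched", resolve_unpatched),
        ("symptom patch", resolve_symptom_patch),
        ("root-cause fix", resolve_root_cause_fix),
    ]:
        print(f"{name:15s} still escaped by: {bypasses(fn)}")
```

The symptom patch stops the string that was reported and nothing else; an attacker who understood the original bug needs to change a handful of characters, not find a new bug class, to get a working variant. The root-cause fix makes the input irrelevant because it decides on the canonical output.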
Why do we care?
This is a data point in the zero trust story – you should not trust your software vendors. Period.
I’m including a link to a piece in Redmond Channel Partner with questions to ask your vendors:
- Do they have someone dedicated to security?
- Is there a clear process for reporting bugs in their code?
- Is there a FAQ (maybe under NDA) about the security operations center?
- Do they have a recent pentest?
What’s not included: you have to keep auditing them on an ongoing basis. It’s not one and done.
Source: MIT Technology Review
Source: Redmond Channel Partner