So one thing to ask yourself is whether your organization can handle the discovery (or public release) of an entirely new bug class. For example, when format string bugs became known, people adjusted their source code analysis tools, their software development lifecycles including their COMPILERS, their inventory systems, and their entire understanding of classes of vulnerabilities. Not to mention all the offensive teams that need to jump on this sort of thing.
We talk often about how private entities know of more bug classes than you do. But few people have any level of preparation for when the next bug in libc comes out.
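As an added illustration of the point above (this is example code, not from the original post), here is the format string bug class in miniature: the vulnerable idiom beside its hardened form, the kind of heuristic a source-analysis tool or audit grep applies, and a retrofit mitigation for legacy call sites. The sample inputs are constructed; the function names are my own. It also shows why the class stayed hidden for so long: with benign input the vulnerable and safe versions behave identically.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable idiom: caller-supplied text is used as the format string itself.
 * With benign input it behaves exactly like the safe version below; a '%' in
 * the input changes its meaning entirely. GCC and Clang now flag this pattern
 * with -Wformat-security, one of the compiler adjustments the post refers to. */
static int log_line_vulnerable(char *out, size_t outsz, const char *text)
{
    return snprintf(out, outsz, text);     /* format comes from data: the bug */
}

/* Hardened idiom: constant format, the input is only ever an argument. */
static int log_line_safe(char *out, size_t outsz, const char *text)
{
    return snprintf(out, outsz, "%s", text);
}

/* Detection heuristic for an audit of existing code paths: a string that is
 * about to be used as a format but carries a conversion character. */
static int looks_like_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

/* Retrofit mitigation for legacy call sites that cannot be changed to a
 * literal format: neutralise every '%' by doubling it so it prints literally.
 * Returns the number of characters written (excluding NUL), or -1 if out is
 * too small to hold the escaped result. */
static int escape_percent(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    for (const char *p = in; *p; p++) {
        size_t need = (*p == '%') ? 2 : 1;
        if (n + need + 1 > outsz)          /* +1 for the terminating NUL */
            return -1;
        if (*p == '%')
            out[n++] = '%';
        out[n++] = *p;
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[64], esc[64];
    const char *benign  = "user logged in";   /* constructed sample input */
    const char *hostile = "100% done";        /* constructed: carries a '%' */

    log_line_vulnerable(buf, sizeof buf, benign);
    printf("vulnerable idiom, benign input : %s\n", buf);
    log_line_safe(buf, sizeof buf, hostile);
    printf("safe idiom, '%%' in input      : %s\n", buf);
    printf("audit flag on hostile input    : %d\n", looks_like_directive(hostile));
    escape_percent(hostile, esc, sizeof esc);
    printf("escaped for a legacy call site : %s\n", esc);
    return 0;
}
```

The vulnerable function is only ever exercised with benign input here; the point is that nothing in its output distinguishes it from the safe one until a directive arrives, which is exactly what made the class invisible to tooling before analysers and compilers were taught to look for a non-literal format.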