undefined | Better HN

0 pointsawesome_dude1mo ago0 comments

I think, to add to the comment, the whole raison d'être of zero days is that an (exploitable) bug has been found that the producer of the software is not aware of/has not produced a patch for.

It's fine to say "Look this is bad, don't do" and "A patch was issued for this, you are responsible" but when some set of circumstances arises that has not been thought about before that cause a problem, then there's nothing that could have been done to stop it.

Note that the entire QA industry is explicitly geared to try and look at software being produced in a way that nobody else has thought to, in order to find if that software still behaves "correctly", and <some colour of hat> hackers are an extension of that - people looking at software in a way that developers and QA did not think of.. etc

0 comments

Nextgrid1mo ago

Defense in depth and multiple layers of security should ideally protect against zero-days; see the Swiss cheese model of accidents for an example; most aviation accidents are rarely caused by a single factor but an improbable combination of factors.

This is why I also think “zero trust” and internet-accessible SaaS has done so much damage to the industry. Before, if your version control server has a vuln, the attackers still need to get on your VPN to even be able to scan for that vuln. Now, your version control server is on the internet and/or is an SaaS and all it takes is an exploit or a set of phished credentials for anyone anywhere in the world to get in.

awesome_dudeOP1mo ago

> Defense in depth and multiple layers of security should ideally protect against zero-days

Absolutely agree, and that's why instant security in a can (just add water!) cannot work (as you have been saying)

j / k navigate · click thread line to collapse