security metaphysics: when is a vuln a vuln

Reading articles like this one from Krebs, about a firm preparing to release a slew of previously undisclosed vulnerabilities, stokes a few latent thoughts of mine which I’ve probably expressed quietly on Twitter (or even here, and I don’t remember it).

First, it is naive to think the only vulnerabilities that exist are those that are found and publicly disclosed.* There are people who find and sit on their vulns, and I’m not just referring to black hats or gov’t espionage/cyberwarfare players who want to keep their attacks as secret as possible (or their condoned backdoors [coughskypecough]). Even white hat hackers who find a vuln and responsibly report it may be sitting on a very important finding for a long time. Maybe the bugs get fixed, maybe not. Hopefully they do eventually get disclosed. Who knows how many vulns a group like iDefense is sitting on!

Second, any vulnerability found and/or disclosed today has existed since it was born, either in the current version of a product or when the underlying code was first written. This includes vulns that haven’t even been found yet. Tomorrow’s Windows root is a Windows root that may have existed for 8 years. Kind of sobering, that thought.

Third, this is why checklist styles of vulnerability management are usually backwards-looking; they look for things that are already known. Some items, like “turn off service X when not in use,” are a little different, but auditing for patches certainly is backwards-looking. I’m not saying there is no value in audits like that, but they should not be confused with the ability to say a server is secure. It just means we are patched against known issues and have taken some steps to mitigate future risk…

I’d chalk the first two up on a list of “security laws” that help define an approach to digital security, right up next to other “laws” like, “You will be breached.” A fundamental baseline of belief, mind you…

* A tangential discussion can break out on this topic around Apple fanboys, or even the fact that Apple positions its Mac product line (OS and devices) as premium products (i.e. they don’t have to price-match, among other characteristics). Is the Mac target demographic the type of demographic that wants to patch every month? Or even admit their product has a flaw?