There are different types of security vulnerabilities in every product, and I stress, every product.
- Those that no one discovered yet
- Those that have been discovered quietly, the world does not know about and
- no one has exploited yet, or
- someone is quietly exploiting them as we speak
- Those that the vendor knows about and has not yet made the patch available (for any number of reasons)
- Those for which the patch exists, but the users have not applied it (for any number of reasons)
My point is there is no such thing as defect/bug/vulnerability free software.
It’s a vendor's responsibility to find the best possible balance between the cost of the solution and the value it provides to the customers, minus the risk of harm it can cause.
A lot has been written about Zero-Defect Software, and while the intent is certainly nobel, organizations that solely focus on this, are missing the point.
- This blog about Zero-Defect Software concept written through the eyes of QA lead (Nyall Lynch), applies equally well to dealing with security defects, commonly referred to as vulnerabilities.
The key question Product Managers need to answer: "What level of risk, given the nature of our product and its application, is acceptable" for us as a vendor. In other words: "Is our build secure enough to ship?"
As well, responsible vendor will ensure the product releases already in customer hands remain secure enough for continued use until these releases reach the end of communicated maintenance window.
In Part 2 I will share some practices that can help large scale enterprise software vendors to continue delivering value in the face of growing uncertainty about product security risks.
