“Most attacks exploit known vulnerabilities — where a patch has often been available for months, if not years.”
Reusable code means reusable exploits
Most of the world’s software is now assembled from reusable open source components, yet open source continues to be a major source of risk. In fact, more than 8,000 new vulnerabilities were disclosed in open source components last year, according to IBM.
Vulnerabilities are extensively described in public forums, vulnerability databases, and even YouTube videos — providing cyberattackers with a clear roadmap to attack critical systems and devices.
Public vulnerabilities also provide a large and global attack surface for cyberattackers, making them a juicier target than finding zero-days in custom applications.
CLEAN CODE REQUIRES CONSTANT VIGILANCE
Keeping your code free of publicly-disclosed vulnerabilities is a major challenge.
Vulnerability information is community-maintained and often inaccurate or incomplete. Many teams don’t track which components they’re using, let alone their versions. And components are often haphazardly patched without updating version numbers — making it even more difficult to know which vulnerabilities apply specifically to your product.
Worst of all, not all vulnerabilities are reported to a central clearinghouse. This means you're constantly monitoring community databases, mailing lists and other channels to make sure you don't miss any new disclosures.
“The recent explosion of Internet-enabled devices ... has led to a huge increase in the number of CVE requests we have been receiving on a daily basis”
MITRE Common Vulnerabilities & Exposures (CVE), April 2016