
Comments: 2 zero-day vulnerabilities reported by Apple: Hackers can compromise fully patched devices – Synopsys

Comments by: Jonathan Knudsen, Senior Security Strategist at Synopsys Software Integrity Group

Recent zero-day vulnerabilities in Apple’s iOS are a stark reminder of the complexity of software security. 

First, software is made of many smaller pieces, which are often open source components. In the case of iOS, the vulnerable component was WebKit. Most software products have hundreds, sometimes thousands, of open source components. The security of the whole product is only as good as the security of the components, so it is critically important to understand which components have been used and keep them up to date as vulnerabilities bubble to the surface. 

Second, handling arbitrary input is always a challenge. While developer training and awareness can help, the very best defence against unexpected and badly formed input is fuzzing during product development. Fuzzing is an automated testing tool that delivers thousands or millions of test cases to a piece of software or a software component. When fuzzing causes a failure, the test case can be reproduced so that developers can fix the vulnerability. Incorporated as part of a secure development life cycle, fuzzing helps teams squash zero-day vulnerabilities before software is distributed to customers.
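To make the fuzz-then-reproduce loop described above concrete, here is an added example that is not code from Synopsys or from the commentary: a minimal mutation fuzzer in Python driving a constructed toy record parser with a deliberately planted bounds bug. The parser, the seed corpus and the mutator are all assumptions for illustration; the points it shows are that a clean rejection (ValueError) is not a finding while any other exception is, and that a fixed random seed plus the saved failing input let a developer replay the exact crash.

```python
import random
def parse_record(data: bytes) -> dict:
    """Constructed toy parser for [len][payload...][checksum]. Malformed input
    should raise ValueError, but an oversized len hits an unchecked index."""
    if len(data) < 2:
        raise ValueError("too short")
    n = data[0]
    payload = data[1:1 + n]
    checksum = data[1 + n]  # planted bug: IndexError when n overruns the buffer
    if sum(payload) % 256 != checksum:
        raise ValueError("bad checksum")
    return {"len": n, "payload": bytes(payload)}

SEEDS = [bytes([3]) + b"abc" + bytes([38])]  # seed corpus: one well-formed record

def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random edit: overwrite a byte, insert a byte, or delete a byte."""
    buf = bytearray(data)
    op = rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)

def run_one(data: bytes):
    try:
        parse_record(data)
    except ValueError:
        return None  # rejecting bad input with ValueError is the intended path
    except Exception as exc:  # any other exception type is a failure to report
        return exc
    return None  # accepted input is not a finding either

def fuzz(seeds, iterations: int, seed: int = 1):
    """Mutate seeds until the target fails; return the failing case for replay."""
    rng = random.Random(seed)  # fixed seed makes the whole run reproducible
    for i in range(iterations):
        case = mutate(rng, rng.choice(seeds))
        exc = run_one(case)
        if exc is not None:
            return {"iteration": i, "input": case, "error": type(exc).__name__}
    return None

def reproduce(case: bytes):
    """Replay a saved failing input; returns the crash type, or None once fixed."""
    exc = run_one(case)
    return None if exc is None else type(exc).__name__
```

Real fuzzers add coverage feedback and run millions of cases, but the workflow is the same: save the crashing input, replay it deterministically, and keep it as a regression test after the fix.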
