
I refer to the Log4j logging framework vulnerability - Source: https://www.wired.com/story/log4j-flaw-hacking-internet/

Since software vulnerabilities are an inevitable part of life, and speed is of the essence when it comes to patching them, other than adopting a reactive posture, i.e., patching (patch availability depends on the vendor), how can end users proactively manage these risks?

I understand that there is the Minimum Viable Secure Product, or simply MVSP, a concise, checks-based security baseline that is available here: https://mvsp.dev/ However, this is still largely limited to controls.

If one has very stringent security requirements, does the use of code fuzzing tools on all third-party software components/dependencies prior to introducing them into one's environment help in proactively reducing these zero-day vulnerabilities?

  • I think the question is not a good fit for this site because it will lead to primarily opinion based answers - which is explicitly out of focus here. Also as usual more security is not free, it comes with costs in terms of money, usability loss, efficiency loss ... And what is acceptable to somebody depends a lot on the personal threats and risks. The general answer is though to prepare for software not being flawless, i.e. have a layered defense which does not break when a single point is insecure, limit what potentially vulnerable software could do, be able to recover after a compromise. – Steffen Ullrich Dec 12 '21 at 10:34
  • Fuzzing is hardly a cure-all. Fuzzing is merely one form of test. If your question is simply "can testing help identify vulnerabilities?" then the answer is "of course". – schroeder Dec 12 '21 at 10:56
  • Isn't this a copy of your other question? https://security.stackexchange.com/questions/243575/how-does-one-defend-against-software-supply-chain-attacks – schroeder Dec 12 '21 at 11:38
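The question asks whether fuzzing third-party components before deployment helps, and a comment above notes that fuzzing is merely one form of test. The following is an added example, not code from the question or the comments: a minimal mutation-based fuzz harness in Python, run against a small hypothetical length-prefixed record parser constructed for this example. The parser is shown twice, once with a deliberate defect (trusting the length bytes) and once hardened, so the harness can demonstrate what fuzzing observes (uncaught exceptions on malformed input) and what it reports once a component validates its input and rejects it with a documented error. The format, the parsers, the seed input and the function names are all assumptions made for this illustration.

```python
import random
from typing import Callable, Dict, List, Tuple

# Hypothetical record format, constructed for this example:
#   byte 0      = number of records
#   per record  = one length byte, then that many payload bytes


def parse_tlv(data: bytes) -> List[bytes]:
    """Deliberately defective parser: it trusts the count and length bytes,
    so a truncated or oversized record indexes past the buffer (IndexError)."""
    count = data[0]
    pos = 1
    records: List[bytes] = []
    for _ in range(count):
        length = data[pos]
        pos += 1
        # element-wise indexing raises instead of silently slicing short
        records.append(bytes(data[pos + i] for i in range(length)))
        pos += length
    return records


def parse_tlv_safe(data: bytes) -> List[bytes]:
    """Hardened parser: every length is checked against the remaining input,
    and malformed input is rejected with a documented ValueError."""
    if not data:
        raise ValueError("empty input")
    count = data[0]
    pos = 1
    records: List[bytes] = []
    for _ in range(count):
        if pos >= len(data):
            raise ValueError("truncated record header")
        length = data[pos]
        pos += 1
        if pos + length > len(data):
            raise ValueError("declared length exceeds remaining input")
        records.append(bytes(data[pos:pos + length]))
        pos += length
    return records


def mutate(seed_input: bytes, rng: random.Random) -> bytes:
    """Apply one random byte-level mutation to a seed input."""
    buf = bytearray(seed_input)
    op = rng.choice(("flip", "insert", "delete", "truncate"))
    if op == "flip" and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "delete" and buf:
        del buf[rng.randrange(len(buf))]
    elif op == "truncate" and buf:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def fuzz(target: Callable[[bytes], object],
         seeds: List[bytes],
         iterations: int,
         expected: Tuple[type, ...] = (),
         rng_seed: int = 0) -> Dict[Tuple[str, str], bytes]:
    """Mutation-based fuzz loop. Returns one reproducing input per distinct
    unexpected exception (type, message). Exceptions listed in `expected` are
    the parser's documented rejections and are not counted as findings."""
    rng = random.Random(rng_seed)
    findings: Dict[Tuple[str, str], bytes] = {}
    for _ in range(iterations):
        candidate = mutate(rng.choice(seeds), rng)
        try:
            target(candidate)
        except expected:
            continue
        except Exception as exc:  # anything else is an unhandled failure
            findings.setdefault((type(exc).__name__, str(exc)), candidate)
    return findings


SEEDS = [b"\x02\x03abc\x02xy"]  # one well-formed record set, constructed


if __name__ == "__main__":
    for name, target, ok in (("defective", parse_tlv, ()),
                             ("hardened", parse_tlv_safe, (ValueError,))):
        found = fuzz(target, SEEDS, 2000, expected=ok)
        print(f"{name}: {len(found)} distinct failure(s)")
        for (etype, msg), inp in found.items():
            print(f"  {etype}: {msg!r} <- {inp!r}")
```

The harness only sees what it can observe: an unhandled exception. A defect that produces wrong output without raising anything (a record silently mis-split, for instance) would need an explicit oracle in the `target` wrapper, which is the sense in which fuzzing is one test among several rather than a guarantee against zero-days in a dependency.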

0 Answers