• Software flaws once discovered enter one of two lifecycles, namely ‘The Patch Cycle’ and ‘The Exploit Cycle’.
  • A security bug life cycle traces the status of a bug from the time it is first discovered till the time it is eliminated by developers.

The continuous discovery of software bugs that can be exploited to gain unauthorized access or elevated privileges on a computer system poses a serious threat to organizations across the world. Unlike their insect namesakes, software security bugs are dangerous if they are left unpatched, and the fix itself has to be applied with care.

While many software flaws are caught through code review, testing, and vigilance, some remain dormant until the right conditions arise.

Usually, software flaws once discovered enter one of two lifecycles, namely ‘The Patch Cycle’ and ‘The Exploit Cycle’.

The Patch Cycle

  • The software is deployed and in use.
  • Someone finds a flaw in it.
  • The developer develops and publishes a patch to fix the flaw.
  • Some deployments of the vulnerable software are patched promptly using the released security patch; others lag behind.
  • Meanwhile, someone finds a way to exploit the flaw (the published patch itself often shows where to look).
  • Cybercriminals use the exploit as an attack vector to penetrate the computers that are still unpatched.
  • Users are blamed for failing to apply the patch on time: the exposure window here is the lag between patch release and patch deployment.

The Exploit Cycle

  • The software is deployed and in use.
  • Someone finds a flaw in it.
  • Someone develops a way to exploit the flaw.
  • Cybercriminals take advantage of the exploit method to infect vulnerable computers.
  • Later, developers create and publish a patch to address the flaw.
  • Then the vulnerable software is patched.
  • Here the exposure window opens before any fix exists (a zero-day), and the flaw is attributed to insufficient quality control by the vendor.
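To make the two cycles concrete, here is an added Python example that is not part of the Cyware article. It records the key dates of a flaw on one deployment, classifies which cycle the flaw followed by whether the patch preceded the working exploit, and splits the exposure window (exploit available while the deployment is still unpatched) into the part before any patch existed and the part after a patch was available but not yet applied, which is the split behind "vendor is blamed" versus "users are blamed". The class, the field names and every date are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class FlawTimeline:
    """Key dates for one flaw on one deployment.

    Field names and all dates are constructed for this example; they are not
    terminology from the article."""
    discovered: date
    exploit_available: date            # first working exploit (public or in the wild)
    patch_released: Optional[date]     # None while the vendor has shipped no fix
    patch_applied: Optional[date]      # None while this deployment is unpatched

    def cycle(self) -> str:
        """'patch' when a fix existed before a working exploit (the Patch Cycle),
        otherwise 'exploit' (the Exploit Cycle, i.e. a zero-day)."""
        if self.patch_released is not None and self.patch_released <= self.exploit_available:
            return "patch"
        return "exploit"

    def exposure(self, as_of: date) -> dict:
        """Days during which an exploit existed and the deployment was still unpatched,
        split by who could have closed the window:
          vendor   - no patch existed yet (only the vendor can act)
          deployer - a patch existed but had not been applied (only the deployer can act)
        Deployments that are still unpatched are measured up to `as_of`."""
        start = self.exploit_available
        end = self.patch_applied if self.patch_applied is not None else as_of
        if end <= start:
            return {"total": 0, "vendor": 0, "deployer": 0}
        if self.patch_released is None:
            split = end                      # no fix yet: the whole window is the vendor's
        else:
            split = min(max(self.patch_released, start), end)
        vendor = (split - start).days
        deployer = (end - split).days
        return {"total": vendor + deployer, "vendor": vendor, "deployer": deployer}


# Reporting date used for deployments that are still unpatched (constructed).
AS_OF = date(2024, 6, 1)

# Constructed timelines: one per cycle in the article, plus two unfinished cases.
PATCH_CYCLE = FlawTimeline(
    discovered=date(2024, 1, 10),
    patch_released=date(2024, 2, 1),
    exploit_available=date(2024, 2, 10),   # exploit appears after the fix shipped
    patch_applied=date(2024, 3, 1),        # this deployment patched a month after release
)

EXPLOIT_CYCLE = FlawTimeline(
    discovered=date(2024, 4, 1),
    exploit_available=date(2024, 4, 5),    # exploited before any fix exists
    patch_released=date(2024, 5, 1),
    patch_applied=date(2024, 5, 15),
)

STILL_UNPATCHED = FlawTimeline(            # fix available, deployment never applied it
    discovered=date(2024, 4, 1),
    exploit_available=date(2024, 4, 5),
    patch_released=date(2024, 5, 1),
    patch_applied=None,
)

NO_FIX_YET = FlawTimeline(                 # exploited, and the vendor has shipped nothing
    discovered=date(2024, 4, 1),
    exploit_available=date(2024, 4, 5),
    patch_released=None,
    patch_applied=None,
)


def summarize(timelines, as_of: date = AS_OF) -> list:
    """One row per timeline: which cycle it followed and how its exposure splits."""
    return [dict(cycle=t.cycle(), **t.exposure(as_of)) for t in timelines]


if __name__ == "__main__":
    for row in summarize([PATCH_CYCLE, EXPLOIT_CYCLE, STILL_UNPATCHED, NO_FIX_YET]):
        print(row)
```

In the patch-cycle case every exposed day falls after the patch release, so the whole window is on the deployer's side; in the exploit-cycle case the days before the vendor shipped a fix are the vendor's, and only the deployment lag after that is the deployer's. Both cycles produce an exposure window; what differs is who could have closed it.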

Bottom line

A security bug life cycle traces the status of a bug from the time it is first discovered until it is eliminated by the developers. During this time, the testing team has to verify that the fix actually removes the bug and that it cannot be reproduced, including in later releases.

Cyware Publisher
