Monday, December 22, 2008

Security vulnerability regressions

Many security vulnerabilities do not have exploit code, so they cannot be added to a testsuite to ensure that they do not regress. One scenario is that a security patch gets applied to the release branch for a quick patch release, but then fails to be applied, or is misapplied, to the trunk.

A painstaking project would be to go back through every published vulnerability of a piece of software to see if it has regressed.
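One mechanical piece of that project is checkable even without exploit code: whether each fix that landed on the release branch is also present on the trunk. The script below is an added example, not code from the original post. Because a cherry-picked fix gets a different commit hash and different hunk offsets on each branch, it compares patches by content rather than by commit id, loosely in the spirit of `git patch-id`. The diffs, file names and fix labels are constructed for the example; in practice the patch text would come from `git show` on each branch.

```python
import hashlib
from typing import Dict, Set


def patch_id(diff_text: str) -> str:
    """Content-based identity for a patch, loosely modelled on git patch-id.

    Only the file headers and the added/removed lines are hashed. Hunk
    headers (@@ -a,b +c,d @@), blob index lines and unchanged context are
    dropped, so the same fix cherry-picked onto a branch where the
    surrounding code has shifted still yields the same id.
    """
    h = hashlib.sha256()
    for line in diff_text.splitlines():
        if line.startswith(("index ", "@@")) or not line.strip():
            continue
        if line.startswith(("diff --git", "+", "-")):
            h.update(line.encode("utf-8"))
            h.update(b"\n")
    return h.hexdigest()


def missing_from_trunk(release_fixes: Dict[str, str],
                       trunk_commits: Dict[str, str]) -> Set[str]:
    """Return the labels of release-branch fixes whose content does not
    appear anywhere in the trunk commits."""
    trunk_ids = {patch_id(diff) for diff in trunk_commits.values()}
    return {label for label, diff in release_fixes.items()
            if patch_id(diff) not in trunk_ids}


# Constructed sample diffs (not from any real project).
# The same fix on the release branch and on trunk: different blob ids and
# hunk offsets, identical change.
FIX_NULL_CHECK_RELEASE = """\
diff --git a/src/parse.c b/src/parse.c
index 1111111..2222222 100644
--- a/src/parse.c
+++ b/src/parse.c
@@ -40,6 +40,8 @@ int parse_header(const char *buf, size_t len)
 {
+    if (buf == NULL || len == 0)
+        return -1;
     return do_parse(buf, len);
 }
"""

FIX_NULL_CHECK_TRUNK = """\
diff --git a/src/parse.c b/src/parse.c
index 3333333..4444444 100644
--- a/src/parse.c
+++ b/src/parse.c
@@ -58,6 +58,8 @@ int parse_header(const char *buf, size_t len)
 {
+    if (buf == NULL || len == 0)
+        return -1;
     return do_parse(buf, len);
 }
"""

# A second fix that was only ever applied to the release branch.
FIX_LENGTH_CHECK_RELEASE = """\
diff --git a/src/frame.c b/src/frame.c
index 5555555..6666666 100644
--- a/src/frame.c
+++ b/src/frame.c
@@ -12,5 +12,7 @@ int copy_frame(struct frame *f, const char *src, size_t n)
 {
+    if (n > sizeof(f->data))
+        return -1;
     memcpy(f->data, src, n);
     return 0;
 }
"""

RELEASE_FIXES = {
    "fix-null-check": FIX_NULL_CHECK_RELEASE,
    "fix-length-check": FIX_LENGTH_CHECK_RELEASE,
}

TRUNK_COMMITS = {
    "trunk-commit-a": FIX_NULL_CHECK_TRUNK,
}


if __name__ == "__main__":
    for label in sorted(missing_from_trunk(RELEASE_FIXES, TRUNK_COMMITS)):
        print(f"release fix not found on trunk: {label}")
```

A fix that was applied but misapplied (the first paragraph's other case) produces a different patch id and so also shows up as missing, which is the right outcome: it needs a human look either way. What this check cannot tell you is whether a later trunk commit undid the fix, so it complements rather than replaces a behavioural regression test.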
