The vulnerability life cycle has three phases: the research/discovery phase -- in which both malicious and nonmalicious security researchers seek new holes in products; the disclosure phase -- in which the discoverer of the new vulnerability tells others about it; and . . .
The vulnerability life cycle has three phases: the research/discovery phase -- in which both malicious and nonmalicious security researchers seek new holes in products; the disclosure phase -- in which the discoverer of the new vulnerability tells others about it; and the exploitation phase -- in which the specifics of bug information are incorporated into a program designed to take advantage of the vulnerability.

Trace Unix exploit code in the late 1980s and early 1990s and you'll find that vulnerability information and exploit code commonly circulated in the underground long before they made their way to FIRST, CERT or Bugtraq circles. Attackers used this knowledge as trump cards: Even if your Unix machine patches were up to date, you obviously had no patch for unknown holes. These vulnerabilities still exist today, leaving many systems in a "pants-down" state. This phenomena is one of the primary reasons defense-in-depth strategies are so important. We're not battling just the known; we're battling the unknown too.

The link for this article located at NWC is no longer available.