Even perfectly written code entails risk
Let’s pretend that every piece of software that your organization ever writes from here on out is completely perfect. All of your developers are attentive and well trained. Your developers will never write code with a logic error, SQL injection, or cross-site scripting vulnerability. (Don’t worry if you don’t know what these vulnerabilities are yet.)
Aaah. Safe, cozy, and warm. It feels good to know that we’re completely secure, doesn’t it?
Even if all the code that you write is perfect, you’re still at risk. You’re dependent on lots of software written by third parties. We don’t know what vulnerabilities exist in third-party software, when these vulnerabilities will become public, or when patches will become available.
Patching is time-critical
What’s worse, this state of ignorance is time-critical. Once a vulnerability is made public, security researchers and criminals alike start writing tools to scan for vulnerable computers.
Scanning tools allow attackers to find your vulnerable public systems even if they never had any reason to attack you before. The internet makes every public-facing computer equally close. Even if the technical details of a vulnerability are not made public and only a patch is made available, motivated attackers can compare the patched code with the old code to work out what was fixed and find likely attack vectors.
As defenders, it’s important that we learn to use these tools to help us find our own vulnerable systems before criminals do.
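To make the exposure window concrete from the defender's side, here is an added example (not from the original text) that checks an inventory of third-party components against a list of published advisories and reports how many days each still-vulnerable component has been exposed since disclosure. The component names, version ranges and dates are constructed sample data, not real advisories.

```python
"""Flag third-party components whose installed version falls inside a
published advisory's affected range, and report how long each has been
exposed since public disclosure. All inventory and advisory data here is
constructed sample data, not real advisories."""
from datetime import date

# Constructed inventory: component -> installed version
INVENTORY = {
    "webframework": "2.3.1",
    "imagelib": "1.9.4",
    "jsonparser": "4.0.2",
}

# Constructed advisories: (component, first affected, first fixed, disclosed)
ADVISORIES = [
    ("webframework", "2.0.0", "2.3.2", date(2024, 3, 1)),
    ("imagelib", "1.9.0", "1.9.4", date(2024, 2, 10)),   # already patched
    ("jsonparser", "4.0.0", None, date(2024, 3, 20)),     # no fix released yet
]

def parse_version(v):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as text."""
    return tuple(int(part) for part in v.split("."))

def is_affected(installed, first_affected, first_fixed):
    """True when installed >= first_affected and (no fix exists or installed < fix)."""
    inst = parse_version(installed)
    if inst < parse_version(first_affected):
        return False
    return first_fixed is None or inst < parse_version(first_fixed)

def exposure_report(inventory, advisories, today):
    """Return (component, installed, days since disclosure, fix available)
    for every inventoried component still inside an advisory's affected range."""
    report = []
    for component, first_affected, first_fixed, disclosed in advisories:
        installed = inventory.get(component)
        if installed is None:
            continue  # component not deployed here, nothing to patch
        if is_affected(installed, first_affected, first_fixed):
            days = (today - disclosed).days
            report.append((component, installed, days, first_fixed is not None))
    return report

if __name__ == "__main__":
    for comp, ver, days, fixed in exposure_report(INVENTORY, ADVISORIES, date(2024, 4, 1)):
        action = "patch available" if fixed else "no fix yet, mitigate"
        print(f"{comp} {ver}: exposed {days} days since disclosure ({action})")
```

A component with no fix available still shows up in the report, because the exposure clock starts at disclosure, not at patch release.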