Author: Royd Lüdtke, Director Static Code Analysis Tools (Verifysoft Technology)
In papers about security vulnerabilities in software applications, the terms 0-day and n-day vulnerabilities are often used. What do they mean?
The following allegory may help to explain:
Let’s assume you have installed burglar-proof windows in your house. By chance, you now discover that the windows can be opened from the outside by a simple trick.
This is of course disturbing. However, at first it probably does not pose a great danger, since only you have become aware of the security problem so far. We call this a ‘0-day vulnerability’: a security vulnerability that has just been discovered and has not yet been publicly disclosed.
As soon as the information about the problem becomes public, one speaks of an ‘n-day vulnerability’. At this point, at the latest, there is an urgent need for action, as your house has now become a preferred target for burglars.
The same problem arises for application programs which, being connected to networks, are exposed to potential attacks. If, for example, a previously unknown security vulnerability is uncovered using modern analysis tools, this is known as a 0-day vulnerability. If, on the other hand, software libraries with already known security problems are included in an application program, these are n-day vulnerabilities that pose a threat to the program. Software Composition Analysis (SCA) tools can identify the libraries integrated into an application (even if these are only available as binary files) and report the known vulnerabilities those libraries carry by referencing n-day vulnerability databases.
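As an added illustration of the SCA workflow just described (example code, not Verifysoft's tooling or code from the original article): a bundled binary is identified by fingerprint, and the identified version is then checked against advisory version ranges to produce n-day findings. All library names, fingerprints and advisory ids are constructed placeholders, and the version comparison assumes plain dotted numeric versions.

```python
"""Minimal SCA-style n-day check: identify bundled libraries, then match known advisories."""
import hashlib
from dataclasses import dataclass
from typing import Optional


def parse_version(v: str) -> tuple:
    """Dotted numeric version to a comparable tuple (assumption: no pre-release suffixes)."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    component: str
    advisory_id: str         # constructed placeholder, not a real CVE
    introduced: str          # first affected version (inclusive)
    fixed: Optional[str]     # first fixed version (exclusive); None if no fix exists yet


# Constructed n-day database, standing in for a real vulnerability feed.
ADVISORIES = [
    Advisory("libexample-zip", "EXAMPLE-2021-0001", "1.0.0", "1.2.5"),
    Advisory("libexample-zip", "EXAMPLE-2023-0002", "1.2.0", "1.3.0"),
    Advisory("libexample-xml", "EXAMPLE-2022-0003", "2.0.0", None),
]

# Constructed fingerprint table: SHA-256 of a library binary -> (name, version).
# A real SCA tool carries such fingerprints so that binary-only dependencies can be recognised.
FINGERPRINTS = {
    hashlib.sha256(b"constructed bytes of libexample-zip 1.2.3").hexdigest(): ("libexample-zip", "1.2.3"),
    hashlib.sha256(b"constructed bytes of libexample-xml 2.4.1").hexdigest(): ("libexample-xml", "2.4.1"),
}


def identify_component(binary: bytes) -> Optional[tuple]:
    """Recognise a bundled library from its bytes; None if the fingerprint is unknown."""
    return FINGERPRINTS.get(hashlib.sha256(binary).hexdigest())


def is_affected(version: str, advisory: Advisory) -> bool:
    """True if version lies in [introduced, fixed), or in [introduced, ...) when unfixed."""
    v = parse_version(version)
    if v < parse_version(advisory.introduced):
        return False
    return advisory.fixed is None or v < parse_version(advisory.fixed)


def find_n_days(binaries: list) -> dict:
    """Map each identified (name, version) to the advisory ids it is affected by."""
    findings = {}
    for blob in binaries:
        component = identify_component(blob)
        if component is None:
            continue  # unrecognised code cannot be matched to a known (n-day) issue
        name, version = component
        hits = [a.advisory_id for a in ADVISORIES if a.component == name and is_affected(version, a)]
        if hits:
            findings[(name, version)] = hits
    return findings
```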