New vulnerabilities are no longer surprising or shocking. It seems like they come out every day. Shellshock is interesting to me because the underlying bug was introduced 22 years ago, but it only being exposed now. Imagine how many code reviews, how many regression tests, how many signoffs happened in those 22 years – and shellshock has been waiting all this time.
How many times have we heard, “this code hasn’t been touched in years”, or “this bug was found internally, but no customer has complained in several releases”. Shellshock, to me, is a reminder to always be vigilant, keep an open mind, and to keep focus on high quality – even for the old and stable components of our system.