Rubbish software security patches responsible for a quarter of zero-days last year

PassiveSmoking

Fast Vs Right

I think the fundamental problem here is that if a zero-day is discovered, there's an urgency to get a fix out as soon as humanly possible and stop it being exploited. This is entirely understandable, but as illustrated in the article, it can and often does lead to incomplete fixes and ultimately a dev team playing whack-a-mole for a while as new exploits emerge that work around the partial fix.

Of course the time should be taken to do things right, properly understand the root cause of the problem and comprehensively patch it, but that takes time. In the meantime the bug is being exploited. An incomplete patch is still better than no patch at all.

And then we have the problem of management not understanding that a quick patch isn't guaranteed to be a comprehensive fix, considering the matter solved as soon as there's a patch out, and therefore being unprepared to allocate further resources to a problem that they think is already solved.

Dealing with zero-days really ought to be a 2-step process:

* Get a patch for the issue out as fast as possible

* Use the time bought by the patch to do a more thorough code analysis and get a more comprehensive fix out before anybody can find workarounds for the patch

We've got step 1 down, but step 2 doesn't happen nearly as often as it should.
