3% of Open Source Software Bugs are Attackable


As vulnerability-management workloads skyrocket amid heightened software supply chain risk, a recent study indicates that only 3% of flaws are realistically reachable by attackers.

This implies that if application security professionals and developers work together to focus on fixing and mitigating the truly attackable flaws, the heavy strain currently imposed on their teams would be dramatically reduced.

Reduction in False-Positives

The study, produced by ShiftLeft, suggests that appsec and development teams can sift through vulnerabilities effectively by focusing on the attackable ones. Developers saw a 97% reduction in false-positive library upgrade tickets once attackability was considered when examining in-use packages with critically rated vulnerabilities.

If this tactic holds, it would be a welcome relief to many: vulnerability management is already extremely hard, and third-party flaws add further complications, especially given the scale at which these vulnerabilities ripple across numerous pieces of software, creating a heavy workload that is manageable only through effective prioritization.

Security teams and developers can address only a limited number of vulnerabilities across many applications in a given time. They need assurance that the ones they do fix, or mitigate with compensating controls, are the ones that truly count.

Attackability for Security Vulnerabilities

Deciding what is attackable means looking beyond the mere presence of open-source dependencies with known vulnerabilities and focusing on how those dependencies are actually used.

Many tools can easily locate and report vulnerabilities, but they do not consider how the dependency is used in the application, or whether the application even uses it.

Analyzing attackability involves assessing additional factors: whether the package containing the CVE is loaded by the application, whether it is in use, whether the package sits on an attacker-controlled path, and whether it is reachable via data flows. This amounts to a simple threat-modelling approach to open-source vulnerabilities that can drastically reduce the fire drills.
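As an added illustration of the triage described above (example code, not ShiftLeft's tool or data), the script below applies those questions in order to a constructed dependency manifest and call graph. The package names, placeholder CVE ids, function names and call edges are all made up for the example.

```python
from collections import deque

# Constructed sample data, not from the ShiftLeft report: four declared
# dependencies, each with one known CVE (placeholder ids) in a named symbol.
MANIFEST = {
    "imglib":  ("CVE-PLACEHOLDER-1", "imglib.decode"),
    "yamlkit": ("CVE-PLACEHOLDER-2", "yamlkit.load_unsafe"),
    "zipkit":  ("CVE-PLACEHOLDER-3", "zipkit.extract_all"),
    "oldutil": ("CVE-PLACEHOLDER-4", "oldutil.format"),
}
# Packages the application actually imports at runtime ("loaded").
LOADED = {"imglib", "yamlkit", "zipkit"}
# Constructed call graph of the application: caller -> callees.
CALL_GRAPH = {
    "http.upload_handler": {"app.save_image"},
    "app.save_image": {"imglib.decode", "app.log"},
    "app.load_config": {"yamlkit.load_unsafe"},  # startup only, reads a local file
}
# Functions that receive attacker-controlled input (network entry points).
ENTRY_POINTS = {"http.upload_handler"}


def reachable_from(entry_points, graph):
    # Breadth-first walk of the call graph starting at the entry points.
    seen, queue = set(entry_points), deque(entry_points)
    while queue:
        for callee in graph.get(queue.popleft(), ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def classify(manifest, loaded, graph, entry_points):
    # Apply the attackability questions in order: is the package loaded, is the
    # vulnerable symbol called at all, can attacker-controlled input reach it?
    used = set(graph) | {c for callees in graph.values() for c in callees}
    attacker_reachable = reachable_from(entry_points, graph)
    verdicts = {}
    for pkg, (cve, symbol) in manifest.items():
        if pkg not in loaded:
            verdicts[cve] = "not loaded"
        elif symbol not in used:
            verdicts[cve] = "loaded but never called"
        elif symbol not in attacker_reachable:
            verdicts[cve] = "called, but not reachable from attacker input"
        else:
            verdicts[cve] = "ATTACKABLE"
    return verdicts
```

Running `classify(MANIFEST, LOADED, CALL_GRAPH, ENTRY_POINTS)` leaves only one of the four CVEs in the ATTACKABLE bucket; the other three would be deferred rather than treated as fire drills.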

Biggest Threat Focus

When new high-profile supply chain vulnerabilities hit industry back channels and blow up in the media headlines, teams end up pulling long days and nights working out where the flaws affect their application portfolios, and even longer applying fixes and mitigations for the risk exposures. On this point, the report states that 96% of vulnerable dependencies were not attackable.

The biggest threats to software supply chains are deliberate, malicious attacks on open source. This is considered a much larger problem requiring more focus, as software supply chains face many threats beyond incidental bug finds.

For more information on any cyber security conference and upcoming risk management events, check out the upcoming events from Whitehall Media.