Report: Your software is vulnerable. Fix it!
It’s not news that software isn’t perfect — it’s made by imperfect humans, after all.
But the number of imperfections in those millions of lines of code, what kind they are, where they are, and how much damage they could cause are details that aren’t as obvious.
So in an effort to provide more details and context on software vulnerabilities, security consultants with the Synopsys Cybersecurity Research Center (CyRC) analyzed anonymized data from more than 3,900 tests conducted in 2020 on about 2,600 commercial web and mobile applications.
Their findings, presented in a recent report titled “2021 Software Vulnerability Snapshot,” are both illuminating and ominous. Nearly all the targeted apps (97%) had vulnerabilities. Close to a third (30%) had high-risk vulnerabilities, and 6% had critical-risk vulnerabilities.
“It’s clear that there’s still a broad variety of software weaknesses out there, ranging from simple implementation and configuration bugs to more foundational system design flaws,” said Aravind Venkataraman, senior principal consultant with the Synopsys CyRC.
Indeed, apply statistics like that to products in the physical world like vehicles — imagine more than a third of cars on the road with malfunctioning seatbelts, airbags, brakes or headlights — and you get a sense of the scale and severity of the problem.
Attractive attack surface
Predictably, those vulnerabilities are an attractive attack surface for criminal hackers. Sometimes they can exploit software defects before the ethical world finds out about them. Or, more commonly, they exploit defects that are known and for which patches are available, but their attacks succeed because thousands to millions of users aren’t keeping track of all the components of the software they’re using and therefore don’t know what they need to patch.
The 2017 breach of credit reporting giant Equifax is one of the most notorious examples of that problem. The company failed to patch a known vulnerability in Apache Struts, a popular open source web application framework, even though the patch had been available for months. The breach compromised crucial personal data of more than 143 million people.
So while software is part of the digital world, businesses and their customers rely on it in the real world. Experts have been saying for more than a decade that every company is a software company — it either builds software or it uses it to run the business.
As the report puts it, “software drives the administrative systems for most payroll, billing, receivables, sales tracking, and customer records. Software controls production, manages inventories, directs warehousing, and runs the distribution systems.” It is also “the primary way most businesses interact with and support customers.”
In other words, the quality and security of software has an existential impact on organizations. Software that isn’t secure is a business risk. And as the CyRC team found, there’s a lot of risk out there.
Almost all the tests analyzed by CyRC — so-called “opaque box” or “semi-opaque box” tests — are designed to mimic real-world attacks. The tests include penetration testing, dynamic application security testing, and mobile application security analysis. Opaque box testing simulates an attack from an external hacker, while semi-opaque box testing is designed to show what an authenticated user with credentials could do.
The tests covered a range of industries including software and internet, financial services, business services, manufacturing, media and entertainment, and healthcare.
The most common high-risk vulnerability was cross-site scripting (XSS), found in 28% of the applications. That’s an attack where malicious scripts are injected into trusted websites.
The Open Web Application Security Project (OWASP), in a description of XSS, says the targeted user’s browser “has no way to know that the script should not be trusted and will execute the script.” And that allows the malicious script (and therefore the hacker) to access “cookies, session tokens, or other sensitive information retained by the browser and used with that site.”
OWASP is famous for maintaining a top 10 list of web application vulnerabilities — a list that was updated earlier this year. And among the more significant findings of the CyRC report is that vulnerabilities from that updated list were discovered in 76% of the targets.
Application and server misconfigurations, ranked fifth on the OWASP list, were 21% of the overall vulnerabilities found in the tests. And 19% of the total vulnerabilities found were related to the vulnerability ranked first on the list — broken access control.
Other report highlights include:
- Insecure data storage and communication vulnerabilities plague a large majority (80%) of mobile applications. These vulnerabilities could allow an attacker to gain access to a mobile device either physically (i.e., accessing a stolen device) or through malware. More than half (53%) of the mobile tests found vulnerabilities associated with insecure communications.
- Even lower-risk vulnerabilities can be exploited to facilitate attacks. Sixty-four percent of vulnerabilities discovered are considered minimal-, low-, or medium-risk, which means they aren’t directly exploitable by attackers to gain access to systems or sensitive data. Still, they can be exploited to enable attacks. For example, verbose server banners — found in 49% of the tests — provide information such as server name, type, and version number, which could allow attackers to perform targeted attacks on specific technology stacks.
In the face of this, the news is not all bleak. Many companies, increasingly aware of the risks, are working to improve their software security. That has become more difficult, however, because of the vast gap between the demand for and availability of cybersecurity talent.
According to Cybersecurity Ventures, the number of vacant cybersecurity positions in the world currently is more than 3.5 million — nearly a million more than the population of Chicago. The number of vacant cybersecurity positions in the U.S. is, according to one estimate, nearly 600,000.
To their credit, when businesses don’t have the internal resources to ramp up their application security testing, they are increasingly turning to third-party providers. But no matter who is doing the security testing, it has to be targeted and effective, and can’t slow software developers down.
A full spectrum of tools
The report offers several recommendations.
First, a single security tool is not enough. The search for vulnerabilities in software “calls for multiple assessment techniques, such as [semi-opaque] testing, static analysis, composition analysis, design reviews, etc. to be applied against your software inventory on a continuous basis,” Venkataraman said.
Static application security testing can help find defects in code as it’s being written, but not while it’s running. That takes dynamic and interactive security testing. It should also be mandatory to use software composition analysis, a testing tool that can help find known vulnerabilities and potential licensing conflicts.
But multiple tools can be a problem rather than a solution if they aren’t properly configured. Organizations that are building software need to provide an automated system of tools to their developers that won’t slow them down with so many findings — many of them trivial — that they become the equivalent of white noise and developers tune them out.
The newest automated tool on the block to help with that, although it has been around for several years, is application security orchestration and correlation (ASOC). Not only can it be configured to do the right test at the right time (the orchestration part), ASOC also eliminates duplicates, aggregates findings by severity according to the priorities set by the organization and tracks whether they’ve been fixed.
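The correlation step described above can be sketched in a few lines. This is an added example, not code from the report or from any ASOC product; the tool names, field names and findings are constructed for illustration, and matching duplicates on the pair (CWE, location) is an assumption.

```python
# Constructed findings from three hypothetical scanners; field names are assumptions.
FINDINGS = [
    {"tool": "dast", "cwe": "CWE-79", "location": "/search", "severity": "medium"},
    {"tool": "sast", "cwe": "CWE-79", "location": "/search", "severity": "high"},
    {"tool": "dast", "cwe": "CWE-200", "location": "/", "severity": "low"},
    {"tool": "sca", "cwe": "CWE-502", "location": "lib-x@1.2", "severity": "critical"},
    {"tool": "sast", "cwe": "CWE-284", "location": "/admin", "severity": "high"},
]

# Priority order set by the organization, most urgent first.
PRIORITY = ["critical", "high", "medium", "low"]


def correlate(findings, fixed=frozenset()):
    """Merge findings that share (cwe, location), keep the most severe rating,
    record which tools reported each issue, and mark fixed ones."""
    merged = {}
    for f in findings:
        key = (f["cwe"], f["location"])
        issue = merged.setdefault(key, {
            "cwe": f["cwe"], "location": f["location"],
            "severity": f["severity"], "tools": set(),
        })
        issue["tools"].add(f["tool"])
        # A lower index in PRIORITY means a more severe rating.
        if PRIORITY.index(f["severity"]) < PRIORITY.index(issue["severity"]):
            issue["severity"] = f["severity"]
    for key, issue in merged.items():
        issue["status"] = "fixed" if key in fixed else "open"
    return sorted(merged.values(),
                  key=lambda i: (PRIORITY.index(i["severity"]), i["cwe"], i["location"]))


def open_by_severity(issues):
    """Count issues still open per severity level, in priority order."""
    counts = {level: 0 for level in PRIORITY}
    for issue in issues:
        if issue["status"] == "open":
            counts[issue["severity"]] += 1
    return counts


if __name__ == "__main__":
    for issue in correlate(FINDINGS, fixed={("CWE-79", "/search")}):
        print(issue["severity"], issue["cwe"], issue["location"],
              sorted(issue["tools"]), issue["status"])
```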
Second, while automated testing tools are essential given the speed of software development, in some cases a human has to be directly involved.
“From the report, we clearly see that even though application security professionals have been focusing on cross-site scripting for several years, it was discovered as a high-risk vulnerability in more than 28% of tests,” said Debrup Ghosh, product management manager with Synopsys. “Which proves that even though many development teams had probably conducted automated application security testing, it is critical to have human intelligence complement automated testing, to get a holistic view of the risk.”
That combination of manual and automated testing adds up to the report’s exhortation to use “a full spectrum of security tools.”
Finally, you’re asking for trouble if you don’t create and maintain an accurate, up-to-date software Bill of Materials, as in, keep track of everything you’re using. Experts have been saying for decades that you can’t protect what you don’t know you have. And what you have is likely much more complicated than it looks on the surface.
Virtually all applications today are built from a combination of proprietary, commercial, and open source software components. Those components can depend on other components or libraries that can go multiple levels deep and add up to hundreds or even thousands of dependencies.
If one or more of those dependencies that you don’t know about has a vulnerability, you’re unlikely to apply a patch for it even if it’s available. That can set you up to become the next version of Equifax.
The CyRC team found vulnerable third-party libraries in 18% of the penetration tests conducted. Which means the chances are one in five that your organization is relying on one of them.
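To make the transitive-dependency point concrete, the following added example (not from the report) flattens a dependency graph into a bill of materials and reports where a known-vulnerable component enters it. The component names, the graph and the advisory identifier are constructed placeholders.

```python
from collections import deque

# Constructed dependency graph: component -> its direct dependencies.
DEPS = {
    "shop-app@2.0": ["web-framework@5.1", "pdf-export@1.4"],
    "web-framework@5.1": ["template-engine@3.2", "http-core@1.9"],
    "pdf-export@1.4": ["image-codec@0.8"],
    "template-engine@3.2": ["expr-parser@1.0"],
    "http-core@1.9": [],
    "image-codec@0.8": ["expr-parser@1.0"],
    "expr-parser@1.0": [],
}

# Constructed advisory feed: component -> placeholder advisory id.
ADVISORIES = {"expr-parser@1.0": "ADVISORY-PLACEHOLDER-1"}


def build_bom(root, deps):
    """Breadth-first walk; returns {component: shortest path from root}."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in deps.get(node, []):
            if child not in paths:  # visit once; also guards against cycles
                paths[child] = paths[node] + [child]
                queue.append(child)
    return paths


def vulnerable_components(root, deps, advisories):
    """List every component in the BOM that has an advisory, with the
    dependency chain that pulls it in, shallowest first."""
    bom = build_bom(root, deps)
    hits = [
        {"component": c, "advisory": advisories[c],
         "depth": len(path) - 1, "path": path}
        for c, path in bom.items() if c in advisories
    ]
    return sorted(hits, key=lambda h: (h["depth"], h["component"]))


if __name__ == "__main__":
    root = "shop-app@2.0"
    direct_hits = [d for d in DEPS[root] if d in ADVISORIES]
    print("direct dependencies with advisories:", direct_hits)
    for hit in vulnerable_components(root, DEPS, ADVISORIES):
        print(hit["advisory"], "at depth", hit["depth"], "via", " -> ".join(hit["path"]))
```

Checking only the two direct dependencies finds nothing; the affected component appears three levels down, which is the case an inventory limited to top-level packages misses.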
So be proactive. Assume that your software is vulnerable because it is. Test it, track it, and fix it. Then you can trust it.