To defeat cyberattackers you need to get to know them better
Know your enemy.
That ancient wisdom from the Chinese General Sun Tzu was about physical war, but it’s just as relevant today to the online world. If you want to protect your digital assets, you’d better know how your enemies — malicious hackers — are likely to attack them.
And that exhortation is the focus of the 2022 “Software Vulnerability Snapshot,” a recent report by the Synopsys Cybersecurity Research Center (CyRC), based on data from almost 4,400 tests conducted on 2,700 targeted web or mobile applications, source code files or systems. (Disclosure: I write for Synopsys.)
Most of the tests, done by Synopsys Application Security Testing (AST) services, were about knowing the enemy — designed to probe running applications in ways that a real-world attacker would, and then identify the most critical vulnerabilities to fix.
Those intrusive “black box” and “gray box” tests included dynamic application security testing (DAST), mobile application security testing (MAST) analyses, and penetration tests — simulated attacks designed to evaluate the security of an application or system. DAST and MAST are automated tools that find defects in running code, while penetration testing is done manually and enables organizations to find and fix runtime vulnerabilities in the final development stages of software or after deployment.
The tests found plenty of defects — 95% of applications had at least one vulnerability or misconfiguration, and 25% of the vulnerabilities found were high or critical risk. At one level, that is good news: the point of software security testing is to find vulnerabilities and fix them before bad guys can find and exploit them.
As the report puts it, “organizations need to test their running web applications in the same way that attackers will, and then identify and eliminate vulnerabilities before they are exploited by outside agents.”
But it’s also a warning — the chances are close to 100% that the software you’re building and/or using has defects, and that a quarter of those defects are the kinds that can cause significant damage. If you don’t address them, you’re asking for trouble.
Worst of the worst
CyRC researchers found that 77% of the targets had vulnerabilities that appear on the Open Web Application Security Project (OWASP) Top 10 list — the worst of the worst.
Among the worst on that list are cross-site scripting (XSS) vulnerabilities, which can let attackers access application resources and data. According to the report, “Synopsys AST services found that 22% of the test targets had exposure to reflected, stored, or DOM (document object model)-based XSS vulnerabilities,” which can enable hackers to inject a malicious payload into a web page.
Other critical-risk vulnerabilities, such as remote code execution and SQL injection, allow attackers to execute code on a web application or application server and access sensitive data.
So what are the best ways to address those weaknesses? The report has several key takeaways that can help organizations know their enemies better and take effective measures to defeat them.
- Use all available testing tools. Different tools work in different ways to find weaknesses in software. Organizations should use them all. Besides DAST, MAST, and penetration testing mentioned earlier, static application security testing (SAST) can help flag defects in code as it’s being written, and software composition analysis (SCA) will help find open source components as well as where they came from, what version is being used, and whether they contain any known vulnerabilities or licensing conflicts.
- Be aware of third-party dangers. Software products today are more assembled than written — they include a combination of proprietary, third-party, and open source code. An average of about 77% of every codebase is open source software.
And that software, like any other software, is imperfect. According to the report, the Vulnerable Third-Party Libraries in Use vulnerability, ranked “critical” in the OWASP Top 10, was found in more than 20% of the pen tests and in 25% of the SAST tests.
As the report notes, your organization is vulnerable if you don’t know the versions of all components you use, and/or the code being used is unsupported or out-of-date.
- Create a software Bill of Materials (SBOM). A vehicle manufacturer wouldn’t stay in business long if it didn’t keep track of where its parts came from. Yet too many organizations have little to no idea what components are in the software products they’re using or what other components they rely on — which creates a supply chain that can run several levels deep and involve hundreds to thousands of so-called dependencies.
That makes the software supply chain a massive and attractive attack surface that needs much better protection than it has been getting. If anyone needs a reminder, last December’s discovery of a catastrophic vulnerability in the Apache open source logging library Log4j called Log4Shell was an example. One of the reasons it was so catastrophic is that too many users of Log4j didn’t know if they were using a version with the vulnerability. They weren’t keeping track of their supply chain.
That’s what makes an SBOM, an inventory of every software component an organization is using, so crucial. And it’s what makes an SCA tool so valuable, since it helps find those components, as well as what version they are and whether any of them have known vulnerabilities.
As the report puts it, “with many companies having hundreds of applications or software systems in use, each themselves likely having hundreds to thousands of different third-party and open source components, an accurate, up-to-date SBOM is urgently needed to effectively track those components.”
The good news is that there is now better awareness of that need than ever before. A recent Synopsys report, “Walking the Line: GitOps and Shift Left Security,” found that 73% of survey respondents had increased their efforts to secure their organizations’ software supply chain. And President Biden’s May 2021 “Executive Order on Improving the Nation’s Cybersecurity,” explicitly calls for organizations, both public and private, to create and maintain SBOMs.
- Don’t let low-risk defects become high-risk. Vulnerabilities labeled low-risk generally get that ranking either because they are unlikely to cause much damage or because it is unlikely that an attacker could exploit them. But the report notes that, depending on the profile of an organization, such a vulnerability could become high-impact/high-likelihood. One example is the Verbose Server Banners vulnerability that, while considered low-risk, “provides information such as server name, type, and version number that could allow attackers to perform targeted attacks on specific technology stacks.”
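The SBOM-plus-SCA check described above, as an added example that is not part of the report or any Synopsys tool: it reads a constructed CycloneDX-style JSON inventory, compares each component's version against a constructed advisory list, and reports the components that fall inside an affected range. The Log4Shell version range used here is illustrative, not an authoritative advisory.

```python
"""Check a CycloneDX-style SBOM against a small advisory list (added example)."""
import json
import re

# Constructed minimal SBOM in CycloneDX JSON layout (sample data, not a real inventory).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
        {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"},
        {"group": "com.example", "name": "widget-lib", "version": "1.0.0"},
    ],
})

# Constructed advisory entries: (group, name, first affected, first fixed, label).
# The Log4Shell range is illustrative; use the vendor advisory for authoritative data.
ADVISORIES = [
    ("org.apache.logging.log4j", "log4j-core", "2.0", "2.15.0", "Log4Shell (illustrative range)"),
]


def parse_version(v):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple of numeric parts.
    Pre-release suffixes after a '-' are ignored, so 2.0-beta9 sorts as 2.0."""
    return tuple(int(p) for p in re.findall(r"\d+", v.split("-")[0]))


def find_vulnerable_components(sbom_text, advisories=ADVISORIES):
    """Return [(name, version, label)] for every component whose version lies
    in an advisory's [introduced, fixed) range. Unknown components are ignored."""
    sbom = json.loads(sbom_text)
    hits = []
    for comp in sbom.get("components", []):
        ver = parse_version(comp.get("version", ""))
        for group, name, introduced, fixed, label in advisories:
            if (comp.get("group") == group and comp.get("name") == name
                    and parse_version(introduced) <= ver < parse_version(fixed)):
                hits.append((name, comp["version"], label))
    return hits


if __name__ == "__main__":
    for name, ver, label in find_vulnerable_components(SBOM_JSON):
        print(f"{name} {ver}: {label}")
```

Only the 2.14.1 copy of log4j-core is reported; the patched 2.17.1 copy and the unrelated library pass, which is exactly the question an SBOM lets you answer quickly when an advisory lands.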
Software security advice always has to come with a disclaimer: Nothing will make you bulletproof. But knowing your enemy will bring you much closer to that goal. One of the traits of most attackers is that they are looking for easy targets. When they confront a difficult target, most tend to move on.
Following the recommendations in this report can help you join those more difficult targets.