In a world increasingly dependent on technology, software sprawl is growing. Companies use custom-built software, open source software, and products from third-party providers when building applications. Through this software supply chain, the digital attack surface expands. Each software dependency can also expose an organization to attack, because bugs are found in every kind of software and malicious actors can exploit them. Certain attacks in the headlines in the last year, including those that impacted SolarWinds and Kaseya, highlight the fragility of the software supply chain and the far-reaching implications if the supply chain is exploited.
Now the federal government is paying attention to software threats. It is now a requirement for companies that want to contract with government agencies to maintain a software bill of materials (SBOM) in order to have a clear and complete inventory of the software an organization has throughout its environment.
In tandem with understanding one's software environment is also the need to find vulnerabilities within that environment. Vulnerability management tools look for specific vulnerabilities and are segmented to specific areas within the various environments where software resides. Some scan for CVEs in the infrastructure, some on containers, and some in OSS libraries.
But both kinds of tools have severe limitations. While SBOM tools have been developed, unfortunately, most require a lot of manual work and are limited to specific parts of the software stack and environment. And while vulnerability scanners may locate bugs, they do not give security teams context that is specific to their own individual environments about how much risk each flaw might pose.
The result is that most organizations are still flying blind when it comes to remediating vulnerabilities. Static SBOMs only reveal a point-in-time view of the software environment. And vulnerability scanners only offer limited information about flaws, with no real "action plan" on how to prioritize and remediate them other than CVE scores, which are of little value in many cases. Tech debt grows, and the attack surface is still massive.
In this software-driven world, we lack the tooling to release secure software — or secure released software — fast enough.
We Need a New Approach to Vulnerability Management
With software outpacing the ability of traditional vulnerability management to scan everything, a new approach is needed. The answer? Tools and strategy that allow security and development professionals to see all software across the stack and understand risk holistically.
- Understanding what you have is not enough. More software and more vulnerabilities are creating huge backlogs for IT. That's why we need not only tools to detect the vulnerabilities associated with the software, but also tools to prioritize these vulnerabilities and understand what matters. Rezilion's research shows that only a small percentage of discovered vulnerabilities are loaded into memory and therefore exploitable, reducing patching backlogs by up to 85%.
- Context is key. You must be able to figure out which software and applications will be most affected by vulnerabilities and whether the vulnerability poses a high risk. You also need to know what the attacker will achieve by exploiting the vulnerability and gaining access to your network, and what the impact will be.
- Knowing what vulnerabilities matter doesn't mean you know how to fix them effectively. Furthermore, remediation has become more complex with many stakeholders and even more vulnerabilities.
To solve this, security and dev teams need intelligence on how to handle every vulnerability, what packages to upgrade, and to make sure this information is passed to the right stakeholders to make it easy for them to apply patches. This is the future of vulnerability management.
Detect. Prioritize. Remediate: The New Road Map for Software Attack Surface Management
The path forward in vulnerability management includes three key stops: Detect. Prioritize. Remediate. If these components sound familiar to you, it's because they're part of a framework called "Attack-Surface Management" that has been successfully applied to assets and networks. This is the strategy needed to expand software security beyond its traditional boundaries of simply scanning for vulnerabilities.
You can arrive at the stops with three capabilities:
Detect: A dynamic SBOM to see in real-time into the software environment and identify flaws.
Prioritize: A vulnerability prioritization tool to understand which bugs pose an actual risk.
Remediate: Automated vulnerability remediation that fixes the critical vulnerabilities.
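The three stops above, and the "loaded into memory" prioritization idea from the earlier list, can be made concrete in code. The following Python script is an added example written for this page; it is not code from the post or from Rezilion, and it does not reproduce their product's logic. It joins a constructed CycloneDX-style SBOM with a constructed advisory feed (placeholder advisory IDs, not real CVEs) and a constructed list of packages observed loaded at runtime, then ranks findings so the ones reachable in the running environment come first and produces a per-package upgrade plan.

```python
"""Detect / Prioritize / Remediate over an SBOM: added illustration, not vendor code.

All inputs below are constructed for the example: package names, versions,
advisory IDs (ADV-EXAMPLE-*) and the runtime-loaded set are hypothetical.
"""
import json
from dataclasses import dataclass, replace

# Constructed CycloneDX-style SBOM document (hypothetical components).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.0"},
        {"type": "library", "name": "jsonutil", "version": "2.0.1"},
        {"type": "library", "name": "imagecodec", "version": "3.4.5"},
        {"type": "library", "name": "libbar", "version": "0.9.0"},
    ],
})

# Constructed advisory feed: package name -> advisories with the first fixed
# version and a CVSS base score. Versions below `fixed_in` are affected.
VULN_FEED = {
    "libfoo": [{"id": "ADV-EXAMPLE-0001", "fixed_in": "1.3.0", "cvss": 9.8}],
    "jsonutil": [
        {"id": "ADV-EXAMPLE-0002", "fixed_in": "2.0.4", "cvss": 7.5},
        {"id": "ADV-EXAMPLE-0003", "fixed_in": "2.1.0", "cvss": 5.3},
    ],
    "imagecodec": [{"id": "ADV-EXAMPLE-0004", "fixed_in": "3.4.0", "cvss": 8.1}],
}

# Constructed runtime observation: packages whose code was actually loaded
# into memory by the running application (the "context" the post asks for).
LOADED_AT_RUNTIME = {"jsonutil", "libbar"}

# Findings for packages never loaded are not dropped, only discounted, so they
# stay visible in the backlog but sort behind anything that is reachable.
UNLOADED_DISCOUNT = 0.1


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    advisory: str
    cvss: float
    fixed_in: str
    loaded: bool = False

    @property
    def priority(self) -> float:
        """Risk score used for ordering: CVSS kept for loaded code, discounted otherwise."""
        return self.cvss if self.loaded else self.cvss * UNLOADED_DISCOUNT


def version_key(version: str) -> tuple:
    """Turn 'MAJOR.MINOR.PATCH' into a tuple so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def parse_sbom(text: str) -> list:
    """Detect step, part 1: inventory every (name, version) listed in the SBOM."""
    doc = json.loads(text)
    return [(c["name"], c["version"]) for c in doc.get("components", [])]


def detect(sbom_text: str, feed: dict) -> list:
    """Detect step, part 2: match each inventoried component against the feed."""
    findings = []
    for name, version in parse_sbom(sbom_text):
        for adv in feed.get(name, []):
            if version_key(version) < version_key(adv["fixed_in"]):
                findings.append(Finding(name, version, adv["id"], adv["cvss"], adv["fixed_in"]))
    return findings


def prioritize(findings: list, loaded: set) -> list:
    """Prioritize step: attach runtime context and sort by descending risk."""
    contextual = [replace(f, loaded=f.package in loaded) for f in findings]
    return sorted(contextual, key=lambda f: (-f.priority, f.package, f.advisory))


def deferrable_fraction(ranked: list) -> float:
    """Share of findings that are not loaded at runtime and can be scheduled later."""
    if not ranked:
        return 0.0
    return sum(1 for f in ranked if not f.loaded) / len(ranked)


def remediation_plan(ranked: list) -> dict:
    """Remediate step: one upgrade target per package, high enough to close every advisory."""
    plan = {}
    for f in ranked:
        current = plan.get(f.package)
        if current is None or version_key(f.fixed_in) > version_key(current):
            plan[f.package] = f.fixed_in
    return plan


if __name__ == "__main__":
    ranked = prioritize(detect(SBOM_JSON, VULN_FEED), LOADED_AT_RUNTIME)
    for f in ranked:
        print(f"{f.priority:5.2f}  {f.advisory}  {f.package} {f.version}  loaded={f.loaded}")
    print("upgrade plan:", remediation_plan(ranked))
```

Note what the runtime context changes: `libfoo` carries the highest CVSS score in the feed, but because nothing from it was loaded it sorts below both `jsonutil` advisories, which are the ones an attacker could actually reach in this environment. `imagecodec` produces no finding at all because the inventoried version is already at or above the fix. The upgrade plan collapses the two `jsonutil` advisories into a single target version, which is the form in which the information can be handed to the team that applies patches.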
Does Your Vulnerability Management Strategy Include the Three Key Elements?
Ask yourself whether your organization is protected with the traditional approach to vulnerability management using manual tools to find vulnerable software components. Most organizations today are fighting a battle that fails to reduce the rapidly growing software attack surface. The best way forward is one that not only identifies bugs but also prioritizes and fixes them quickly and efficiently. That's why new tools and approaches are required in order to truly manage vulnerabilities in today's constantly growing attack surface.
About the Author
Liran Tancman, CEO and co-founder of Rezilion, is one of the founders of the Israeli cyber command and spent a decade in Israel's intelligence corps. In 2013, Liran co-founded CyActive, a company that built a technology capable of predicting how cyber threats could evolve and offering future-proof security. Liran served as CyActive's CEO and led it from its inception to its acquisition by PayPal in 2015. Following the acquisition, Liran headed PayPal's global Security Products Center, which was responsible for developing cutting-edge technologies to secure PayPal's customers.