Security Teams Failing to Address Open Source Vulnerabilities
The ongoing rise in open source vulnerabilities and software supply chain attacks is leaving organizations vulnerable to attack and causing greater challenges for security teams, according to Mend’s open source risk survey of nearly 1,000 North American companies.
The report found open source vulnerabilities are outstripping the growth of open source software. There was a 33% increase in open source vulnerabilities but just a 25% increase in available open source software.
“To put it simply, security teams are falling behind,” said Jeff Martin, vice president of product at Mend. “This is a problem because the number of vulnerabilities doesn’t equate to the same number of threats.”
He pointed out that threat actors are using more sophisticated techniques, which means the chance of a successful attack that harnesses multiple vulnerabilities increases exponentially as the number of available vulnerabilities grows.
The Usual Suspects
Martin said there are several reasons for organizations’ low remediation rates, but that every year the same culprits arise. These repeat offenders include a lack of time and resources and a lack of visibility into which vulnerabilities pose the biggest risk.
“Developer teams are tapped out and security teams are pulled in too many directions forcing them to make tough decisions about the vulnerabilities they will focus on,” he explained. “And some of the challenges reflected here come with open source territory.”
He added that there are a lot of third-party libraries in use and a lot of dependencies to weed through; doing so is a daunting and highly time-intensive job. That’s why more companies are turning to automated tools for help finding these vulnerabilities and prioritizing those considered high-priority.
Travis Smith, vice president of the threat research unit at Qualys, pointed out there often is not a path to automated remediation, which is a key driver in bringing down the mean-time-to-remediation and patch rate for vulnerabilities.
“Second, these types of vulnerabilities are often embedded within other software programs, which means these are more complex to discover than other vulnerabilities in programs like Windows or Chrome,” he said.
He explained that the dwell time is between when organizations can patch and when a vulnerability is weaponized.
“During this window, threat actors can take advantage of these vulnerabilities,” Smith said. “Those vulnerabilities exposed to the internet directly are most at risk, but so are others which are often taken advantage of for phishing.”
Martin explained that a lot of organizations prioritized critical severity vulnerabilities for remediation, but that’s only one piece of the puzzle.
“Effective prioritization requires not only severity details but also context around how specific flaws can be exploited, both solo and in conjunction with others,” he said. “We’ve seen real-world examples where low- and medium-severity vulnerabilities are used in sophisticated attacks that leverage more than one vulnerability.”
He cautioned organizations that focus only on the highest severity vulnerabilities that they are putting themselves at greater risk.
AppSec Best Practices
Mike Parkin, senior technical engineer at Vulcan Cyber, said the basic first step to address the issue includes ensuring development projects are done with application security best practices in mind from the start.
“Libraries and frameworks, open source or otherwise, need to be vetted and their sources verified and patches kept up-to-date across the board,” he says. “The issue isn’t unique to OSS projects or libraries but can affect any un-remediated vulnerability provided an exploit is available.”
The reality is that just because a vulnerability exists doesn’t mean threat actors have managed to weaponize or even exploit it, he pointed out.
Parkin added that there have been several recent incidents involving repositories and source hubs being used by threat actors to compromise the software development supply chain.
“Most of these attacks were easily mitigated and remediated, but it highlighted other potential issues,” he said. “Fortunately, there are already steps being taken to reduce the risk. It seems likely we’ll see more contamination by threat actors until security improvements drive them toward other more convenient attack vectors.”
Martin added that threat actors are continuously innovating and evolving their craft—seemingly at a faster pace than the good guys.
“Even as security teams get a handle on one type of attack or technique, a new one comes along,” he said. “Take malicious package attacks as an example. We saw a steady quarterly increase in the use of malicious packages. We expect to see this type of attack more frequently in the next year and expect it will grow in sophistication.”