A report published today by application security testing tool provider GrammaTech in collaboration with Osterman Research suggests just about every software supply chain is rife with vulnerabilities.
An analysis of commercial off-the-shelf (COTS) applications found that 100% of them have security vulnerabilities, with 85% of those applications having at least one critical vulnerability. The COTS applications that were analyzed included open source components to varying degrees.
On average, nearly a third (30%) of all open source components contained at least one vulnerability or security flaw that has been assigned a Common Vulnerabilities and Exposures (CVE) identifier. All but three of the applications in the study included at least one critical vulnerability rated 10.0, the highest possible score under the Common Vulnerability Scoring System (CVSS).
Vince Arneja, chief product officer for GrammaTech, said there is no commercial application that doesn't incorporate some open source code. The challenge is that most of the teams that maintain open source code lack the skills and tools required to continuously scan each contribution to a project for vulnerabilities. As a result, it's incumbent on the developers reusing open source code to scan that code for vulnerabilities rather than simply assuming it's secure, added Arneja.
At the same time, cybersecurity teams should also review every application deployed in a production environment, added Arneja. Trust that commercial application vendors have addressed vulnerabilities is often misplaced, noted Arneja.
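The check Arneja describes, matching the components an application ships against known vulnerability records and then ranking what matches by CVSS so the critical ones are fixed first, is what a software composition analysis tool does at its core. The script below is an added illustration of that logic, not code from the GrammaTech report or from any GrammaTech product. The component inventory and the advisory records in it are constructed for the example, the "VULN-EXAMPLE-" identifiers are placeholders rather than real CVE IDs, and the version ranges and scores do not describe real releases of OpenSSL or libav.

```python
"""Match a component inventory against vulnerability records and rank by CVSS.

Added example (not from the GrammaTech/Osterman report). All data below is
constructed: the identifiers are placeholders, not real CVE IDs, and the
affected ranges do not describe real OpenSSL or libav releases.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    vuln_id: str
    component: str
    affected_from: str  # inclusive lower bound of affected versions
    fixed_in: str       # exclusive upper bound; "" means no fix has been released
    cvss: float         # CVSS base score, 0.0 to 10.0


def version_key(version):
    """Turn '1.0.2k' into a sortable tuple so 1.0.2 < 1.0.2a < 1.0.2k < 1.0.10.

    Numeric fragments compare as integers (so 1.0.10 > 1.0.9), alphabetic
    fragments as lowercase strings. Pre-release tags such as '-rc1' would sort
    above the final release here; a production scanner needs scheme-aware
    comparison (semver, PEP 440, distro epochs) rather than this heuristic.
    """
    return tuple(
        (0, int(tok)) if tok.isdigit() else (1, tok.lower())
        for tok in re.findall(r"\d+|[A-Za-z]+", version)
    )


def is_affected(component, advisory):
    """True if the component's version falls inside the advisory's affected range."""
    if component.name.lower() != advisory.component.lower():
        return False
    v = version_key(component.version)
    if v < version_key(advisory.affected_from):
        return False
    if advisory.fixed_in and v >= version_key(advisory.fixed_in):
        return False
    return True


def scan(inventory, advisories):
    """Return (component, advisory) pairs, highest CVSS first."""
    findings = [(c, a) for c in inventory for a in advisories if is_affected(c, a)]
    findings.sort(key=lambda f: (-f[1].cvss, f[0].name, f[1].vuln_id))
    return findings


def critical_findings(findings, threshold=9.0):
    """CVSS v3 rates 9.0 to 10.0 as critical; these are the ones to fix first."""
    return [f for f in findings if f[1].cvss >= threshold]


# Constructed sample inventory, e.g. what an SBOM for one application might list.
SAMPLE_INVENTORY = [
    Component("openssl", "1.0.2k"),
    Component("libav", "12.3"),
    Component("libexample", "2.4.0"),
]

# Constructed advisory feed. The last two entries show why "newer is safer" is
# not a safe assumption: 2.4.0 fixed one flaw and introduced another.
SAMPLE_ADVISORIES = [
    Advisory("VULN-EXAMPLE-0001", "openssl", "1.0.2", "1.0.2t", 9.8),
    Advisory("VULN-EXAMPLE-0002", "openssl", "1.1.0", "1.1.1", 7.5),
    Advisory("VULN-EXAMPLE-0003", "libav", "0", "", 10.0),
    Advisory("VULN-EXAMPLE-0004", "libexample", "2.0.0", "2.4.0", 5.3),
    Advisory("VULN-EXAMPLE-0005", "libexample", "2.4.0", "2.5.0", 6.1),
]


if __name__ == "__main__":
    results = scan(SAMPLE_INVENTORY, SAMPLE_ADVISORIES)
    for comp, adv in results:
        fix = f"upgrade to >= {adv.fixed_in}" if adv.fixed_in else "no fix released"
        print(f"{adv.cvss:4.1f}  {adv.vuln_id}  {comp.name} {comp.version}  ({fix})")
    print(f"{len(critical_findings(results))} critical of {len(results)} findings")
```

Two things in the sample are worth noticing. The OpenSSL entry with no matching range and the libexample 2.0.0 to 2.4.0 entry both drop out because the inventory version sits at or above the fix, which is the comparison a scanner must get right to avoid drowning teams in false positives. The libav entry has no `fixed_in`, so it stays in the list at CVSS 10.0 with "no fix released"; that is the case where scanning alone does not help and the team has to decide whether to replace the component, patch it locally, or mitigate around it.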
The report found that applications for online meetings and email clients have the highest average weighting of vulnerabilities, with 85% of the most popular browser, email, file sharing, online meeting and messaging products tested having at least one critical vulnerability with a CVSS score of 10.0.
Among the components identified across the applications analyzed, two versions of the Firefox open source component (embedded in other products, not the browser itself) accounted for 75.8% of all CVEs. In second place, 16 versions of OpenSSL had a combined 9.6% of the CVEs, and two versions of libav represented 8.3% of the CVEs.
The GrammaTech report also suggested there is no correlation between the age of a software version and the number of vulnerabilities it contains. The latest version of a component is not always more secure than the release(s) before it.
In the wake of a series of high-profile breaches, there has been more focus on software supply chains. Cybersecurity teams may not, however, be aware of just how many vulnerabilities there are in their IT environments. Most developers are not especially well-versed in security best practices. As a result, the number of vulnerabilities that might exist in both commercial and custom applications could take years to remediate.
More troubling still, the rate at which new applications are being deployed and updated doesn't appear to be slowing. Despite a number of highly publicized software supply chain breaches, Arneja noted that most businesses are too dependent on software for engaging customers to slow the rate at which applications are developed and deployed. It will also take years for organizations to properly train developers to correctly employ security tools within their application development processes, otherwise known as DevSecOps best practices, to reduce the number of vulnerabilities that now routinely manifest themselves in production environments.
In the meantime, no one knows more about these vulnerabilities than the cybercriminals who exploit them. Organizations may not be able to remediate every vulnerability overnight, but at the very least, remediating the critical vulnerabilities found in 85% of applications clearly needs to be a much higher priority than it is today.