The security and software industries learned some hard lessons in 2021.
Software providers dealt with the most reported vulnerabilities in three decades, with more than 20,100 issues documented in the National Vulnerability Database managed by the National Institute of Standards and Technology (NIST). This compared to about 18,350 reported in 2020.
In addition, some major issues—such as the vulnerabilities found in the Java logging component log4j—caused widespread chaos. Open-source projects and commercial products alike struggled to determine the risk posed by the component that is so commonly included in a variety of applications and other libraries.
For companies, managing such a massive number of issues has become a significant exercise in triage, but one that is manageable if the business learns the lessons of 2021, said Inga Goddijn, executive vice president at Risk Based Security, a vulnerability management firm.
"Given the flood of vulnerabilities that continue to be reported, there is no way around the need to get ahead of scanning and alerts," she said. Your shop really needs to "associate newly reported vulnerabilities to assets in your environment and patch the most critical assets for the vulnerabilities most likely to impact them. There is just no two ways around it anymore."
Better reporting does not mean more flaws
The increase in the absolute number of annually reported security issues is less a measure of increasing vulnerabilities than it is a measure of increased reporting, experts agree. And the rise will likely continue with the Biden administration's recent efforts to focus on securing critical open-source components and tracking issues through the software supply chain.
The expansion in the number of reported vulnerabilities means that companies that do not adapt how they handle vulnerabilities will be left behind, said Michael Angelo, chief security architect at CyberRes, a Micro Focus company focused on cyber resilience.
"There really is not a massive influx of vulnerabilities. We have already had these issues, but what has changed is that we have become more aware of them," he said. As for the Biden administration's requirement of a software bill of materials (SBOM), "that executive order shines a light on the third-party components," he said.
Here are three lessons from the struggles in 2021 to keep up with greater reporting of vulnerabilities.
1. Know your assets, and know their controls
Tracking, triaging, and mitigating 20,000 vulnerabilities is an impossible task for nearly any company. While only about one-fifth to one-third of those vulnerabilities are observed in enterprise environments—about 4,000 vulnerabilities in 2021—companies typically remediate only about 15%, according to data from Kenna Security, a part of Cisco, and the Cyentia Institute.
Limiting risk to the company by having appropriate controls is key to reducing the workload. In its own analysis, Risk Based Security noted that, of the 20,000 vulnerabilities, only about 4,100 had the magic trio of characteristics: being remotely exploitable, having a public exploit, and being solvable through a workaround or patch.
The last attribute determines whether a company can mitigate the issue or has to rely on compensating controls to limit risk to specific assets, said Risk Based Security's Goddijn. Compensating controls are alternatives that organizations can use resolve a security issue without necessarily having to take every single step needed.
"You can have a critical vulnerability, but if you have a lot of compensating controls, it may not increase your risk," she said. So you have to understand how critical the asset is to your organization and "understand how a vulnerability could potentially affect your environment."
2. Focus on vulnerabilities that have exploits
While the Common Vulnerability Scoring System (CVSS) gives some good data on the potential criticality of a software vulnerability, in practice, the resulting scores have had little correlation to the actual exploitation of vulnerabilities. Research by Kenna Security and Cyentia Institute has established that the best way to prioritize patching is to fix the vulnerabilities that eventually get exploited.
When researchers release exploit code to ostensibly prove exploitability and speed up the vendor's response to the vulnerability, they are helping not defenders, but attackers, said Jay Jacobs, co-founder and chief data scientist at Cyentia.
"When the good guys publish these exploits to help out, we find that generally it does not," he said. "It is causing more harm than any sort of benefit we are seeing from convincing vendors to produce patches. It is an old debate, but we are bringing data to it now."
In February, Cyentia and Kenna worked with the Forum of Incident Response and Security Teams (FIRST) to update the Exploit Prediction Scoring System (EPSS), which the companies claim is a much more efficient model of predicting exploits than either the first version of the system or of the latest version of CVSS.
The EPSS model produces a probability score of between 0% and 100%. The higher the score, the greater the probability that a vulnerability will be exploited. EPSS scores are produced "for all CVEs in a published state," the group said.
3. Capacity is less important than prioritization
Compared to fixing every vulnerability, fixing only those issues that are most likely to be exploited in the future dramatically reduces the workload for IT teams. Then it boils down to capacity, or the ability that companies have to fix vulnerabilities. Capacity relies a lot on vendors and automation, said Ed Bellis, chief technology officer and co-founder at Kenna Security.
"The auto-update feature is automation and is probably the most effective way that we have seen to increase capacity and fix vulnerabilities at velocity," he said. "Microsoft has gotten pretty good at that, and not a lot of other vendors are doing as well."
Increasing capacity relies on efficient automation on the patch management side when vendors do not provide their own solution. Yet companies should make sure to focus on prioritization first to reduce risk.
Kenna Security found that even low-capacity patch-management programs reduced the risk of exploitation far more than high-capacity firms pursuing the wrong prioritization strategies.
Take one bite at a time
The steady increase in vulnerabilities is unlikely to subside anytime soon. More companies are taking part in the disclosure process as a CVE numbering authority (CNA). And federal regulations that require agencies and contractors to know the sources of software in their applications and to remediate vulnerabilities will only increase the pressure on companies.
"We have always had these vulnerabilities in our software products, but what has happened is that everyone has become more aware of them," said CyberRes's Angelo. The Biden executive order shines a light on third-party components, "and companies are looking at their vendors and asking, 'When are you going to fix this vulnerability?' " he added.
The demands will put pressure on the entire software supply chain, from open-source projects to software firms to the enterprise customers. Everyone needs to learn from the struggles of 2021.
Keep learning
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed fast on the state of app sec testing with TechBeacon's Guide. Plus: Get Gartner's 2021 Magic Quadrant for AST.
Get a handle on the app sec tools landscape with TechBeacon's Guide to Application Security Tools 2021.
Download the free The Forrester Wave for Static Application Security Testing. Plus: Learn how a SAST-DAST combo can boost your security in this Webinar.
Understand the five reasons why API security needs access management.
Learn how to build an app sec strategy for the next decade, and spend a day in the life of an application security developer.
Build a modern app sec foundation with TechBeacon's Guide.
