Vulnerabilities sprawl out: What your app sec team needs to know

Last year, four groups of researchers began exploring whether modern processors do enough to prevent computer users from accessing data that should be protected and isolated. The vulnerabilities identified by the researchers—now known as Meltdown and Spectre—allow an attacker to gather sensitive data, such as usernames and passwords, from the operating system and otherwise protected applications.

Finding such fundamental flaws in the designs of well-known processors is a rare event. However, the trend of looking for software flaws in the more obscure parts of operating system and software components is becoming more common.

Vulnerability researchers are looking deeper into the software stack than ever before—a trend that will, by necessity, force defenders to do the same, said Alexander Hoole, manager of software security research for software services firm Micro Focus.

"Your attack surface area is not necessarily bigger, but the volume of vulnerabilities behind your attack surface area is much larger than you think. Not only do you have to worry about the code you write, but the components that your code relies on that someone else wrote."
—Alexander Hoole

The lesson: As a developer or application security specialist you need to look deeper and wider than in the past. Here's how.


Beneath the attack surface

The number of flaws found in 2017 skyrocketed 127% to more than 14,600, up from 6,447 vulnerabilities in 2016, Micro Focus reported recently in its Application Security Research Update 2018 report. Worse for defenders, however, the number of products affected increased by 94%. While legacy products account for a great deal of the increase, many products are gaining scrutiny for the first time.


Hackers and vulnerability researchers are often among the early adopters of many technologies. And as they look into the issues, they are revealing a lot more vulnerabilities than people knew about in prior years. When name-brand Internet-of-Things (IoT) companies sell 100,000 thermostats, for example, some buyers are likely looking at the software, said Derek Weeks, vice president and DevOps advocate for Sonatype.

"You look at these components going into any sort of products, web-based applications, IoT-based applications, or chip-based applications, and it's clear that there are now more vulnerabilities being baked into these applications."
—Derek Weeks

Understand these three major factors

The increasing exposure of devices and software components that had been relatively obscure is one of three factors that are leading to more vulnerabilities being found in a wider variety of software.

A second issue is that new or obscure software has likely not been vetted for security problems as thoroughly as mainstream, popular software and open-source components, said Josh Corman, chief security officer for PTC, a technology maker focused on manufacturing. Third, more software is exposed because everything is now being connected to the Internet.

"All software has flaws, and software is connectable. If you connect it, you run the risk of being exploited."
—Josh Corman

These three factors are leading to vulnerabilities being found in a wider variety of software, increasing the breadth of the vulnerability landscape.

The search for weak links goes deeper

Attackers are looking deeper into software as well. In their search for vulnerabilities in significant and widespread software, attackers are increasingly looking at the building blocks used by developers to create applications. Open-source components, libraries, and frameworks may be more secure than closed-source software, but finding a vulnerability in a widely used library can have far-reaching consequences, Corman said.

"It is not that open source is less secure than closed source. It is that an attack on bespoke custom code gets you only one target, but an attack on open source gets you many, many targets."
—Josh Corman

Developers use open-source frameworks as an essential part of writing software. Sonatype estimates that some 80% to 90% of the average application comes from open-source components and not custom code.

Many developers, however, are not prepared to deal with the security consequences of using vulnerable code. In a yet-to-be-published survey of about 2,000 people on development teams, Sonatype found that 35% did not receive any application-security training from their companies.

"If you are a development [team] and one-third of you have received no [security] training, that's a huge problem. There is no doubt that you are producing code that has vulnerabilities in it."
—Derek Weeks

The great unknowns

In the past, application security didn't receive much attention. That is changing. However, companies are still not searching for vulnerabilities at the breadth and depth that they need, said Micro Focus' Hoole.

These "unknown unknowns" are accounting for a greater proportion of issues, he said.

"We have to start looking not only at the code you write, but the code you are dependent upon, looking at the system stack in its entirety, looking at the devices you attach to your solution, and even looking at your chips."
—Alexander Hoole

The pressure to do so is also increasing, said Weeks. The software driving the IoT, for example, is now getting national attention. At the end of last summer, Congress proposed the Internet of Things Cybersecurity Improvement Act of 2017, which would require companies to secure the software of IoT devices sold to the US government.

While the legislation is not yet law, the mere fact that software vulnerabilities have become a national issue should be a warning to developers, Weeks said. "Anything that gets introduced on a congressional level or is proposed legislation certainly is gaining national attention and is no longer a niche idea," he said.
