By Vincent Smyth
Today’s software supply chain is broken on both ends. From an enterprise perspective, the way we license and deliver software is extremely dysfunctional, while on the consumer side it’s often difficult to achieve the safest, most reliable, and cost-effective deployment of that software.
Nowhere is this dysfunction more apparent than in software vulnerabilities. The problem created by vulnerabilities is broader than most enterprises realize. Vulnerabilities—or errors—in software can work as an entry point for hackers and be exploited to gain access to IT systems, making them a root cause of security issues.
Without a way to solve the problems created by software vulnerabilities, businesses rightly fear exposing customers to online criminals. Indeed, the reputational damage and loss of trust resulting from these break-ins cuts far deeper than the cost of repairing the damage. According to PwC’s 2016 Global Economic Crime Survey, executives considered reputational damage the most devastating impact of a cyber breach, followed closely by legal, investment, and enforcement costs.
The cost is massive for enterprises when a hacker is successful in gaining entry. An organization’s first line of defense to minimize cybercriminal threats should be to shrink the attack surface by decreasing the number of vulnerabilities on its devices. Taking this preventative measure considerably lowers the likelihood that a hacker can do any real harm.
Vulnerability Review 2017
According to Vulnerability Review 2017, the annual report from Secunia Research at Flexera Software, which presents global data on the prevalence of vulnerabilities and the availability of patches, 17,147 vulnerabilities were recorded in 2,136 products from 246 vendors in 2016 alone.
These findings illustrate the challenge faced daily by security and IT operations teams trying to protect enterprises against security breaches without the necessary automation. For organizations to stay on top of their environments, IT teams must have complete visibility of the applications that are in use, and firm policies and procedures in place, in order to deal with the vulnerabilities as they are disclosed.
The good news is that patches continue to be available for the vast majority of vulnerabilities at the time they become public. In 2016, 81 percent of all vulnerabilities and 92.5 percent of applications in the Top 50 Software Portfolio that were impacted by vulnerabilities had patches for those vulnerabilities on the day of disclosure—all but pleading for the user to take action to fix it. In contrast, a retrospective view of the last five years shows that in 2011, only 65 percent of vulnerability patches were recorded. The most likely explanation for the continuously improving time-to-patch rate is that researchers are continuing to coordinate vulnerability reports with vendors and vulnerability programs, resulting in immediate availability of patches for the majority of cases.
Other findings in the Vulnerability Review 2017 confirm trends from previous years, at 22, the number of zero-day vulnerabilities was a bit lower than in 2015; the split between vulnerabilities in Microsoft and non-Microsoft products in the 50 most popular applications on private PCs is at 22.5 percent and 77.5 percent. 30 days after the vulnerability was first disclosed, only one additional percent has a patch, indicating that if a patch is not available on the first day, the vendor does not prioritize patching the vulnerability.
Additionally, with regard to browser security, data shows that there were 713 vulnerabilities in the five most popular browsers—Google Chrome, Mozilla Firefox, Internet Explorer, Opera and Safari—in 2016 compared to 983 in 2015, a year-on-year decrease of 27.5 percent. The majority of these vulnerabilities were rated as ‘Highly Critical’. With regard to PDF Readers—the top five being Adobe Reader, Foxit Reader, PDF-XChange Viewer, Sumatra PDF, and Nitro PDF Reader—the number of vulnerabilities has increased from 147 in 2015 to 289 in 2016.
Dysfunctional Software Supply Chain
However, even with an increase in available patches, there was a decrease in patch rates—a clear indicator that the software supply chain in indeed broken. This is yet another example of how the dysfunctional software supply chain continues to endanger enterprises. Organizations need to obtain proper alerts associated with the security of the applications they have installed.
Thankfully, there is an answer.
Software Vulnerability Management
Software Vulnerability Management helps enterprises combat these hackers head on, enabling companies to have access to accurate vulnerability alerts and patches as they are available, without relying on vendors’ alerts and notifications or proactively visiting all of their vendors’ sites to find patches. Software Vulnerability Management also helps organizations identify vulnerable applications and systems in their environments so they can be prioritized, and remediate the problem via integrated patch management.
The best thing about Software Vulnerability Management is that it is preventative. Most successful cyber attacks use known vulnerabilities to gain access or escalate privileges inside corporate IT infrastructures. Once hackers have successfully exploited a vulnerability, they have a base to roll out their attack, moving around systems, gathering information, and deploying malware—an umbrella term referring to a variety of hostile or intrusive software including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware, and other malicious programs, to steal or terminate business-critical information or cause disruption.
The 2014 Heartbleed vulnerability is a case in point. Three years ago, the Heartbleed vulnerability in the OpenSSL cryptographic library sent the software industry and companies around the world into a panic. Software developers didn’t know enough about the open source components used in their own products to understand whether their software was vulnerable—and customers using that software didn’t know either.
We simply can’t ignore that as software gets smarter, so do the criminals. Technology is only going to continue to advance, but as we have seen, innovation almost always comes with inherent risks. Enterprises need to be good corporate citizens and take reasonable precautions against vulnerabilities now, to help ensure their software does not become easy prey for criminals. SW
Vincent Smyth is SVP, EMEA, Flexera Software, responsible for driving increased revenue, market shar,e and customer satisfaction in the enterprise, government, ISV, and intelligent device marketplaces.
June2017, Software Magazine