This guest blog was contributed by Aviv Mussinger, CEO & co-founder of Kodem.
Lately, application security and development teams are having a hard time quickly and efficiently addressing real vulnerabilities in their software. In part, this is because the speed at which they can build applications has increased so much thanks to modern architectures, continuous delivery methods, and most importantly a wealth of open-source software available for use.
That open-source software can often come with vulnerabilities that need to be identified by AppSec teams and then sent over to be fixed by developers. Since developers are now expected to push out more software, and faster—that’s what all this modern architecture and the proliferation of off-the-shelf software packages promises, after all—they really can’t afford to be bogged down chasing vulnerabilities that aren’t actually relevant or distracted by security findings that have errors or duplicates.
In this new environment, development teams are finding the balance between speed and security by focusing on vulnerabilities that appear in runtime—those that happen while the software is executing. Those are the ones that pose the significant risk, and by tuning our focus accordingly, it turns out there’s a much smaller relevant attack surface on most applications than previously thought.
By viewing software vulnerabilities through this runtime lens, not only will the total number of vulnerabilities that need to be addressed shrink, but the limited time devs have in their cycles to address critical problems will be better spent, leading to high-quality products and a greater application understanding on the part of developers.
Here are five things that AppSec and dev teams can do to home in on the vulnerabilities that really need addressing in their software and keep app development from being delayed, without sacrificing security measures.
1. Carefully assess imported software packages
Know what software packages you're importing into your application, and what dependencies — direct and indirect—affect your environment in runtime. It’s not unusual for one out of every few open-source software packages to have some vulnerability inherent in it, but knowing which need to be addressed and which can be ignored, and the dependency structure of each package, is crucial to maintaining security posture.
2. Remove noise from SCA and CSPM alerts
AppSec teams’ reports on vulnerabilities can sometimes be rife with errors, duplicates, and false positives. Try to eliminate such noise from your SCA and CSPM alerts, so developers can focus on the real issues; if they get pulled away from their core focus, the software could suffer, and they need to have the bandwidth to deal with the vulnerabilities presenting real risk; since much of this is happening in the cloud, any unresolved issues could propagate easily.
3. Looking through a runtime lens, prioritize the right vulnerabilities
Prioritize vulnerabilities by looking at your software through a runtime lens: how the package is being used, whether it processes sensitive data, whether it’s internet-facing, and similar concerns. Doing so will expose the risk that really matters. Similarly, the most critical vulnerabilities should be addressed first, and the subset of vulnerabilities that are both critical and are exposed during runtime is significantly smaller than the broader set of all vulnerabilities. For some software packages, as low as 2% of runtime vulnerabilities are so severe they can be labeled critical; those are the first ones that need attention.
4. Lay out a roadmap and full context for dev teams
Context is king for remediation and AppSec teams should provide it to improve the developer experience. By offering complete, and accurate, context of the vulnerabilities addressed, developers can efficiently address what needs to be done in the right order. Labeling vulnerabilities found with their severity as well as if they occur in runtime will make it simple for developers to see what needs to be fixed, where, when, and how, and help them determine who on their team should handle it.
5. Streamline remediation processes and give images a look
Further streamlining the process of addressing software vulnerabilities is highly recommended. By aggregating vulnerabilities by source and ensuring that associated dependencies and base images are fixed, the development process should be able to close up gaps quickly. Images—self-contained, static representations of an application or software component, including its dependencies and configuration—are very common building blocks across different parts of an application, and so are especially important to have critical vulnerability-free. If they aren’t, that vulnerability could be replicated many times across the container environment. We’ve seen as many as two-thirds of images present runtime vulnerabilities, so particular attention on them is warranted.
By switching your mindset to focusing on vulnerabilities that appear in runtime, development cycles can continue rapidly without sacrificing security. Despite the changes we’ve seen in the software supply chain in recent years, the above tips should guide AppSec and development teams to more efficient and effective remediation when vulnerabilities are discovered.