Developers need to think like hackers to prioritize fixes
As technology continues to evolve, software development teams are bombarded with security alerts at an increasing rate, making it almost impossible to address every potential vulnerability.
New research from WhiteSource, an open source security and license compliance management specialist, and CYR3CON, which predicts cybersecurity attacks based on AI-gathered intelligence looks at how development teams prioritize fixing vulnerabilities and compares this to discussions in hacker communities.
"As development teams face an ever-rising number of disclosed vulnerabilities, it becomes impossible to fix everything and it's imperative that teams focus on addressing the most urgent issues first," says Rami Sass, CEO and co-founder of WhiteSource. "Our research can help organizations adopt a solid prioritization method, and ensure they look beyond just the most accessible data to the data that can best help them fix the security vulnerabilities that could cause the greatest impact, and in turn save them valuable time."
The study finds that software development teams tend to prioritize based on available data such as vulnerability severity score (CVSS), ease of remediation, and publication date, but hackers don't target vulnerabilities based on these parameters.
Instead hackers are drawn to specific vulnerability types (Common Weakness Enumerations, CWEs), including CWE-20 (Input Validation), CWE-125 (Out-of-bound Read), CWE-79 (XSS), and CWE-200 (Information Leak/Disclosure).
Also while enterprises tend to prioritize 'fresh' vulnerabilities, hackers are often discussing vulnerabilities for over six months following exploitation, with even older vulnerabilities re-emerging in hacker community discussions as they reappear in new exploits or malware.
"All too often companies unknowingly accept risk by using out-dated methods of vulnerability prioritization - and this report sheds light on the shortcomings of those approaches. Combining threat intelligence and machine learning overcomes those shortcomings, highlighting previously unidentified risks in the process," says Paulo Shakarian, CEO and co-founder of CYR3CON. "Our CyRating score, which originates from our own peer-reviewed scientific research, was designed to scale the process of analyzing vulnerabilities and rapidly shed light on the hackers' perspective of what they will exploit. Many top-tier teams today use CYR3CON to provide the knowledge they need to conduct this analysis in a manner that scales."
You can read more on the WhiteSource site.