Want a 75 percent chance of breaking your app? Install a security patch
New research from Endor Labs finds that applying a security patch has a 75 percent chance of breaking an application.
It also shows that 69 percent of vulnerability advisories are published after a patch has been released, with a median delay of 25 days between public patch availability and advisory publication, increasing the window of opportunity for attackers to exploit vulnerable systems.
For a vulnerability in an open source library to be exploitable, there must be, at minimum, a call path from the application to the vulnerable function in that library. The report finds this to be true in fewer than 9.5 percent of all vulnerabilities in the seven languages explored -- Java, Python, Rust, Go, C#, .NET, Kotlin, and Scala. Limiting remediation to those reachable vulnerabilities can therefore cut the number of remediation activities needed, and their cost, by over 90 percent.
Across the six development ecosystems explored, 47 percent of advisories in public vulnerability databases contain no code-level vulnerability information at all; 51 percent contain one or more references to fix commits, and only two percent identify the affected functions. This is a serious drawback because program analysis techniques need code-level information about a vulnerability, such as the names of the affected functions or the fix commits that the open source project's maintainers developed to address it. Without such information, it is effectively impossible to establish whether a known-vulnerable function can be executed in the context of a downstream application.
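The two preceding paragraphs describe the core of reachability-based prioritization: build a call graph from the application into its dependencies and ask whether any path leads to the function an advisory names. The following Python example, written for this article and not taken from Endor Labs' report or tooling, shows that check on constructed sources. It assumes a hypothetical library `lib` with an advisory-listed function `lib.unsafe_unpickle` and two variants of an application `app`, one that reaches the function through a call chain and one that uses the library without ever reaching it. It also makes the second paragraph's point concrete: the analysis cannot run unless the advisory supplies the affected function name as input.

```python
import ast
from collections import deque

# Constructed sample sources (not real packages). The library exposes one
# function that we assume an advisory has flagged as vulnerable.
LIBRARY_SRC = '''
def parse_header(raw):
    return raw.split(":")

def unsafe_unpickle(blob):
    import pickle
    return pickle.loads(blob)   # the advisory-listed sink

def load_config(path):
    with open(path, "rb") as f:
        return unsafe_unpickle(f.read())
'''

# Variant 1: the app calls load_config, which calls the vulnerable function.
APP_SRC_REACHABLE = '''
import lib

def handle_request(req):
    hdr = lib.parse_header(req)
    cfg = lib.load_config("app.cfg")
    return hdr, cfg

def main():
    handle_request("a:b")
'''

# Variant 2: same dependency, but only parse_header is ever called.
APP_SRC_UNREACHABLE = '''
import lib

def handle_request(req):
    return lib.parse_header(req)

def main():
    handle_request("a:b")
'''

VULNERABLE_FUNCTION = "lib.unsafe_unpickle"   # assumed to come from the advisory


def _resolve(func, mod_name, aliases, defined):
    """Map a call target AST node to a qualified 'module.function' name, or None."""
    if isinstance(func, ast.Name):
        if func.id in aliases:
            return aliases[func.id]
        if func.id in defined:
            return f"{mod_name}.{func.id}"
        return None                     # builtin or unknown: not tracked
    if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name):
        base = aliases.get(func.value.id)
        if base:
            return f"{base}.{func.attr}"
    return None                         # dynamic dispatch, method calls, etc.


def build_call_graph(modules):
    """modules: {module_name: source}. Returns {caller: set(callees)} over qualified names."""
    graph = {}
    for mod_name, src in modules.items():
        tree = ast.parse(src)
        aliases = {}                    # local name -> fully qualified target
        for node in ast.walk(tree):
            if isinstance(node, ast.Import):
                for a in node.names:
                    aliases[a.asname or a.name] = a.name
            elif isinstance(node, ast.ImportFrom) and node.module:
                for a in node.names:
                    aliases[a.asname or a.name] = f"{node.module}.{a.name}"
        defined = {n.name for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)}
        for fn in ast.walk(tree):
            if not isinstance(fn, ast.FunctionDef):
                continue
            callees = graph.setdefault(f"{mod_name}.{fn.name}", set())
            for node in ast.walk(fn):
                if isinstance(node, ast.Call):
                    target = _resolve(node.func, mod_name, aliases, defined)
                    if target:
                        callees.add(target)
    return graph


def find_path(graph, entry, target):
    """BFS over the call graph; return the call path entry -> ... -> target, or None."""
    prev = {entry: None}
    queue = deque([entry])
    while queue:
        cur = queue.popleft()
        if cur == target:
            path = []
            while cur is not None:
                path.append(cur)
                cur = prev[cur]
            return path[::-1]
        for nxt in sorted(graph.get(cur, ())):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    return None


def vulnerable_path(app_src, entry="app.main", sink=VULNERABLE_FUNCTION):
    """Return the call path from the app entry point to the advisory's function, or None."""
    graph = build_call_graph({"lib": LIBRARY_SRC, "app": app_src})
    return find_path(graph, entry, sink)


if __name__ == "__main__":
    print("reachable:  ", vulnerable_path(APP_SRC_REACHABLE))
    print("unreachable:", vulnerable_path(APP_SRC_UNREACHABLE))
```

The resolver deliberately returns `None` for anything it cannot name statically (method calls on objects, `getattr`, callbacks), so "no path found" means "no path this analysis can see", not a proof of safety; a production tool has to account for those blind spots before an unreachable finding is used to defer a patch. The other dependency is visible in `VULNERABLE_FUNCTION`: if the advisory names only a package and version, there is no sink to search for, which is exactly the gap the report quantifies.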
Darren Meyer, staff research engineer at Endor Labs, says, "A lot of organizations are struggling with managing dependency risks. They're drowning in vulnerability alerts, many of which don't represent relevant risk; researching the alerts is expensive for security teams (and software teams), and trying to fix everything is even more expensive. Endor Labs research shows that analysis-based vulnerability prioritization has become a critical capability because of this, and highlights other trends and challenges related to dependency management."
You can find out more and get the full report on the Endor blog. There will also be a webinar to discuss the findings on September 24 at 12pm ET.
Image credit: WrightStudio/depositphotos