Rising Vulnerability Counts Highlight AppSec Woes

by Josh Biggs in Tech on 3rd April 2022

2021 wasn’t a good year for cyber security in many ways. Several thousand ways, to be precise. The twelve-month period set a new record for software vulnerabilities, with 28,695 disclosed over the course of the year. That is up considerably from the not-exactly-tiny 23,269 disclosed in 2020.

These vulnerabilities exposed software to attack by bad actors and could be used for everything from remote code execution to data exfiltration. For those relying on the flawed code, not just individual users but also large organizations, the effects could be devastating. It’s a timely reminder of why the right application security measures are not a “nice to have” but a “must have” in the current cyber security environment.

The difference between a vulnerability and a bug

As humans, we’re told that showing vulnerability is a good thing. For a piece of software, it most certainly isn’t. A vulnerability, for those unfamiliar with the term, is a weakness in software, usually a bug but sometimes a design flaw or an insecure default, that bad actors such as cyber attackers can exploit to cause harm.

A regular software bug may be a nuisance, such as an interface element that behaves unpredictably or even causes an application to crash when a certain sequence of events is followed. A vulnerability goes further: the fault can be deliberately triggered by someone who wants to inflict damage. Picture it like the difference between a bathroom door not closing properly in your house (an irritation) and your front door not closing (a potentially massive vulnerability).

Vulnerability management is a complex operation. As mentioned, thousands of new vulnerabilities are discovered every year. Virtually every piece of software released has bugs and, while not all of them rise to the level of vulnerabilities, a percentage do. That means the pool of software in which vulnerabilities can be discovered is constantly replenished, and cyber attackers are ever more incentivized to find these weaknesses because of the damage they can cause.

How vulnerabilities spread

In many cases, vulnerabilities enter software through the use of third party code. In the same way that we might rely on ready made components (a door, a window frame, etc.) when building a house, so too do software developers use chunks of publicly available code to speed up the development process. This third party code is frequently of extremely high quality. Unfortunately, it can also contain vulnerabilities, which are then baked into every piece of software that bundles it, often without the developers of that software ever having looked at the offending code. A single flaw in a widely used library is therefore inherited by every application that depends on it, directly or through a chain of other dependencies. These are known as supply chain vulnerabilities.

Typically, software vendors, especially large, conscientious ones, patch vulnerabilities promptly and release the fixes to the public. Thanks to over-the-air updates, fixes can be rapidly deployed to customers. However, that’s not necessarily the end of the problem. For these fixes to be effective, organizations must download and install them. When they are dealing with multiple patches for multiple pieces of software, prioritizing that work can prove to be a challenge. It requires that organizations keep up to date with the state of current vulnerabilities, know which ones are actually present in their own software and particularly damaging, and, where a restart or downtime is needed, be able to take the affected system offline long enough to apply the correction. For already overworked IT teams, this is almost a full-time job in its own right.
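To make the two problems above concrete, the inventory check and the prioritization, here is a small worked example. It is added here and is not code from the original article or from any vendor: a constructed dependency inventory is matched against a constructed list of advisories (the package names, versions, scores and "EX-" identifiers are invented for illustration, not real packages or CVEs), and the hits are ranked so that the patch work is done in a sensible order.

```python
"""
Match an application's third-party dependencies against advisories and rank
the resulting patch work. Added example, not code from the article; the
inventory and advisories are constructed and are not real packages or CVEs.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '1.2.10' into (1, 2, 10) so comparisons are numeric.
    Plain string comparison would wrongly rank '1.2.9' above '1.2.10'."""
    return tuple(int(part) for part in text.strip().split("."))


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str          # first affected version (inclusive)
    fixed: Optional[str]     # first fixed version (exclusive); None = no fix yet
    cvss: float              # base severity score
    exploited: bool          # attacks observed in the wild (constructed flag)
    advisory_id: str         # constructed identifier, not a CVE


def is_affected(installed: str, adv: Advisory) -> bool:
    """Installed version lies in [introduced, fixed) -> affected.
    An advisory with no fix affects everything from 'introduced' onward."""
    v = parse_version(installed)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is None:
        return True
    return v < parse_version(adv.fixed)


def find_affected(inventory: Dict[str, str],
                  advisories: List[Advisory]) -> List[Tuple[str, str, Advisory]]:
    """Return (package, installed version, advisory) for every advisory that
    applies to a package we actually ship."""
    hits = []
    for adv in advisories:
        installed = inventory.get(adv.package)
        if installed is not None and is_affected(installed, adv):
            hits.append((adv.package, installed, adv))
    return hits


def prioritize(hits):
    """Order the patch work: exploited-in-the-wild first, then by severity,
    then fixable items before unfixed ones (a fixable item is actionable
    today; an unfixed one is where a virtual patch has to buy time)."""
    return sorted(hits, key=lambda h: (not h[2].exploited, -h[2].cvss, h[2].fixed is None))


# Constructed sample data: the application's dependency inventory...
INVENTORY = {
    "webframework": "2.4.1",
    "imagelib": "1.2.10",
    "jsonparser": "3.0.0",
    "templating": "0.9.5",
}
# ...and the advisory feed it is checked against.
ADVISORIES = [
    Advisory("imagelib", "1.0.0", "1.2.12", 9.8, True, "EX-0001"),
    Advisory("webframework", "2.0.0", "2.4.0", 7.5, False, "EX-0002"),  # fixed in 2.4.0
    Advisory("jsonparser", "3.0.0", None, 6.5, False, "EX-0003"),       # no fix yet
    Advisory("templating", "0.9.0", "0.9.6", 8.1, False, "EX-0004"),
]


def patch_plan(inventory=INVENTORY, advisories=ADVISORIES):
    """Ranked list of (package, installed, advisory id, fixed version)."""
    return [(pkg, installed, adv.advisory_id, adv.fixed)
            for pkg, installed, adv in prioritize(find_affected(inventory, advisories))]


if __name__ == "__main__":
    for pkg, installed, adv_id, fixed in patch_plan():
        action = f"upgrade to {fixed}" if fixed else "no fix yet: mitigate"
        print(f"{adv_id}: {pkg} {installed} -> {action}")
```

Note that `webframework` 2.4.1 is not flagged: the installed version is already past the fix, which is exactly the distinction a team needs in order not to waste time on advisories that do not apply to it. The unfixed `jsonparser` item is the case the next section is about.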

Virtual patching

To help with this task, virtual patching can be a major game-changer. Virtual patching uses tools such as a WAF (Web Application Firewall), WAAP (Web Application and API Protection) or RASP (Runtime Application Self-Protection) to enforce a set of rules that recognize and block the malicious requests that would trigger a known vulnerability, before they ever reach the vulnerable code. Unlike regular software patching, virtual patching doesn’t correct the code within the application. What it does is erect an additional layer of rules that acts as a safeguard around the unchanged code. That also defines its limits: a rule matches attack traffic rather than fixing the root cause, so an encoding or variant the rule didn’t anticipate can bypass it, and a rule written too broadly can block legitimate requests. It is a compensating control that buys time until the real fix is applied.
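The following worked example shows what a virtual patch looks like in practice. It is added here and is not code from the article or from any WAF or RASP product: a constructed, deliberately vulnerable download handler that builds a file path from user input is left untouched, and a rule placed in front of it blocks path traversal attempts. The `DOCROOT` path, the request shape and the sample requests are all assumptions made for the example. It also shows the caveat mentioned above: a naive rule that only looks for a literal `..` in the raw parameter is bypassed by percent-encoding, so the rule must normalize its input first.

```python
"""
A virtual patch placed in front of an unchanged, vulnerable request handler.
Added example, not code from the article or from any WAF product; the
handler, rules and requests are constructed for illustration.
"""
import posixpath
from typing import Callable, Dict, List, Optional
from urllib.parse import unquote

Request = Dict[str, str]          # e.g. {"path": "/download", "file": "report.pdf"}
Rule = Callable[[Request], Optional[str]]

DOCROOT = "/srv/app/public"       # assumed document root


def vulnerable_download(req: Request) -> str:
    """The 'before' code: joins user input onto DOCROOT without checking
    that the result stays inside it. Returns the path it would open."""
    return posixpath.join(DOCROOT, req.get("file", ""))


def naive_rule(req: Request) -> Optional[str]:
    """A rule that inspects only the raw parameter. '%2e%2e' walks past it."""
    if ".." in req.get("file", ""):
        return "literal '..' in file parameter"
    return None


def normalize(value: str) -> str:
    """Decode until stable so %2e%2e and %252e%252e both collapse to '..',
    and treat backslashes as separators, before any pattern is applied."""
    previous = None
    while previous != value:
        previous, value = value, unquote(value)
    return value.replace("\\", "/")


def traversal_rule(req: Request) -> Optional[str]:
    """Virtual-patch rule: block any 'file' value that, once normalized,
    resolves outside DOCROOT. Returns a block reason or None to allow."""
    candidate = normalize(req.get("file", ""))
    resolved = posixpath.normpath(posixpath.join(DOCROOT, candidate))
    if candidate.startswith("/") or not resolved.startswith(DOCROOT + "/"):
        return "path traversal: " + candidate
    return None


def virtual_patch(handler: Callable[[Request], str],
                  rules: List[Rule]) -> Callable[[Request], str]:
    """Wrap the handler in the rule set. The handler's own code is untouched,
    which is the defining property (and limitation) of a virtual patch."""
    def guarded(req: Request) -> str:
        for rule in rules:
            reason = rule(req)
            if reason:
                return "403 blocked (" + reason + ")"
        return handler(req)
    return guarded


protected_download = virtual_patch(vulnerable_download, [traversal_rule])

if __name__ == "__main__":
    # Constructed sample requests: one legitimate, the rest traversal attempts
    # in plain, percent-encoded and double-encoded form.
    for name in ["report.pdf", "../../etc/passwd",
                 "%2e%2e/%2e%2e/etc/passwd", "%252e%252e/etc/passwd", "/etc/passwd"]:
        req = {"path": "/download", "file": name}
        print(f"{name!r:32} naive: {naive_rule(req) or 'allow':30} "
              f"patched: {protected_download(req)}")
```

The rule is useful precisely because it can be deployed without rebuilding the application, but it only recognizes the attack shape it was written for. The real fix is for the handler itself to resolve the path and refuse anything outside its directory, at which point the rule becomes redundant rather than load-bearing.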

Cybersecurity teams must still install the real patches and follow the other best practices. Nonetheless, virtual patching is a valuable addition to the arsenal of tools available to protect against attacks, particularly for the gap between a vulnerability being disclosed and the fix being rolled out.

Still a problem

Software vulnerabilities are going to continue to be a problem. Despite innovations such as AI-based code-checking tools, it’s unrealistic to think that all code can be made bug-free any time soon. Where there are bugs, there will be attackers looking for the ones that can be exploited.

The best you can do is use the tools available to you to reduce the risk in this area. Doing so is among the smartest investments you can make, and virtual patching is a good place to start.