Unexploitable Bugs Are Cybersecurity’s Biggest Headache
by Josh Biggs in Software, Tech on 17th October 2022

There is one issue facing every organization today: the sheer number of security vulnerabilities. The mounting pressure this places on trained professionals and newly hired analysts alike is formidable, with turnover rates and understaffing a symptom of the modern patching nightmare. Greatly contributing to the issue is the lack of contextual understanding within security alerts, forcing teams to waste valuable time on fixing flaws that may not even be exploitable in the first place. Intelligent patch prioritization now demands a next-gen Web Application Firewall (WAF), with many organizations facing a complete revamp of their security alert systems.
Security Vulnerabilities Are Out of Control
2021 saw the highest number of security vulnerabilities on record. This follows a particularly alarming trend: every year since 2015 has seen record-breaking quantities of software vulnerabilities. However, 2021 did break the trend in one novel way: the number of high-severity vulnerabilities actually fell slightly, from 4,381 in 2020 to 3,646. The bulk of 2021’s staggering total consists of medium- and low-severity vulnerabilities.
The ever-increasing scale of vulnerabilities is, in part, due to the spiraling size of tech stacks. As the pace of technology creation increases, higher quantities of vulnerabilities are simply to be expected. Many security analysts were surprised by these findings: 2021 was a year in which many organizations struggled with notoriously widespread problems such as Log4j. One factor behind the higher ratio of low-severity issues could be that these vulnerabilities are easier to find, and are therefore reported more often. High-severity issues sit on the other side of this bias: harder to find, and so reported less often.
Though more vulnerabilities are an expected consequence of growing tech stacks, there are fundamental changes in software development that pave the way for higher rates of software vulnerabilities. For instance, throughout the Covid-19 pandemic, many organizations rushed their applications into production. This is largely blamed on the sudden push to finish digital transformation initiatives and switch to remote work. This code, having been through fewer QA cycles – alongside a greater reliance on third-party and legacy components – is far more likely to reappear on the alert dashboards of security analysts.
How Non-Exploitable Bugs Are A Security Nightmare
Though industry-wide surveys lend a fascinating insight into the mounting pressure on cybersecurity personnel, focusing purely on the number of potential vulnerabilities is a statistical dead end. DevSec management around the globe has fallen into the same trap, and a growing number of analysts are now demanding change. Simply relying on a one-dimensional list of potential security flaws provides no answer to the question of whether these will affect your own organization’s daily operations. Cybersecurity is currently facing a crisis of scale: put simply, there are too many security alerts.
Some companies are facing systems that contain hundreds of thousands of vulnerabilities. On paper, this is a terrifying prospect. However, the reality could very well be that 85% of these are in fact not exploitable. Though a 15,000-strong backlog is still formidable, the gap between the two figures shows the weakness of relying purely on one-dimensional security data. The average amount of time it takes to manually address a single vulnerability is roughly 20 minutes. The toll taken by non-exploitable bugs is therefore deeply concerning. The pressure of working from home, alongside the sheer mental strain of staying up all night only to fix false alerts, is a major contributing factor to cybersecurity’s staffing difficulties.
In the face of an endless stream of vulnerabilities, the demand to patch unexploitable bugs is wasting time that security analysts simply don’t have. The issue, in essence, is one of visibility. Vulnerability lists – and the alerts generated from them – should take a company-first approach, with alerts carrying a contextual understanding of each organization’s own tech stack. If a vulnerable function is not running, it should not be treated with the same urgency as a live, soon-to-be-exploited flaw. The other side of this coin is so-called ‘shadow software’: code that exists within a system but is not detected by traditional vulnerability scanners, thanks to the way it is packaged.
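As an added illustration (not from the original article), the following Python sketch applies the "is the vulnerable function actually running?" test to constructed scanner findings: a critical finding in code never reached from the service's live entry points is deferred, while a medium finding on a reachable path is patched first. The call graph, symbol names and finding ids are all hypothetical.

```python
from collections import deque

# Constructed scanner findings: (finding_id, cvss_base, vulnerable_symbol).
# Symbol names and ids are hypothetical.
FINDINGS = [
    ("F-1", 9.8, "imgproc.decode_tiff"),   # critical on paper, but is it reachable?
    ("F-2", 7.5, "legacy_xml.parse_dtd"),
    ("F-3", 5.3, "http.parse_cookie"),
    ("F-4", 6.1, "report.render_pdf"),
    ("F-5", 7.8, "zlib.inflate"),
]

# Constructed static call graph (caller -> callees) for one service.
# Only handlers actually wired to routes count as entry points.
CALL_GRAPH = {
    "handler.upload": ["imgproc.decode_png", "storage.put"],
    "handler.login": ["http.parse_cookie", "auth.verify"],
    "imgproc.decode_png": ["zlib.inflate"],
    "legacy_xml.parse": ["legacy_xml.parse_dtd"],  # no handler ever calls this
    "report.render_pdf": ["fonts.load"],           # dead code path
}
ENTRY_POINTS = ["handler.upload", "handler.login"]

def reachable_symbols(graph, entry_points):
    """Breadth-first walk from the live entry points; unvisited symbols never run."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        node = queue.popleft()
        for callee in graph.get(node, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen

def prioritize(findings, graph, entry_points):
    """Split findings into (patch_now, deferred), each sorted by CVSS descending.
    A finding is deferred when its vulnerable symbol is unreachable from any entry
    point: the code is present but never executes, so the base score overstates risk."""
    live = reachable_symbols(graph, entry_points)
    patch_now = sorted((f for f in findings if f[2] in live), key=lambda f: -f[1])
    deferred = sorted((f for f in findings if f[2] not in live), key=lambda f: -f[1])
    return patch_now, deferred

if __name__ == "__main__":
    now, later = prioritize(FINDINGS, CALL_GRAPH, ENTRY_POINTS)
    print("patch now:", [f[0] for f in now])    # ['F-5', 'F-3']
    print("deferred: ", [f[0] for f in later])  # ['F-1', 'F-2', 'F-4']
```

Static reachability is only a lower bound: reflection, plugins and dynamically loaded modules can make a "dead" path live, and packaged shadow software never appears in the graph at all, so "deferred" means re-check, not ignore.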
Many organizations are suffering from a deeply un-optimized security alert system; they are paying the price in staff turnover and undiscovered exploits.
Intelligent Vulnerability Prioritization
Security tools need to keep pace with the scale and scope of modern vulnerabilities. This not only demands a suite of flexible virtual patch solutions, but also an intelligent method of addressing future flaws.
A WAF is a traditional piece of the security toolbox, sitting between an application and its connection to the public-facing network. It monitors and filters the HTTP traffic flowing through the app, allowing company-wide security policies to be implemented and switched. The old problem facing many WAF solutions was that – in order to keep pace with exploits – the WAF policies needed to be constantly and minutely fine-tuned. This demanded yet more working hours from already-overworked teams. However, artificial intelligence now allows WAFs not only to adapt policies automatically, but also to aid in the detection and prevention of false positives in the alert stack. For instance, high-risk, replicable exploits can be automatically tuned out with dynamic policy profiling. At the same time, alerts that are handled manually only to turn out to be unexploitable bugs can be fed into a machine learning algorithm that contextually analyzes these false flags. The result is a model that statistically scores future alerts, profiling them automatically and helping filter out unexploitable bugs. This, in turn, reduces the amount of human time spent on false alerts.
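An added sketch (not the article's or any vendor's code) of the feedback loop just described: alerts an analyst has manually closed as unexploitable train a small naive-Bayes model, which then scores incoming alerts so that confident repeats are pushed down the queue. The alert features, rule ids, paths and verdicts are constructed; a production WAF would use far richer features, but the mechanism is the same.

```python
from collections import Counter, defaultdict
from math import exp, log

# Constructed history of manually triaged WAF alerts: categorical features plus
# the analyst's verdict ("noise" = not exploitable here, "real" = needs action).
# Rule ids, paths and parameters are hypothetical.
HISTORY = [
    ({"rule": "sqli-generic", "path": "/api/report", "param": "q"}, "noise"),
    ({"rule": "sqli-generic", "path": "/api/report", "param": "q"}, "noise"),
    ({"rule": "sqli-generic", "path": "/api/report", "param": "q"}, "noise"),
    ({"rule": "sqli-generic", "path": "/api/login", "param": "user"}, "real"),
    ({"rule": "xss-reflected", "path": "/search", "param": "term"}, "real"),
    ({"rule": "xss-reflected", "path": "/static", "param": "v"}, "noise"),
    ({"rule": "path-traversal", "path": "/download", "param": "file"}, "real"),
]

class AlertTriageModel:
    """Naive Bayes over categorical alert features, learned from past analyst verdicts."""
    def __init__(self):
        self.label_counts = Counter()
        self.feature_counts = defaultdict(Counter)  # (feature, value) -> Counter(label)
        self.values = defaultdict(set)              # feature -> distinct values seen

    def fit(self, history):
        for features, label in history:
            self.label_counts[label] += 1
            for name, value in features.items():
                self.feature_counts[(name, value)][label] += 1
                self.values[name].add(value)
        return self

    def p_noise(self, features):
        """Posterior probability that this alert is an unexploitable false flag.
        Laplace smoothing keeps never-seen feature values from zeroing out a class."""
        total = sum(self.label_counts.values())
        logp = {}
        for label, n in self.label_counts.items():
            lp = log(n / total)
            for name, value in features.items():
                k = len(self.values[name]) + 1  # +1 slot for unseen values
                lp += log((self.feature_counts[(name, value)][label] + 1) / (n + k))
            logp[label] = lp
        m = max(logp.values())
        return exp(logp["noise"] - m) / sum(exp(v - m) for v in logp.values())

def triage(model, alert, auto_deprioritize_at=0.9):
    """Only confident 'noise' is pushed down the queue; everything else stays with an analyst."""
    return "deprioritize" if model.p_noise(alert) >= auto_deprioritize_at else "analyst review"
```

A model like this should only reorder the queue, never silently drop alerts, and its deprioritized decisions need periodic spot-checks so that changes in the application do not turn real findings into "noise".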
WAF-based vulnerability validation represents only one layer of a modern, comprehensive Web Application and API Protection (WAAP) stack. Automation is proving to be a major component of solving the problem of overloaded alert queues. With replicable solutions that cover the tech stack from database to end user, modern organizations have no excuse for failing to invest the time and resources their cybersec teams need.