A nine-month analysis of more than 100 million alerts, tens of thousands of code repositories, and 140,000 real-world applications finds 95% of organizations have at least one high, critical, or apocalyptic risk within their software supply chain.
Conducted by OX Security, a provider of an application security posture management (ASPM) platform, the data was collected and then normalized using the Open Software Supply Chain Attack Reference (OSC&R) framework the company developed in collaboration with experts from Google, Microsoft and GitLab. On average, each organization has nine such issues, with one in five applications exhibiting a run-time exposure, the analysis found.
The three most frequently observed vulnerabilities are command injection (15%), followed by sensitive data in log files (12%) and cross-site scripting (11%). Six of the top ten most observed vulnerabilities are tied to poor implementation of fundamental security practices such as authentication, encryption, exploitable information in logs, and over-provisioned privileges.
More than a third (36%) of applications were vulnerable to exploits in the initial access attack stage, while 20% were also vulnerable to either Persistence or Execution exploits. A total of 12% were found to contain vulnerabilities tied to tactics in all three stages.
The most common attack techniques discovered are backdoors into code (31%), followed by over-privileged user accounts (29%) and command injection (27%), according to the report.
The challenge is that on average application security teams are monitoring 129 applications, with more than 119,000 security alerts being generated annually.
Katie Teitler-Santullo, security strategist at OX Security, said the only way to cope with that number of alerts is to rely more on automation to correlate which alerts are all related to the same core issue. That level of contextual analysis reduces the volume of overall alerts by more than 97%, OX Security claims.
At the core of that capability is a proprietary OSC&R framework that provides a model through which risks can be easily identified by identifying potential attack paths. Armed with those insights it becomes simpler for DevSecOps teams to prioritize remediation efforts, noted Teitler-Santullo.
While much progress has been made in improving software supply chains, it’s clear there is still much work to be done. Developers today typically only spend a fraction of their time remediating vulnerabilities, so DevSecOps teams need to ensure those efforts are focused on the issues that represent the greatest potential risk to the organization.
The biggest challenge, however, is simply getting application developers to buy into the DevSecOps process. Most developers are going to actively resist any approach to remediating vulnerabilities that takes time away from building new applications. As such, it’s incumbent on a DevSecOps team to find ways to address application security issues in ways that don’t adversely impact developer productivity.
In the meantime, there is a growing body of regulations that will require organizations to revisit DevSecOps workflows by, for example, addressing known vulnerabilities in a timelier manner. The only way to effectively make that case will be to rely more on automation to ensure that the code running in a production environment is as secure as possible.