Dependency kicking in: Why cybersecurity needs a better OSS risk management model

Modern software composition analysis requires reachability analysis

The Endor Labs report emphasizes the role of modern software composition analysis (SCA) in dependency management. Although SCA tools are far from new, they have traditionally focused on Common Vulnerability Scoring System (CVSS) severity scores, which makes sense given that many organizations also prioritize remediation by severity, especially High and Critical CVSS scores.

The problem, as we know from sources like the Exploit Prediction Scoring System (EPSS), is that less than 5% of CVEs are ever exploited in the wild. Organizations that prioritize based on CVSS severity scores alone are therefore often spending scarce resources fixing vulnerabilities that cannot be exploited in their environment and so pose little real risk.

While some scanning tools, including SCA tools, have increasingly begun to incorporate additional vulnerability intelligence such as CISA KEV and EPSS, others have not, and many have yet to combine this intelligence with function-level reachability analysis. That combination shows not only which components have known exploitation (KEV) or a high likelihood of exploitation (EPSS), but whether the vulnerable code is actually reachable from the application at all.

“For an open library vulnerability to be exploitable, there must at least be a call path from the script to the vulnerable function in that library,” Endor said in the report. “By examining a sample of our customers’ data where accessibility analysis was performed, we found this to be true for less than 9.5% of all vulnerabilities in the seven languages we support this level of analysis at the time of publication (Java, Python, Rust, Go, C#, .NET, Kotlin, and Scala).”
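To make the call-path idea concrete, here is an added example (not code from the Endor Labs report or from any SCA product) that builds a small function-level call graph with Python's `ast` module, checks whether a vulnerable library function is reachable from the application's entry point, and then ranks findings using reachability together with KEV, EPSS and CVSS. The application source, the two library sources (`libparse`, `libimage`), the finding records and their scores are all constructed for the example, and the CVE identifiers are placeholders.

```python
import ast
from collections import deque

# Constructed sample application, treated as module "app" (hypothetical).
APP_SOURCE = """
import libparse
import libimage

def handle_upload(data):
    return libparse.parse_header(data)

def main(data):
    return handle_upload(data)

def unused_feature(path):
    # Present in the dependency list, but never called from main().
    return libimage.resize(path)
"""

# Constructed sources for two hypothetical third-party libraries.
LIB_SOURCES = {
    "libparse": """
def parse_header(data):
    return _decode(data)

def _decode(data):
    return data.decode()
""",
    "libimage": """
def resize(path):
    return _load(path)

def _load(path):
    return open(path, "rb").read()
""",
}

# Constructed findings: placeholder identifiers and made-up scores.
FINDINGS = [
    {"id": "CVE-0000-PLACEHOLDER-A", "function": "libparse._decode",
     "cvss": 7.5, "epss": 0.02, "kev": False},
    {"id": "CVE-0000-PLACEHOLDER-B", "function": "libimage._load",
     "cvss": 9.8, "epss": 0.01, "kev": False},
]


def build_call_graph(modules):
    """Map 'module.function' -> set of callees, also as 'module.function'.

    Bare calls resolve to the same module; 'mod.func' calls resolve to a
    module brought in with a plain 'import mod'. Other call shapes are ignored.
    """
    graph = {}
    for mod_name, src in modules.items():
        tree = ast.parse(src)
        imported = {alias.asname or alias.name
                    for node in ast.walk(tree) if isinstance(node, ast.Import)
                    for alias in node.names}
        for node in tree.body:
            if not isinstance(node, ast.FunctionDef):
                continue
            callees = set()
            for sub in ast.walk(node):
                if not isinstance(sub, ast.Call):
                    continue
                target = sub.func
                if isinstance(target, ast.Name):
                    callees.add(f"{mod_name}.{target.id}")
                elif (isinstance(target, ast.Attribute)
                      and isinstance(target.value, ast.Name)
                      and target.value.id in imported):
                    callees.add(f"{target.value.id}.{target.attr}")
            graph[f"{mod_name}.{node.name}"] = callees
    return graph


def find_call_path(graph, entry, target):
    """Breadth-first search from entry; shortest call path or None."""
    queue, seen = deque([[entry]]), {entry}
    while queue:
        path = queue.popleft()
        if path[-1] == target:
            return path
        for callee in sorted(graph.get(path[-1], ())):
            if callee not in seen:
                seen.add(callee)
                queue.append(path + [callee])
    return None


def cvss_only_order(findings):
    """Traditional ordering: highest CVSS first, nothing else considered."""
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)


def prioritize(findings, graph, entry):
    """Reachability-aware ordering: reachable, then KEV, then EPSS, then CVSS."""
    ranked = []
    for f in findings:
        path = find_call_path(graph, entry, f["function"])
        ranked.append({**f, "reachable": path is not None, "path": path})
    ranked.sort(key=lambda f: (f["reachable"], f["kev"], f["epss"], f["cvss"]),
                reverse=True)
    return ranked


def demo():
    graph = build_call_graph({"app": APP_SOURCE, **LIB_SOURCES})
    return prioritize(FINDINGS, graph, "app.main")


if __name__ == "__main__":
    for f in demo():
        print(f["id"], "cvss", f["cvss"], "reachable", f["reachable"], f["path"])
```

Run as a script, the CVSS-only view puts the 9.8 finding in `libimage` first, while the reachability-aware ranking puts the 7.5 finding in `libparse` first because `app.main` reaches `libparse._decode` through `handle_upload` and `parse_header`, whereas `libimage._load` is only reachable from the dead `unused_feature`. A real SCA engine has to handle dynamic dispatch, reflection and indirect calls that this `ast` walk ignores, which is why an unreachable verdict from a simple static pass should lower priority rather than close a finding outright.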
