Today’s broken software supply chain… and how to fix it

A leaky tap, a squeaky door, chipped paint. After a bit of angst, when something is broken, our immediate reaction is usually to fix it, especially when a fix is at the ready. However, that does not seem to be the case with the software supply chain.

Take, for instance, vulnerabilities. The problem created by vulnerabilities is more broad-based than most enterprises realise. Vulnerabilities are a root cause of security issues: errors in software that can serve as an entry point for hackers and be exploited to gain access to IT systems.

Businesses rightly fear exposing customers to Internet criminals without a way to fix the problem.  Indeed, the reputational damage and loss of trust resulting from these break-ins cuts far deeper than the cost of repairing the damage.  According to PwC’s 2016 Global Economic Crime Survey, executives considered reputational damage the most devastating impact of cyber breach, followed closely by legal, investment and enforcement costs.

The cost is massive for enterprises when a hacker is successful in gaining entry.  An organisation’s first line of defence to minimise cybercriminal threats should be to shrink the attack surface by decreasing the number of vulnerabilities on its devices.  Taking this preventative measure will considerably lower the likelihood that a hacker can do any real harm.

Vulnerability review 2017

According to Vulnerability Review 2017, the annual report from Secunia Research at Flexera Software, 17,147 vulnerabilities were recorded in 2,136 products from 246 vendors in 2016 alone. The report presents global data on the prevalence of vulnerabilities and the availability of patches, maps the security vulnerability threat to IT infrastructures, and explores vulnerabilities in the 50 most popular applications on private PCs.

These findings illustrate the challenge faced daily by security and IT operations teams trying to protect their enterprises against security breaches without the necessary automation.  For organisations to stay on top of their environments, IT teams must have complete visibility of the applications that are in use, and firm policies and procedures in place, in order to deal with the vulnerabilities as they are disclosed.

The good news is that patches continue to be available for the vast majority of vulnerabilities at the time they become public. In 2016, 81 per cent of all vulnerabilities, and 92.5 per cent of applications in the Top 50 Software Portfolio that were impacted by vulnerabilities, had patches for those vulnerabilities on the day of disclosure, leaving it to the user to take action and apply them. In contrast, a retrospective view of the last five years shows that in 2011, patches were recorded for only 65 per cent of vulnerabilities. The most likely explanation for the continuously improving time-to-patch rate is that researchers continue to coordinate their vulnerability reports with vendors and vulnerability programmes, so that a patch is available immediately in the majority of cases.

Other findings in the Vulnerability Review 2017 confirm trends from previous years: at 22, the number of zero-day vulnerabilities was a bit lower than in 2015, and the split between vulnerabilities in Microsoft and non-Microsoft products in the 50 most popular applications on private PCs is 22.5 per cent and 77.5 per cent respectively. Thirty days after first disclosure, only one additional per cent of vulnerabilities has a patch, indicating that if a patch is not available on the first day, the vendor does not prioritise patching it.

Additionally, with regard to browser security, data shows that there were 713 vulnerabilities in the five most popular browsers (Google Chrome, Mozilla Firefox, Internet Explorer, Opera and Safari) in 2016 compared to 983 in 2015 – a year-on-year decrease of 27.5 per cent. The majority of these vulnerabilities were rated as ‘Highly Critical’. With regard to PDF Readers – the top five being Adobe Reader, Foxit Reader, PDF-XChange Viewer, Sumatra PDF and Nitro PDF Reader – the number of vulnerabilities has increased from 147 in 2015 to 289 in 2016. 

Dysfunctional software supply chain

However, even with an increase in available patches, there was a decrease in patch rates, a clear indicator that the software supply chain is indeed broken. This is yet another example of how the dysfunctional software supply chain continues to endanger enterprises. Organisations absolutely need to obtain proper alerts associated with the security of the applications they have installed.

Thankfully, there is an answer. 

Software vulnerability management

Software Vulnerability Management helps enterprises combat these hackers head on. It gives companies access not only to accurate vulnerability alerts and the patches that are available, but specifically to those that affect their own environment, without having to rely on vendors' alerts and notifications or proactively trawl all their vendors' sites hoping to find them. Via three basic steps, Software Vulnerability Management also helps organisations identify vulnerable applications and systems in their environments, prioritise them, and remediate the problem via integrated patch management.
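As an added illustration of those three steps (not code from the article or from Flexera), the following Python pass runs over a constructed inventory and a constructed advisory feed: it keeps only the alerts that match an installed, affected version, ranks them by criticality and whether a patch exists, and emits one remediation action per finding. Product names, advisory ids and version ranges are placeholders, and versions are assumed to be plain dotted integers.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Advisory:  # one vulnerability alert from a hypothetical intelligence feed
    advisory_id: str         # constructed placeholder id, not a real CVE
    product: str
    affected_below: str      # every installed version lower than this is vulnerable
    fixed_in: Optional[str]  # first safe version; None means no patch available yet
    criticality: int         # 1 (low) .. 5 (extremely critical)

def parse_version(v: str) -> tuple:  # '11.0.3' -> (11, 0, 3), so 11.0.3 < 11.0.10 compares correctly
    return tuple(int(p) for p in v.split("."))

# Constructed inventory of installed applications per host (the environment to protect).
INVENTORY = {
    "laptop-01": {"Example Reader": "11.0.3", "Example Browser": "54.0.1"},
    "laptop-02": {"Example Reader": "11.0.10", "Example Archiver": "5.2"},
}
# Constructed advisory feed; ids and product names are placeholders, not real vulnerabilities.
ADVISORIES = [
    Advisory("ADV-2016-0001", "Example Reader", "11.0.10", "11.0.10", 5),
    Advisory("ADV-2016-0002", "Example Browser", "55.0.0", "55.0.0", 4),
    Advisory("ADV-2016-0003", "Example Archiver", "5.3", None, 3),  # no patch on day of disclosure
    Advisory("ADV-2016-0004", "Example Mailer", "2.1", "2.1", 5),   # not installed anywhere: noise
]

def find_vulnerable(inventory, advisories):
    """Step 1: keep only the advisories that match an installed, affected version."""
    hits = []
    for host, apps in inventory.items():
        for product, version in apps.items():
            for adv in advisories:
                if adv.product == product and parse_version(version) < parse_version(adv.affected_below):
                    hits.append((host, product, version, adv))
    return hits

def prioritise(hits):
    """Step 2: most critical first; among equals, patchable items before those with no fix yet."""
    return sorted(hits, key=lambda h: (-h[3].criticality, h[3].fixed_in is None, h[0]))

def remediation_plan(inventory, advisories):
    """Step 3: one concrete action per finding, ready to hand to patch management."""
    plan = []
    for host, product, version, adv in prioritise(find_vulnerable(inventory, advisories)):
        action = (f"upgrade {product} {version} -> {adv.fixed_in}" if adv.fixed_in
                  else f"no vendor patch for {product} {version}: apply compensating control and track")
        plan.append((host, adv.advisory_id, action))
    return plan
```

Note that the second host's reader at 11.0.10 is correctly treated as already fixed, and the mailer advisory never reaches the plan because nothing in the inventory runs it.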

The best thing about Software Vulnerability Management is that it is preventative. Most successful cyberattacks use known vulnerabilities to gain access or escalate privileges inside corporate IT infrastructures. Once hackers have successfully exploited a vulnerability, they have a base from which to roll out their attack: moving around systems, gathering information and deploying malware (an umbrella term for a variety of hostile or intrusive software, including computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware and other malicious programs) to steal or destroy business-critical information or cause disruption. The 2014 Heartbleed vulnerability is a case in point.

Three years ago, the Heartbleed vulnerability in the OpenSSL cryptographic library sent the software industry and companies around the world into a panic. Software developers didn't know enough about the open source components used in their own products to understand whether their software was vulnerable — and customers using that software didn't know either.

We simply can't ignore that as software gets smarter, so do the criminals. Technology is only going to continue to advance, but as we have seen, innovation almost always comes with inherent risks. Enterprises need to be good corporate citizens and take reasonable precautions now to help ensure their software does not become easy prey for criminals.

Vincent Smyth is Senior Vice President EMEA at Flexera Software