TRENDING
For a vulnerability in an open source library to be exploitable, there must be, at minimum, a call path from the application to the vulnerable function in that library. The Endor Labs report finds this to be true in fewer than 9.5% of all vulnerabilities in the seven languages explored – Java, Python, Rust, Go, C#, .NET, Kotlin and Scala.

Therefore, reducing the number of remediation activities needed can slash remediation costs by over 90.5%. Perhaps best of all, this is done with just this one prioritization factor, which makes it by far the most valuable single noise-reduction strategy available anywhere.

The problems go even deeper: across six ecosystems explored, 47% of advisories in public vulnerability databases do not contain any code-level vulnerability information at all; 51% contain one or more references to fix commits; and only 2% contain information about affected functions.

This is a serious drawback because the application of program analysis techniques requires code-level information about vulnerabilities, such as the names of affected functions or the fix commits that were developed by open source project maintainers to overcome a vulnerability. Without this kind of information, it’s effectively impossible to establish whether known-vulnerable functions can be executed in the context of a downstream application.

The research also turns a spotlight on the speed of response to emerging risks. It reveals that nearly 70% of vulnerability advisories are published after the corresponding security release, with a median delay of 25 days. This increases the existing window of opportunity for attackers to exploit vulnerable systems.

In this challenging environment, there are several context-based strategies that deserve attention, such as excluding vulnerabilities that are only relevant for non-production code. However, even different combinations of these approaches are not as crucial as function-level reachability.

The Endor Labs report offers deep insights on a range of issues vital for supply chain security.
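The function-level reachability triage the article describes, as an added illustration that is not Endor Labs' code or tooling: a breadth-first walk over a constructed call graph decides, for each advisory, whether any affected function has a call path from the application, and flags advisories that carry no affected-function data (the majority in public databases) as untriageable by this method. All function names and advisory identifiers are constructed.

```python
from collections import deque

# Constructed call graph (caller -> callees). "app.*" is the application,
# "lib.*" are functions inside its open source dependencies.
CALL_GRAPH = {
    "app.main": ["app.handle_request", "lib.json.parse"],
    "app.handle_request": ["lib.http.read_header", "app.render"],
    "app.render": ["lib.template.render"],
    "lib.template.render": ["lib.template.escape"],
    "lib.http.read_header": ["lib.http.decode_chunked"],
    "lib.http.parse_multipart": ["lib.http.decode_chunked"],  # no app caller
}

# Constructed advisories; an empty list mirrors the majority of public
# advisories that carry no affected-function information at all.
ADVISORIES = [
    {"id": "ADV-CONSTRUCTED-1", "affected_functions": ["lib.http.parse_multipart"]},
    {"id": "ADV-CONSTRUCTED-2", "affected_functions": ["lib.template.escape"]},
    {"id": "ADV-CONSTRUCTED-3", "affected_functions": []},
]

def reachable_functions(call_graph, entry_points):
    """Every function with a call path from at least one entry point (BFS)."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        for callee in call_graph.get(queue.popleft(), []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen

def triage(call_graph, advisories, entry_points):
    """'reachable' if any affected function has a call path from the app,
    'unreachable' if none does, 'unknown' if the advisory names none."""
    reach = reachable_functions(call_graph, entry_points)
    verdicts = {}
    for adv in advisories:
        funcs = adv["affected_functions"]
        if not funcs:
            verdicts[adv["id"]] = "unknown"      # needs manual review
        elif any(f in reach for f in funcs):
            verdicts[adv["id"]] = "reachable"    # prioritise remediation
        else:
            verdicts[adv["id"]] = "unreachable"  # deprioritise
    return verdicts

if __name__ == "__main__":
    print(triage(CALL_GRAPH, ADVISORIES, ["app.main"]))
```

In a real pipeline the call graph comes from a static analyser for the language in question, and "unknown" advisories are the gap the article points at: without affected-function data, reachability cannot be decided and the advisory stays in the remediation queue.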
20 INTELLIGENTCIO LATAM www.intelligentcio.com