TRENDING
These include:
• Pinpointing the Worst Offenders: Effective prioritization lets organizations focus on less than 5% of their total vulnerabilities. Within the Python ecosystem, for example, updating the top 20 components to non-vulnerable versions would remove more than 75% of all vulnerability findings. Results for the other languages are almost as good: Java 60%, and npm 44%. TensorFlow has the highest number of reported vulnerabilities, and since it is often installed without manifest files, it underlines the importance of covering "phantom dependencies".
• Phantom Dependencies and Other Trouble Spots: Among the select customers scanned for this report, the share of Python phantom dependencies in the universe of dependencies ranges from 0% to 60%. But here is the most important finding: the share of vulnerabilities found in those phantom dependencies (out of all vulnerabilities) gets as high as 85%. In this regard, "rebundling" is a serious issue across ecosystems: thousands of Python and Java components rebundle binary code from other open source projects.
• Finding Known-Vulnerable Code: While identifying the connections between applications and vulnerabilities is at the core of strengthening security, numerous technical challenges make it hard to link the two across their dependencies. Building databases that cover this kind of dependency identification, particularly with regard to the quality of the vulnerability data itself, is key to avoiding false positives and false negatives.
• Remediating Known Vulnerabilities: 24% of the 1,250 updates from vulnerable to non-vulnerable component versions (published by the 15 most problematic libraries after 2016) require a major version update, while 6% of those 1,250 updates can be done by updating the minor or patch version.
In terms of overall solutions, using the Exploit Prediction Scoring System (EPSS) as a prioritization tool is a strong second-order activity, applied to the vulnerabilities that are actually reachable.
With this approach, 80% of reachable vulnerabilities have a predicted chance of exploitation of 1% or less.
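The two-stage prioritization described here (reachability first, then EPSS), together with the top-N coverage and major/minor/patch classification from the findings list above, as an added example over constructed SCA findings. This is not the report's data or tooling: the "V-n" identifiers, versions, reachability flags and EPSS scores are placeholders chosen for the example (real EPSS scores come from FIRST's published feed), and the version classifier assumes plain dotted numeric versions rather than the full PEP 440 grammar.

```python
from collections import Counter

# Constructed SCA findings (not from the report; "V-n" ids are placeholders):
# (component, vuln_id, installed_version, first_fixed_version, reachable, epss)
FINDINGS = [
    ("tensorflow", "V-1", "2.11.0", "2.12.0", True, 0.004),
    ("tensorflow", "V-2", "2.11.0", "2.12.0", False, 0.001),
    ("tensorflow", "V-3", "2.11.0", "2.13.1", True, 0.020),
    ("pillow", "V-4", "9.4.0", "9.5.0", True, 0.003),
    ("pillow", "V-5", "9.4.0", "10.0.0", False, 0.150),
    ("requests", "V-6", "2.28.0", "2.31.0", True, 0.008),
    ("pyyaml", "V-7", "5.3.1", "5.4", True, 0.420),
    ("jinja2", "V-8", "3.1.1", "3.1.2", False, 0.002),
]


def coverage_by_top_n(findings, n):
    """Fraction of all findings removed by updating the n components with the most findings."""
    counts = Counter(f[0] for f in findings)
    ranked = sorted(counts, key=lambda c: (-counts[c], c))  # ties broken by name
    covered = sum(counts[c] for c in ranked[:n])
    return covered / len(findings)


def _parts(version):
    # Assumption: dotted numeric versions only; pad so "5.4" compares as 5.4.0.
    return ([int(p) for p in version.split(".")] + [0, 0, 0])[:3]


def bump_type(installed, fixed):
    """Classify the update from installed to fixed as 'major', 'minor' or 'patch'."""
    old, new = _parts(installed), _parts(fixed)
    if new[0] != old[0]:
        return "major"
    if new[1] != old[1]:
        return "minor"
    return "patch"


def bump_distribution(findings):
    """Count distinct (component, installed, fixed) updates by bump type.

    Counting updates rather than findings matches how the report phrases its
    figure: several findings can share one fixing release.
    """
    updates = {(f[0], f[2], f[3]) for f in findings}
    return Counter(bump_type(old, new) for _, old, new in updates)


def low_epss_share(findings, threshold=0.01):
    """Share of reachable findings whose EPSS score is at or below the threshold."""
    reachable = [f for f in findings if f[4]]
    low = [f for f in reachable if f[5] <= threshold]
    return len(low) / len(reachable)


def work_first(findings, threshold=0.01):
    """Reachable findings above the EPSS threshold, highest predicted exploitation first."""
    keep = [f for f in findings if f[4] and f[5] > threshold]
    return [f[1] for f in sorted(keep, key=lambda f: -f[5])]


if __name__ == "__main__":
    print("top-1 component covers", coverage_by_top_n(FINDINGS, 1), "of findings")
    print("updates by bump type:", dict(bump_distribution(FINDINGS)))
    print("reachable findings at or below EPSS 1%:", low_epss_share(FINDINGS))
    print("work these first:", work_first(FINDINGS))
```

On this constructed set the single worst offender accounts for 37.5% of findings, three of five reachable findings fall at or below the 1% EPSS line, and only two reachable findings survive both filters; the report's point is that the same shape holds at scale, with most of the queue collapsing once reachability and EPSS are applied in that order.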
www.intelligentcio.com INTELLIGENTCIO LATAM 23