
Kicking Dependency: The Case for a Stronger Cybersecurity Model to Address OSS Vulnerabilities


The importance of reachability analysis in modern software composition analysis (SCA) has been highlighted in a recent report by Endor Labs. While SCA tools have been in use for some time, they have traditionally prioritized findings by Common Vulnerability Scoring System (CVSS) severity. This approach makes sense on its face, as most organizations remediate vulnerabilities with High and Critical CVSS scores first.

However, the flaw in this system is that only a small percentage of Common Vulnerabilities and Exposures (CVEs) are actually exploited in the wild, according to sources such as the Exploit Prediction Scoring System (EPSS). This means that organizations focusing solely on CVSS severity scores may be spending remediation effort on vulnerabilities that pose little actual risk because they are rarely, if ever, exploited.

Although some scanning tools, including SCA, have started incorporating additional vulnerability intelligence such as CISA KEV and EPSS, many have not yet included deep function-level reachability analysis. This type of analysis goes beyond identifying known and likely exploited components to show which vulnerabilities are actually reachable and exploitable.

Endor Labs emphasized the significance of reachability analysis by stating, “For a vulnerability in an open-source library to be exploitable, there must at minimum be a call path from the application you write to the vulnerable function in that library.” In their analysis of customer data, they found that this condition was met in fewer than 9.5% of all vulnerabilities across the seven languages they examined: Java, Python, Rust, Go, C#, .NET, Kotlin, and Scala.

By incorporating reachability analysis into SCA, organizations can better prioritize remediation efforts and allocate resources effectively to address vulnerabilities that pose the highest risk of exploitation. This approach allows companies to focus on addressing vulnerabilities that are not only known and likely to be exploited but also reachable within their software code.
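To make the call-path condition and the resulting prioritization concrete, here is a small added example (not Endor Labs code and not from the report). It builds a constructed call graph for a hypothetical application with three dependencies, searches for a path from the application's entry point to each advisory's vulnerable function, and then ranks a constructed set of advisories by reachability first, then KEV membership, EPSS and CVSS. All function names, advisory IDs and scores are made up for illustration.

```python
"""Toy function-level reachability check with risk prioritization.

Added example for illustration; the call graph, advisories and
scores below are constructed, not taken from any real project.
"""
from collections import deque

# Constructed call graph: caller -> list of callees.
# "app.*" is the application's own code; the rest are dependencies.
CALL_GRAPH = {
    "app.main": ["app.handlers.upload", "app.handlers.health"],
    "app.handlers.upload": ["imglib.decode", "app.util.log"],
    "app.handlers.health": ["app.util.log"],
    "app.util.log": ["fmtlib.format"],
    "imglib.decode": ["imglib.parse_header"],
    "imglib.parse_header": [],
    "fmtlib.format": [],
    # A dependency function that no application code ever calls.
    "netlib.fetch": ["netlib.parse_url"],
    "netlib.parse_url": [],
}

# The application's entry points (constructed).
ENTRY_POINTS = ["app.main"]

# Constructed advisories: vulnerable function plus the intelligence an
# SCA tool would normally attach (CVSS, EPSS probability, KEV listing).
ADVISORIES = [
    {"id": "ADV-0001", "function": "imglib.parse_header",
     "cvss": 7.5, "epss": 0.42, "kev": True},
    {"id": "ADV-0002", "function": "netlib.parse_url",
     "cvss": 9.8, "epss": 0.91, "kev": True},
    {"id": "ADV-0003", "function": "fmtlib.format",
     "cvss": 5.3, "epss": 0.01, "kev": False},
]


def find_path(graph, sources, target):
    """Breadth-first search from the entry points.

    Returns the call path (list of function names) from an entry point
    to `target`, or None when no path exists in the graph.
    """
    parent = {src: None for src in sources}
    queue = deque(sources)
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return list(reversed(path))
        for callee in graph.get(node, []):
            if callee not in parent:
                parent[callee] = node
                queue.append(callee)
    return None


def prioritize(advisories, graph, entry_points):
    """Annotate each advisory with reachability and sort by risk.

    Sort key, highest priority first: reachable, then on the KEV list,
    then EPSS probability, then CVSS score.
    """
    rows = []
    for adv in advisories:
        path = find_path(graph, entry_points, adv["function"])
        rows.append({**adv, "reachable": path is not None, "path": path})
    rows.sort(key=lambda r: (r["reachable"], r["kev"], r["epss"], r["cvss"]),
              reverse=True)
    return rows


if __name__ == "__main__":
    for row in prioritize(ADVISORIES, CALL_GRAPH, ENTRY_POINTS):
        status = "REACHABLE" if row["reachable"] else "unreachable"
        print(f"{row['id']} cvss={row['cvss']} epss={row['epss']} "
              f"kev={row['kev']} {status}")
        if row["path"]:
            print("   " + " -> ".join(row["path"]))
```

Running it ranks ADV-0001 first even though ADV-0002 has the highest CVSS and EPSS, because ADV-0002's vulnerable function is never reached from the application's code. One caveat a practitioner should keep in mind: the absence of a static call path is evidence, not proof. Reflection, dynamic dispatch, plugin loading and data-driven paths such as deserialization can reach code a static graph misses, so "unreachable" should lower priority rather than close the finding outright.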

In conclusion, the integration of reachability analysis in modern software composition analysis is crucial for enhancing the effectiveness of vulnerability management strategies. By moving beyond traditional CVSS severity scores and incorporating deep function-level analysis, organizations can better protect their software applications from potential cyber threats. Ultimately, reachability analysis plays a vital role in ensuring that resources are allocated efficiently to address vulnerabilities that present the greatest risk to an organization’s security posture.
