
Reachability Analysis Simplifies Vulnerability Reports


AI assistants have transformed the way developers approach coding, making it easier to create basic applications and contributing to a surge in code repositories like GitHub. However, the ease of generating code also comes with its drawbacks, as it often leads to the creation of code with defects and vulnerabilities.

As code submissions grow in volume and false positives pile up, application-security teams supporting large development groups face a growing number of application-vulnerability reports. According to a report by software-security firm Snyk, approximately 31% of teams find that the majority of reported vulnerabilities are false positives.

To address this issue, application-security teams are turning to reachability analysis as a key method for prioritizing remediation requests. By determining whether the vulnerable parts of imported code can actually be reached from the application, and therefore by a potential attacker, teams can focus on patching vulnerabilities that pose real risk. This approach, highlighted by Joseph Hejderup of Endor Labs during the SOSS Community Day Europe 2024 conference in September, allows teams to prioritize their efforts more effectively.

Hejderup emphasized the importance of looking into the source code to determine whether specific vulnerable parts of a library are actually being used by an application. By doing so, teams can distinguish between code that is actively utilized and code that remains dormant, reducing the overall number of vulnerabilities that need to be addressed.

Static application security testing (SAST) tools continue to evolve and offer a proven return on investment, especially when used to identify software defects during the development phase. However, false positives can diminish the benefits of SAST tools and erode developer trust in their effectiveness. Finding ways to minimize the occurrence of false positives is crucial for maximizing the value of these tools.

According to a survey by Snyk, 61% of developers believe that the faster pace of development facilitated by automation has led to an increase in false positives. This underscores the need for strategies that can reduce the volume of vulnerabilities detected across multiple projects, making the remediation process more manageable. Randall Degges, head of developer relations for Snyk, highlighted the significance of reachability in filtering out non-executable code and focusing on genuinely exploitable vulnerabilities.

Studies have shown that companies can significantly reduce their remediation workload by excluding non-reachable code, with some applications utilizing only a fraction of the open-source code integrated into them. By combining reachability analysis with exploitability and business impact considerations, organizations can further streamline their security efforts and reduce the overall workload associated with addressing vulnerabilities.

Katie Teitler-Santullo, a cybersecurity strategist with OX Security, emphasized the importance of prioritizing and reducing noise in security tools to align with the speed of development. By refining vulnerability reports and focusing on critical issues, security teams can enhance collaboration with developers and maintain a more efficient workflow.

When it comes to reachability analysis, two primary approaches are commonly used. Static code analysis builds a graph of function calls from the source and walks it from the application's entry points to determine which code paths can execute, while instrumentation monitors the application at runtime to record which functions are actually executed. Both methods serve to identify reachable code and assess the potential exploitability of vulnerabilities within the application.
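The static variant described above, as an added illustration that is not from the article or any vendor's tool: a minimal call-graph builder for Python source that walks from an entry point and reports whether a flagged library API is on any call path. The application source, the library name `yamllib` and its `safe_load`/`full_load` functions are all constructed for the example.

```python
import ast
from collections import defaultdict, deque

# Constructed sample app (hypothetical library "yamllib"): main() only ever
# reaches the safe loader; the vulnerable full_load sits in dead code.
APP_SOURCE = '''
import yamllib

def parse_config(text):
    return yamllib.safe_load(text)

def legacy_import(text):
    return yamllib.full_load(text)

def main():
    return parse_config("a: 1")
'''

def callee_name(func):
    # Render foo() as "foo" and lib.foo() as "lib.foo".
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return f"{callee_name(func.value)}.{func.attr}"
    return "<dynamic>"

def build_call_graph(source):
    """Map each top-level function to the names it calls."""
    graph = defaultdict(set)
    for node in ast.parse(source).body:
        if isinstance(node, ast.FunctionDef):
            for call in ast.walk(node):
                if isinstance(call, ast.Call):
                    graph[node.name].add(callee_name(call.func))
    return graph

def reachable(graph, entry):
    """Breadth-first walk from the entry point over the call graph."""
    seen, queue = set(), deque([entry])
    while queue:
        for callee in graph.get(queue.popleft(), ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen

def vulnerable_api_reachable(source, entry, vulnerable_api):
    """True only if the flagged API is on some call path from entry."""
    return vulnerable_api in reachable(build_call_graph(source), entry)
```

A finding against `yamllib.full_load` would be deprioritized for this app because nothing on the path from `main` calls it, while the same finding against `legacy_import` as an entry point would stay in scope; dynamic dispatch and method calls on objects are collapsed to `<dynamic>`, which is the kind of gap runtime instrumentation is used to close.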

Looking ahead, companies are expected to adopt more advanced techniques for reachability analysis, filtering down to code that is not only reachable but also demonstrably exploitable. This evolution signifies a deeper level of scrutiny and sophistication in vulnerability management practices, aimed at enhancing the overall security posture of organizations in the face of evolving threats.
