A recent study conducted by Endor Labs sheds light on potential vulnerabilities within open-source dependencies or software packages, emphasizing the importance of function-level reachability analysis in mitigating risks effectively. The findings suggest that while the costs associated with remediating dependency risks are alarmingly high, prioritizing vulnerabilities based on their exploitability can significantly reduce remediation costs by over 90.5%.
The research, which drew insights from Endor Labs vulnerability data, the Open Source Vulnerabilities (OSV) database, customer tenants’ information, and Java Archives (JARs) of top open source dependencies, focused on analyzing breaking changes across hundreds of versions of the top 15 dependencies. According to Darren Meyer, a staff research engineer at Endor Labs, many organizations struggle with managing dependency risks, as the influx of vulnerability alerts often leads to costly research efforts for security and software teams. Therefore, prioritizing vulnerabilities based on exploitability has emerged as a critical capability to address these challenges effectively.
One of the key highlights of the study is the revelation that fewer than 9.5% of vulnerabilities in the seven languages analyzed—Java, Python, Rust, Go, C#, .NET, Kotlin, and Scala—have a call path from the application to the vulnerable function in the library, making them exploitable. By reducing the number of remediation activities required, organizations can achieve significant cost savings in addressing vulnerabilities. In fact, a single prioritization factor focusing on exploitability emerged as the most valuable noise-reduction strategy available.
The research also underscored the importance of swift responses to emerging risks, noting that nearly 70% of vulnerability advisories are published after the corresponding security release, with a median delay of 25 days. This delay provides attackers with an extended window of opportunity to exploit vulnerable systems, highlighting the need for improved vulnerability disclosure processes.
Furthermore, the study identified shortcomings in existing vulnerability databases, with 47% of advisories lacking code-level vulnerability information and only 2% containing details about affected functions. This lack of granular information hinders the application of program analysis techniques to assess the risk posed by known vulnerabilities, emphasizing the importance of function-level reachability in vulnerability management.
In addressing supply chain security issues, the study emphasized the importance of prioritization in focusing on critical vulnerabilities. For instance, updating the top 20 components in the Python ecosystem to non-vulnerable versions could eliminate over 75% of all vulnerability findings. Similarly, identifying and remediating phantom dependencies and known-vulnerable code were highlighted as crucial steps in improving overall security posture.
Overall, the research findings advocate for a proactive approach to vulnerability management, leveraging function-level reachability analysis and prioritization strategies to effectively mitigate risks and reduce remediation costs. By addressing the root causes of vulnerability exploitation and bolstering supply chain security, organizations can enhance their resilience against evolving cyber threats.