There’s no such thing as a perfect piece of software. But there’s a gulf of difference between a piece of software containing irritating bugs or lacking some features you’d like, and software that contains major dangerous vulnerabilities which could potentially be exploited by cyber attackers to cause major harm.
The problem with vulnerabilities is that it is a constantly shifting landscape. New pieces of software, or software updates, are released every day, and each of these invariably contains multiple flaws which, in some cases, can be leveraged by bad actors. At the same time, cyber attackers are always on the lookout for fresh attack vectors which they can use to enter systems or networks.
Protecting against these vulnerabilities should be a top priority for organizations. After all, a service being knocked offline even for a few seconds could mean huge numbers of missed transactions and dissatisfied customers. Business continuity matters – and application availability is a big part of that.
The problem is a tough one
Unfortunately, the vulnerability problem isn’t just consistent; it’s actually getting worse. One recent report by a cyber threat intelligence company noted that the total number of vulnerabilities detected during the first six months of 2022 was a whopping 11,860.
Not all of these will be devastating vulnerabilities, but even a small percentage falling into that category could be catastrophic. Furthermore, lists such as this aren’t limited to small name software vendors, but frequently include big names like Microsoft and Google, whose software is used by many millions of people all around the world.
What made this recent report extra terrifying is the fact that almost a third of the 11,860 vulnerabilities disclosed were reportedly not featured on the MITRE CVE (Common Vulnerabilities and Exposures) database. This public database is one of the most well-known repositories for uncovering information about software vulnerabilities and is even sponsored by the United States federal government, underscoring its importance. If it is accurate that this database is missing vulnerabilities, that could be bad news – and suggests the vulnerability problem is worse than many thought. Not least because it calls into question the possibility of having a complete, objective list of vulnerabilities.
The issue with patching
There’s one additional problem that makes software vulnerabilities a major threat. In most cases, software developers will quickly move to patch vulnerabilities when and where they arise. This is admirable, and shows their appreciation for the potential damage that vulnerabilities can cause – such as stolen customer data like passwords or credit card details.
But the issue is that software patches only work when and where they have been installed by users. In the event that they are not, the vulnerability will persist and can continue to be targeted by attackers. If a piece of software’s user base is large enough, attackers may continue to target patched vulnerabilities months down the line – knowing that even a small percentage of unpatched users amounts to a sizable number of possible targets or victims.
There may be multiple reasons for users failing to patch software. In some cases, it might be ignorance of the possible problem or just not sufficiently caring about security. However, in many cases it’s more likely to be due to the ongoing challenge of patching software: limited time.
Staying on top of the latest vulnerabilities may represent a full-time job for multiple parties at an organization – and even then flaws can still persist. Usually, companies will know that they are possibly vulnerable to an attack, but they will have still failed to address the problem. Databases like MITRE CVE try to make this task easier by advising on the severity of vulnerabilities (not all vulnerabilities pose an equal threat). Nonetheless, for an organization using dozens of pieces of software, and potentially suffering downtime while updating any one of these, it’s a tough task.
No single source of truth?
News that different tracking organizations list different numbers of vulnerabilities each year is likely to cause even more anxiety. After all, if there’s no single source of truth when it comes to software vulnerabilities, what should organizations look to protect against? Fortunately, help is at hand.
While it may be impossible (or very difficult) for companies to know about all vulnerabilities they face, tools like Web Application Firewalls (WAFs), Web Application and API Protection (WAAP), and Runtime Application Self-Protection (RASP) can be used to virtually patch vulnerabilities. Instead of traditional software patching, virtual patching works by looking for potential bad or suspect behavior that could suggest a cyberattack and then stopping it in its tracks.
It’s one of the best ways to safeguard against the threat of vulnerabilities. Although vulnerabilities may be a problem that won’t ever be solved across the board, at least solutions like this make it much easier for organizations to stay on top of things. Given the potential risk, that’s one of the smartest moves you can make.
Alexia is the author at Research Snipers covering all technology news including Google, Apple, Android, Xiaomi, Huawei, Samsung News, and More.