Because only 10% to 20% of imported code is typically used by a specific application, determining whether the code is reachable by an attacker — and thus likely exploitable — can dramatically reduce the number of vulnerabilities that need to be patched, says Joseph Hejderup, technical staff member at Endor Labs, who presented on the topic at SOSS Community Day Europe 2024 in September.

In the face of growing volumes of code submissions and continuing problems with false positives, application-security teams are relying on reachability analysis as an important way to prioritize their remediation requests. "A lot of the frustration happens because tools aren't able to reduce the noise and focus in on the prioritization that developers need [in order] to move at the speed of development versus the speed of security," she says.

"With software composition analysis — without looking into the code — we are essentially assuming that if you use this library, you're using all this functionality," Hejderup says.

For application-security teams, finding ways to reduce the volume of vulnerabilities discovered in dozens or hundreds of projects into a more manageable burden is critical, says Randall Degges, head of developer relations for Snyk. In fact, nearly a third of teams (31%) find the majority of reported vulnerabilities are false positives, according to software-security firm Snyk's 2023 State of Open Source Security report. Overall, 61% of developers believe the faster cadence of development with automation has increased the number of false positives, according to the same report.

Reporting fewer vulnerabilities back to developers can help reduce friction between the two groups, says Katie Teitler-Santullo, cybersecurity strategist with OX Security. For development teams awash in vulnerability reports, reachability analysis can help tame the chaos and offer another path to prioritize exploitable issues.
Whether a vulnerability in the code can be exploited is another level of investigation, and Endor Labs' Hejderup expects companies to be able to filter down to code that is both reachable and provably exploitable as the next step. "This type of more advanced, sophisticated analysis would likely be the next level within reachability analysis," he says. Reachability analysis itself relies on static code analysis: it builds a graph of the function calls in the application and determines whether a specific piece of library code can ever be executed from the application's entry points.
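The call-graph approach described above, shown as an added example that is not code from the article, Endor Labs or Snyk: it parses two constructed Python sources with the standard `ast` module, builds a function-level call graph, and reports which of a set of flagged library functions are reachable from the application's entry point. The sources, the module names and the flagged functions are all hypothetical.

```python
import ast
from collections import defaultdict

# Constructed sample (hypothetical names, not a real library or advisory): the app
# reaches lib.parse -> lib.sanitize but never calls lib.render_template.
APP_SRC = """
import lib
def handle_request(data):
    return lib.parse(data)
def unused_helper(data):
    return lib.render_template(data)
def main():
    handle_request("input")
"""
LIB_SRC = """
def parse(data):
    return sanitize(data)
def sanitize(data):
    return data.strip()
def render_template(data):
    return data.format()
"""
def build_call_graph(sources):
    """Static call graph over {module: source}; nodes are 'module.function'."""
    graph = defaultdict(set)
    for module, src in sources.items():
        for fn in [n for n in ast.parse(src).body if isinstance(n, ast.FunctionDef)]:
            caller = f"{module}.{fn.name}"
            graph[caller]  # register the node even if it calls nothing
            for call in (n for n in ast.walk(fn) if isinstance(n, ast.Call)):
                f = call.func
                if isinstance(f, ast.Name):                    # same-module call
                    graph[caller].add(f"{module}.{f.id}")
                elif isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
                    graph[caller].add(f"{f.value.id}.{f.attr}")  # e.g. lib.parse
    return graph

def reachable(graph, entry):
    """All functions transitively reachable from the entry point (DFS)."""
    seen, stack = set(), [entry]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(graph.get(node, ()))
    return seen

def reachable_flagged(graph, entry, flagged):
    """Which flagged (e.g. SCA-reported) library functions are actually reachable."""
    return sorted(f for f in flagged if f in reachable(graph, entry))
```

Of the two flagged functions only `lib.sanitize` is reported, because `lib.render_template` is called solely from a helper the application never invokes, whereas package-level SCA would flag both. A static graph like this does not see dynamic dispatch, reflection or callbacks, which is why unreachable findings are treated as lower priority rather than as safe.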
This Cyber News was published on www.darkreading.com. Publication date: Mon, 30 Sep 2024 23:55:20 +0000