Most reported CVEs for Docker Hub images are harmless

JFrog used Xray Container Contextual Analysis to scan the 200 most popular community images in Docker Hub, then tallied the results for the 10 most common CVEs. 78% were not exploitable.

Page 2 of 2

Ignoring the context doesn’t make sense

As time moves on, we are seeing fewer and fewer vulnerabilities that are exploitable without any preconditions. Library vulnerabilities will always have a code precondition (someone must use the library in a vulnerable manner) and daemon vulnerabilities are very unlikely to be exploitable in the default configuration, as that configuration is usually highly audited.

As we can see from our research results, the volume of non-applicable CVEs is simply staggering, even in a common use case and when using conservative, high-accuracy analysis techniques.

We believe these facts have been well understood by many security engineering professionals for a while now, since they are “in the trenches” each day trying to separate the wheat from the chaff. It’s time to move on from the completely manual approach and integrate better DevSecOps methodologies into the vulnerability remediation process.

Research is the heart of contextual analysis

Unfortunately, today it is still impossible to automatically define the rules needed for performing precise contextual analysis. Almost all vulnerability advisories lack formatted fields (or even free text) that provide the information needed for performing contextual analysis for each CVE. For example, what are the vulnerable functions or the vulnerable configuration of the affected component?

Generic techniques are possible, such as checking if the vulnerable library is even imported or checking whether the vulnerable service is actually started via runtime hooks. But these will never provide the needed accuracy that’s possible only with a per-CVE contextual scanner.

Among the much-welcomed pioneers in this field are the maintainers of the Go Vulnerability Database, where each security advisory also contains the list of vulnerable functions. Although this doesn’t solve 100% of the cases, it is an amazing start and we applaud them for cataloging this data.
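The Go Vulnerability Database convention described above, as an added example that is not JFrog's code or the Go project's tooling: a small checker that applies both levels of the check contrasted in the preceding paragraphs, the generic "is the vulnerable library imported at all" test and the per-advisory "is a listed vulnerable function actually referenced" test, while also handling an explicit import alias that a plain text search for `vulnlib.Parse` would miss. The module path, the vulnerable function names and the two source snippets are constructed placeholders, and only package-level functions are resolved (methods need type information, which a checker such as the Go team's govulncheck uses).

```go
package main

import (
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Analyze parses one Go file and returns the coarse signal (is the vulnerable module
// imported at all?) and the contextual one (which of the advisory's listed
// package-level functions does the code actually reference?). Methods listed as
// Type.Method would need go/types to resolve and are not handled here.
func Analyze(src, module string, vulnFuncs map[string]bool) (bool, []string, error) {
	f, err := parser.ParseFile(token.NewFileSet(), "input.go", src, 0)
	if err != nil {
		return false, nil, err
	}
	alias := "" // identifier the file uses for the vulnerable package; "" if not imported
	for _, imp := range f.Imports {
		if strings.Trim(imp.Path.Value, `"`) == module {
			alias = module[strings.LastIndex(module, "/")+1:] // default: last path element
			if imp.Name != nil {
				alias = imp.Name.Name // explicit alias, e.g. import vl "example.com/vulnlib"
			}
		}
	}
	if alias == "" {
		return false, nil, nil // the generic import check already says: not applicable
	}
	var called []string
	// Only selectors alias.Name whose Name is in the advisory list reach vulnerable code.
	ast.Inspect(f, func(n ast.Node) bool {
		if sel, ok := n.(*ast.SelectorExpr); ok {
			if id, ok := sel.X.(*ast.Ident); ok && id.Name == alias && vulnFuncs[sel.Sel.Name] {
				called = append(called, sel.Sel.Name) // one entry per call site
			}
		}
		return true
	})
	return true, called, nil
}

// Constructed sample advisory data and sources; the module path is a placeholder.
var SampleModule = "example.com/vulnlib"
var SampleVulnFuncs = map[string]bool{"Parse": true, "Unmarshal": true}

const ImportOnly = "package demo\nimport \"example.com/vulnlib\"\nfunc V() string { return vulnlib.Version() }\n"
const CallsParse = "package demo\nimport vl \"example.com/vulnlib\"\nfunc P(b []byte) error { _, err := vl.Parse(b); return err }\n"
```

Run against the two constructed snippets, the first is reported as imported but with no vulnerable function called (the case the generic check would still flag), and the second as imported with `Parse` reached through the `vl` alias.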


JFrog’s contextual analysis is based on the daily work of JFrog’s security research team, which analyzes each new vulnerability on the same day it is disclosed, to provide the fastest and most accurate contextual analysis.

Contextual Analysis with JFrog Advanced Security

This research was powered by the new Container Contextual Analysis feature in JFrog Xray. This technology provides the ability to scan containers for the presence of malicious packages or use of vulnerable open-source code inside enterprise applications early in the development process. Container Contextual Analysis also details which open source vulnerabilities are actually exploitable in the context of a company’s own code, allowing developers to disregard or de-prioritize non-applicable incidents, which helps to sharpen focus and remediation efforts.

For additional information, please visit https://research.jfrog.com or follow @jfrogsecurity on Twitter.

A special thank you to David Fadida, Katriel Kaplun, and Michael Iline from the JFrog Security Research team, who helped with various parts of this research.

Shachar Menashe is senior director of JFrog Security Research. With more than 10 years of experience in security research, including low-level R&D, reverse engineering, and vulnerability research, Shachar is responsible for leading a team of researchers in discovering and analyzing emerging security vulnerabilities and malicious packages. He joined JFrog through the June 2021 acquisition of Vdoo, where he served as vice president of security. Shachar holds a B.Sc. in electronics engineering and computer science from Tel-Aviv University.

Jonathan Sar Shalom is the director of threat research at JFrog Security Research. Jonathan leads the threat research team in JFrog Security, specializing in vulnerabilities analysis, threat intelligence research, and automated threats detection.

Nitay Meiron is a junior security researcher at JFrog Security Research. Nitay is a graduate of Israel's national cyber education program, specializing in vulnerabilities and threat research.

New Tech Forum provides a venue to explore and discuss emerging enterprise technology in unprecedented depth and breadth. The selection is subjective, based on our pick of the technologies we believe to be important and of greatest interest to InfoWorld readers. InfoWorld does not accept marketing collateral for publication and reserves the right to edit all contributed content. Send all inquiries to newtechforum@infoworld.com.

Copyright © 2022 IDG Communications, Inc.
