New research finds that hidden software risks in networking equipment are 200 times greater than traditional network-based vulnerability scanners report.
AUSTIN, Texas, July 24, 2024 - NetRise, the company providing granular visibility into the world's software — helping companies inventory and control software assets and detect and respond to software risks — today announced its newest report, the Supply Chain Visibility & Risk Study, which analyzes software compositions, vulnerability risks, and non-CVE risks present in the software of enterprise networking equipment. The report examines the scope and scale of software components and software risks across five classes of networking equipment: routers, switches, firewalls, VPN gateways, and wireless access points.
"From third-party software to open source, applications, containers and device firmware, organizations rely on a complex array of software to power their networking equipment," said Thomas Pace, CEO of NetRise. "This comes with hidden dangers that many security professionals are unaware of or do not fully understand. The reality is that every piece of software that an organization brings into its environment comes with risks, as evidenced by triple-digit increases in software supply chain attacks in this particular segment. The principle of 'trust but verify' is business-critical, and to get there, companies need visibility into all their software components and dependencies to mitigate risks."
Security teams struggle to respond to vulnerabilities, especially when they are embedded in software dependencies. Because software components have traditionally not been disclosed, their contents are often opaque to teams trying to determine whether they are affected. According to Ponemon's 2024 report, The State of Software Supply Chain Security Risks, only 29% of organizations conduct post-build software dependency/artifact analysis to prevent malicious packages from impacting the software they build, buy, or use, and a mere 38% of respondents say the budget and staffing dedicated to securing the software supply chain is 'sufficient' or 'very sufficient'. Adding to the challenge, according to Sonatype's ninth annual State of the Software Supply Chain report, the supply chain of open source and proprietary libraries is so complex that only 7% of respondents have attempted to review the related risks.
The report's key findings include:
- Start with inventorying software to understand risks: Software is complex, so understanding risks starts with visibility into the software itself. For example, NetRise researchers analyzed the device software to generate detailed SBOMs for the tested networking equipment and found that each device contained, on average, 1,267 software components.
- Detailed software analysis outperforms traditional network-based vulnerability scanning: NetRise found that vulnerability risks are, on average, 200 times greater than the findings from traditional network-based vulnerability scanners. NetRise researchers uncovered an average of 1,120 known vulnerabilities per device in the underlying software components, more than one-third of which were five years old or older.
- Do not rely solely on CVSS severity scores to prioritize risks: Over 42% of the 1,120 known vulnerabilities in each networking device are rated Critical or High by CVSS severity score, which works out to 473 Critical and High vulnerabilities per networking device - more than any team can reasonably expect to respond to. Through detailed software analysis, NetRise uncovered on average 20 weaponized vulnerabilities per networking device, of which only 7 are also network accessible.
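The prioritization these findings describe (CVSS rating first, then whether a finding is weaponized, then whether the affected component is actually network accessible) is shown below as an added example; it is not NetRise's code or the study's tooling. It runs over a constructed SBOM fragment and constructed vulnerability records: the VULN-* identifiers are placeholders rather than real CVEs, the weaponized flag is assumed to come from an exploited-in-the-wild list, and network accessibility is approximated by whether the affected component backs a listening service on the device. It also computes the same per-device tallies the report quotes (Critical/High count, findings five or more years old, weaponized, weaponized and reachable), so the reader can see how a funnel like 1,120 / 473 / 20 / 7 is derived from an SBOM.

```python
"""Triage SBOM-derived vulnerabilities by more than CVSS.

Added illustration, not NetRise code. Every component, vulnerability record
and flag below is constructed for the example; the VULN-* identifiers are
placeholders, not real CVE IDs.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Vuln:
    vuln_id: str       # placeholder identifier (constructed, not a real CVE)
    component: str     # SBOM component the finding is attached to
    cvss: float        # CVSS v3 base score
    published: date    # disclosure date, used to compute the finding's age
    weaponized: bool   # assumption: sourced from an exploited-in-the-wild list


# Constructed SBOM fragment: component -> True if it backs a listening
# network service on the device (the basis for "network accessible").
SBOM = {
    "libexample-tls": True,
    "example-httpd": True,
    "example-cli-tool": False,
    "libexample-parser": False,
}

# Constructed findings, as an SBOM-to-vulnerability lookup might return them.
VULNS = [
    Vuln("VULN-0001", "libexample-tls", 9.8, date(2016, 3, 1), True),
    Vuln("VULN-0002", "example-httpd", 7.5, date(2022, 6, 15), True),
    Vuln("VULN-0003", "libexample-parser", 9.1, date(2019, 1, 10), True),
    Vuln("VULN-0004", "example-httpd", 8.8, date(2023, 11, 2), False),
    Vuln("VULN-0005", "libexample-tls", 5.3, date(2015, 7, 20), False),
    Vuln("VULN-0006", "example-cli-tool", 7.2, date(2024, 2, 5), False),
    Vuln("VULN-0007", "libexample-parser", 4.0, date(2018, 9, 30), False),
    Vuln("VULN-0008", "example-cli-tool", 9.0, date(2012, 5, 12), False),
]

REPORT_DATE = date(2024, 7, 24)  # date of the press release


def severity_bucket(cvss: float) -> str:
    """Map a CVSS v3 base score onto the standard qualitative rating."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "None"


def years_old(published: date, today: date) -> float:
    """Age of a finding in (approximate) years."""
    return (today - published).days / 365.25


def is_reachable(v: Vuln, sbom: dict[str, bool]) -> bool:
    """Network accessible = the affected component backs a listening service."""
    return sbom.get(v.component, False)


def tier(v: Vuln, sbom: dict[str, bool]) -> int:
    """Lower is more urgent: weaponized and reachable first, CVSS alone last."""
    if v.weaponized and is_reachable(v, sbom):
        return 0
    if v.weaponized:
        return 1
    if severity_bucket(v.cvss) in ("Critical", "High"):
        return 2
    return 3


def prioritized(vulns, sbom) -> list[str]:
    """Return vulnerability IDs ordered by tier, then by CVSS within a tier."""
    ordered = sorted(vulns, key=lambda v: (tier(v, sbom), -v.cvss))
    return [v.vuln_id for v in ordered]


def triage(vulns, sbom, today=REPORT_DATE) -> dict[str, int]:
    """The per-device tallies the report reads out, computed from the inputs."""
    return {
        "total": len(vulns),
        "critical_or_high": sum(severity_bucket(v.cvss) in ("Critical", "High") for v in vulns),
        "five_years_or_older": sum(years_old(v.published, today) >= 5 for v in vulns),
        "weaponized": sum(v.weaponized for v in vulns),
        "weaponized_and_reachable": sum(tier(v, sbom) == 0 for v in vulns),
    }


if __name__ == "__main__":
    for name, count in triage(VULNS, SBOM).items():
        print(f"{name:>26}: {count}")
    print("work queue:", ", ".join(prioritized(VULNS, SBOM)))
```

On the constructed data, six of eight findings are Critical or High by CVSS alone, but only two are both weaponized and reachable from the network; those two go to the top of the queue regardless of score, which is the ordering the third finding argues for. In a real pipeline the `weaponized` flag and the per-component exposure map would be populated from an exploited-vulnerability catalogue and from the device's listening services rather than hand-written.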
The lack of transparency and trust within the software supply chain is a business-critical problem for organizations worldwide. The bottom line: transparency into the contents of commercial software is essential. As a starting point, organizations need comprehensive visibility into their software to understand its scope, scale, and related risks. Advanced tooling can provide that insight: detailed SBOMs for all software, detection of vulnerabilities and non-CVE risks, and prioritization of the identified software supply chain risks, which in turn enrich the asset discovery, vulnerability management, and intrusion detection tools used within security operations.
To download the full report, visit: NetRise Supply Chain Visibility & Risk Study
Methodology
NetRise analyzed the software on 100 networking equipment devices, focusing on five device classes: routers, switches, firewalls, VPN gateways, and wireless access points. The following steps outline the research process:
Software Bill of Materials (SBOM) Analysis: To gain complete visibility into the software components running on the devices, researchers used the NetRise Platform to generate detailed SBOMs for each device class. This involved identifying all software components, including third-party libraries and dependencies, to capture the complete software stack.
Vulnerability and Non-CVE Risk Assessment: To evaluate device risk across both known vulnerabilities (CVEs) and non-CVE risks, researchers used the NetRise Platform to identify vulnerabilities listed in the CVE database as well as non-CVE risks such as misconfigurations, outdated components, and potential security flaws not yet publicly disclosed.
Comparison with Traditional Network-Based Vulnerability Scanning: To benchmark the NetRise Platform's findings against traditional vulnerability scanning methods, researchers used the output of traditional vulnerability scanners and NVD results as a baseline and compared it with the risk assessments produced by the NetRise Platform. The comparison highlighted the discrepancies between the two approaches and underscored the need for an 'inside-out', SBOM-based analysis.
About NetRise
Based in Austin, Texas, NetRise was built by defensive cyber experts with backgrounds across the private sector, intelligence community, and U.S. federal government to solve the software supply chain security problem. The company partners with companies across manufacturing, automotive, medical devices, industrial control systems, satellites, and many more. https://www.netrise.io/
Media Contact:
Michelle Yusupov
Hi-Touch PR
443-857-9468
yusupov@hi-touchpr.com