Vulnerability Management Today’s Lack of Software Visibility and the Implications

For the past decade, the focus in cybersecurity has largely been on hardware discovery and visibility. Organizations have made significant strides in identifying and managing their hardware assets, ensuring that every device connected to their networks is accounted for and secure. However, hardware visibility is only a starting point and an insufficient end game.

The spotlight is now shifting towards the new frontier of software discovery and visibility. In an era where software underpins nearly every aspect of business operations, being able to inventory and control software components within an organization's IT/OT/XIoT ecosystem is increasingly crucial. This blog explores the importance of software visibility, the current state of visibility practices, the implications of inadequate visibility, and steps companies can take to improve their software visibility.

The Importance of Software Visibility

Software visibility involves generating a comprehensive understanding and inventory of all the software components running within an organization's environment. This includes proprietary software, third-party libraries, open-source components, and any embedded software in hardware devices. For instance, a detailed software bill of materials (SBOM) provides a clear inventory of these components, much like a parts list you get with a piece of Ikea furniture.

The role of software visibility in identifying and managing risks cannot be overstated. By having a complete inventory of software components, organizations can adopt an inside-out approach to security. Afterall, vulnerabilities exist in software, so knowing what software components you have it the foundational starting point for vulnerability and risk management.

Rather than relying solely on traditional network-based vulnerability scans which can under report known vulnerabilities for embedded software by as much as 200 times, security teams can generate a complete list of CVE and non-CVE risks starting with exactly what software is running, what vulnerabilities exist, and how these vulnerabilities are being exploited.

Read more in the NetRise Supply Chain Visibility and Risk Study,
Edition 1: Networking Equipment; Q3 2024

The Current State of Software Visibility

The current state of software visibility is concerning. According to various surveys and research, including the NetRise study, many organizations lack comprehensive visibility into their software supply chains. In fact, only 7% of respondents to Sonatype’s ninth annual State of the Software Supply Chain report having made efforts to review security risks in their supply chains.¹

The NetRise study found that of the software on 100 different networking equipment devices analyzed across five classes of devices, namely: routers, switches, firewalls, VPN gateways, and Wireless APs, that the average device is quite complex and contains 1,267 software components. This is far greater visibility into software than most organizations have access to today.

Further, the study revealed 45 different Linux Kernel versions were in use, 60% of which were currently end-of-life. And for the 100 networking devices analyzed, there were 22,637 different software components, and if looking at the unique versions of those components, there were 35,683 unique software components/versions.

This is the level of software inventory and control we are talking about when we say a new era of software visibility is coming.

The 2017 Equifax breach is a real-world example that illustrates the consequences of software visibility gaps. In this instance, attackers exploited a known vulnerability in an open-source software component. Despite a patch being available, the vulnerability went unpatched due to a lack of software visibility into the software components used within Equifax. This breach resulted in the exposure of sensitive personal information of over 147 million individuals and cost Equifax hundreds of millions of dollars in damages and remediation efforts.

The Implications of Inadequate Visibility

Inadequate software visibility has far-reaching implications for organizations including:

1. Increased risk of undetected vulnerabilities and under reporting of vulnerabilities
   Without comprehensive software visibility, the majority of vulnerabilities remain undetected / unreported. The NetRise study highlighted that traditional vulnerability scanners miss a massive number of vulnerabilities, leading to an underreporting of risks and prioritization of the wrong risks. This leaves organizations exposed to serious software supply chain attacks.
   
   
2. Wasted security team efforts in patching and mitigating less important vulnerabilities
   If security teams lack visibility to the majority of their software vulnerabilities their patching and mitigation efforts are most likely completely misdirected and in the best case a complete waste of their time. This misallocation of effort is a travesty given how important it is to focus the limited resources of security teams’ time on the most impactful actions.
   
   
3. Increased risk of exposure to software supply chain cyberattacks
   The complexity and interconnectedness of modern software supply chains mean that a single vulnerability in a third-party component can have cascading effects. Inadequate software visibility makes it difficult to properly inventory and control software and to detect and respond to the most appropriate software risks, leaving organizations vulnerable to increasing supply chain cyberattacks.
   
   

Steps to Improve Software Visibility

To address these challenges, organizations must prioritize achieving comprehensive software visibility. The findings from the NetRise study underscore the critical importance of having a detailed understanding of all software components within the supply chain. Here are some basic steps companies should consider:

1. Generate comprehensive SBOMs
   Creating detailed software bills of materials (SBOMs) is the foundation of effective supply chain security. SBOMs provide a clear inventory of all software components, including third-party libraries and dependencies. This inventory is essential for identifying and managing risks effectively.
   
   
2. Implement automated software risk analysis
   Traditional network-based vulnerability scanners often underreport vulnerability information as we’ve seen. By augmenting these scans with detailed software risk analysis methods, companies can uncover a much more complete risk picture, ensuring a more thorough risk assessment. Automated tools can help generate and analyze SBOMs, providing continuous and up-to-date visibility.
   
   
3. Prioritize risk management
   Once comprehensive visibility is achieved, organizations should prioritize vulnerabilities based on factors beyond CVSS scores, such as weaponization and network accessibility. This approach ensures that the most critical threats are addressed first. Feeding this vulnerability information into existing security operations center (SOC) tools ensures it is widely available and actionable.
   
   
4. Continuous monitoring and updating
   Supply chain security is not a one-time effort. Continuous monitoring of software components is essential to stay ahead of emerging threats. Companies should establish processes for ongoing vulnerability assessment and remediation, ensuring that their software inventory is always current, and risks are continuously managed.

By focusing on these steps, organizations can significantly enhance their supply chain security processes, mitigate risks more effectively, and protect their critical assets.

Conclusion

The key takeaway is clear: you cannot secure what you do not see. Comprehensive software visibility is the starting point for any robust security strategy.

In today's complex and interconnected digital landscape, software visibility is no longer a luxury but a necessity. The lack of comprehensive visibility into software components poses significant risks, including undetected vulnerabilities, wasted security efforts, and increased exposure to supply chain attacks. By prioritizing software visibility, generating comprehensive SBOMs, implementing automated risk analysis, and maintaining continuous monitoring, organizations can build a strong foundation for their cybersecurity efforts.

The journey towards comprehensive software visibility may seem daunting, but it is a critical step in securing the software supply chain and protecting against the evolving threat landscape. As the NetRise study highlights, the implications of inadequate visibility are too severe to ignore. It is time for organizations to take proactive steps to improve their software visibility and safeguard their digital ecosystems.

Endnotes

1. 9th Annual State of the Software Supply Chain, Sonatype.

Originally published July 30, 2024, updated July 30, 2024.