Vulnerability Management The Limitations of Traditional Network-Based Vulnerability Scanning – And the Systematic Underestimation of Software Risks

NetRise research reveals traditional vulnerability scanners significantly underreport software risks. Learn how comprehensive software visibility can enhance vulnerability management.

Recent NetRise research found that vulnerability risks are, on average, 200 times greater than what traditional network-based vulnerability scanners report!

For years, traditional network-based vulnerability scanning has been a cornerstone of cybersecurity efforts for enterprise organizations. These scanners have played a critical role in identifying potential security weaknesses by analyzing network traffic and detecting known vulnerabilities in devices based on their make, model, and firmware versions. While these tools have been indispensable, they also have significant limitations that leave organizations vulnerable to hidden software risks.

As the cybersecurity landscape evolves, it is becoming increasingly clear that traditional vulnerability scanning methods are inadequate for addressing the complex and dynamic nature of modern software environments. This blog explores the limitations of these traditional methods, highlights findings from the NetRise Supply Chain Visibility & Risk Study, and discusses steps organizations can take to achieve comprehensive software visibility and better manage their vulnerability risks.

The Importance of Vulnerability Risk Management

Vulnerability risk management is a crucial component of any robust cybersecurity strategy. It involves identifying, assessing, and mitigating vulnerabilities to reduce the attack surface and protect against potential threats. Effective vulnerability risk management helps organizations prioritize their security efforts, allocate resources efficiently, and minimize the likelihood of successful cyberattacks.

By systematically identifying and addressing vulnerabilities, organizations can reduce their exposure to threats and improve their overall security posture. However, achieving this requires accurate and comprehensive visibility into all software components and their associated risks. Something traditional network-based vulnerability scanning cannot and does not provide.

Why Do Traditional Network-Based Scanners Underreport Software Vulnerabilities?

Traditional network-based vulnerability scanners can under report the extent of software vulnerabilities due to inherent limitations in their approach. These scanners typically perform surface-level assessments, focusing on known vulnerabilities associated with device make and model names, and possibly firmware versions. They rely on looking up the make, model, and firmware in existing vulnerability databases to generate a list of known vulnerabilities specifically reported for these devices.

However, this approach fails to account for vulnerabilities in deeply embedded software components and third-party libraries that make up the device's firmware and software stack. Vulnerability scanning from the outside cannot discover these detailed software components and libraries in the code, and thus cannot report on known vulnerabilities for the device that is running those software components.

The difficulty in getting to the entire software stack SBOM (Software Bill of Materials) and corresponding vulnerabilities has led to an attitude of acceptance throughout the industry when it comes to the risk these devices and software can pose in the network. This must change. Organizations need to adopt automated software analysis methods that provide a comprehensive and granular view of all software components and risks, complementing existing vulnerability scanning processes and helping prioritize the full list of vulnerabilities for security teams.

Examples of the Underreporting of Software Vulnerabilities

The most concerning finding from the recent NetRise Supply Chain Visibility & Risk Study is the significant underestimation of software vulnerability risks in networking equipment. The research uncovered that vulnerability risks are, on average, 200 times greater than what traditional network-based vulnerability scanners report. This discrepancy highlights a critical blind spot in current cybersecurity practices.

Read more in the NetRise Supply Chain Visibility and Risk Study, Edition 1: Networking Equipment; Q3 2024


Implications of Underestimation

This finding is particularly concerning because it means organizations have a false sense of security, believing their systems are more secure than they actually are. This false sense of security can lead to inadequate risk management practices and unpreparedness for potential attacks. The study underscores the urgent need for comprehensive software visibility because, without detailed insights into the entire software stack and their vulnerabilities, organizations cannot effectively prioritize and mitigate risks.

The implications of underestimating software vulnerabilities are far-reaching and severe:

  • False sense of security:

Incomplete scanning provides a false sense of security, leading organizations to believe they are more protected than they are. This can result in complacency and a lack of urgency in addressing critical vulnerabilities. At a minimum, organizations should understand their risk levels, even if all they do is explicitly acknowledge and accept these risks. 

  • Unaddressed risks and vulnerabilities:

Undetected vulnerabilities remain unaddressed, leaving systems exposed to potential exploits. These hidden vulnerabilities can be exploited by attackers, leading to significant security breaches.

  • Increased risk of exposure to software supply chain cyberattacks

Undetected threats can have substantial financial and operational impacts, especially if the company is hit with a complex to respond to and remediate supply chain cyber-attack.

 

Steps to Address the Limitations

To address these challenges, organizations must prioritize achieving comprehensive software visibility. The findings from the NetRise study underscore the critical importance of having a detailed understanding of all software components within the supply chain. Here are some basic steps companies should consider:

1. Generate comprehensive SBOMs

Creating detailed software bills of materials (SBOMs) is the foundation of effective supply chain security. SBOMs provide a clear inventory of all software components, including third-party libraries and dependencies. This inventory is essential for identifying and managing risks effectively.

2. Implement automated software risk analysis

Traditional network-based vulnerability scanners often underreport vulnerability information as we’ve seen. By augmenting these scans with detailed software risk analysis methods, companies can uncover a much more complete risk picture, ensuring a more thorough risk assessment. Automated tools can help generate and analyze SBOMs, providing continuous and up-to-date visibility.

3. Prioritize risk management

Once comprehensive visibility is achieved, organizations should prioritize vulnerabilities based on factors beyond CVSS scores, such as weaponization and network accessibility. This approach ensures that the most critical threats are addressed first. Feeding this vulnerability information into existing security operations center (SOC) tools ensures it is widely available and actionable.

4. Continuous monitoring and updating

Supply chain security is not a one-time effort. Continuous monitoring of software components is essential to stay ahead of emerging threats. Companies should establish processes for ongoing vulnerability assessment and remediation, ensuring that their software inventory is always current, and risks are continuously managed.

By focusing on these steps, organizations can significantly enhance their supply chain security processes, mitigate risks more effectively, and protect their critical assets.

Conclusion

The limitations of traditional network-based vulnerability scanning methods are becoming increasingly apparent in today’s complex cybersecurity landscape. These methods often fail to provide a complete picture of the vulnerabilities within an organization’s software environment, leading to a false sense of security and unaddressed risks. To address these challenges, organizations must adopt more robust vulnerability assessment strategies that include comprehensive software visibility and detailed risk analysis.

By generating comprehensive SBOMs, implementing automated software risk analysis, prioritizing risk management, and maintaining continuous monitoring and updating, organizations can significantly improve their vulnerability management practices and protect against evolving threats. The key takeaway is clear: comprehensive software visibility is essential for effective cybersecurity. Organizations cannot secure what they cannot see, and achieving detailed visibility into all software components is the first step towards a robust and resilient security strategy.

Originally published August 29th, 2024, updated August 29th, 2024.