Cybersecurity Gaps in Scanning and Patching Vulnerabilities in Software | SPONSORED
Current strategies of scanning for and patching vulnerabilities in software leave a huge and highly-exploitable security gap.
Recent research by RunSafe Security partners show that current strategies of scanning for and patching vulnerabilities in software leave a huge and highly-exploitable security gap. When measured against NIST CVEs (Common Vulnerability Enumerations from the National Vulnerability Database), the researchers found that:
- Memory vulnerabilities are the most frequent CVEs reported in the database, making up 40% of the total, and are ranked as the #1 software weakness in MITRE’s current CVE rankings.
- 59% of these memory CVEs have exploits available.
- They produce the highest CVSS consequence scores, in the 7.2 to 9.8 out of 10.0 (the High and Critical ranges), in NIST’s Common Vulnerability Scoring System. In layman’s terms these are the vulnerabilities that, if exploited, can cause the most damage to an organization.
- Only 2.5% (15 of 592) of all Linux CVEs are currently detected by scanning tools, leaving a massive 97.5% security gap.
Cybersecurity for Scanning and Patching
Does this mean scanning and patching are no longer relevant? Obviously they are – they are essential foundation elements for effective cyber security and hygiene.
What it does mean is that other solutions are required to fill the gap, to mitigate vulnerabilities before they are detected, reported, or patched. RunSafe calls this category “software immunization,” by which code can be inoculated against vulnerabilities before deployment. We believe this “third leg of the stool” is an essential new approach that can increase software security by a full order of magnitude, and in many specific use cases completely eliminate the most dangerous weakness in software today, memory-based vulnerabilities.
According to Thomas Scanlon at Carnegie Mellon’s Software Engineering Institute, “84% of software breaches exploit vulnerabilities at the application layer”. This has driven an entire domain of application security testing tools and techniques.