“Is today’s software more vulnerable?” asks the European Union Agency for Network and Information Security (ENISA).
This question was posed shortly after researchers uncovered potentially industry-wide vulnerabilities in the 4G LTE protocol, an incident that is far from exceptional. The National Vulnerability Database and the Common Vulnerabilities and Exposures database both recorded more than 6,000 new vulnerabilities in 2016 – a figure that pales in comparison to the 14,500 vulnerabilities discovered in 2017. ENISA adds that 2018 is on track for 24,000 disclosed vulnerabilities.
Why are more software vulnerabilities being disclosed?
- There are more Internet-connected devices and applications to be exploited. Property Update claims that 328 million new devices are connected to the Internet each month, from computers, tablets and phones to Internet of Things (IoT) devices. This has led to greater competition between software providers, and applications are being pushed into the marketplace before they are ready or by opportunistic developers with “relatively low maturity in software development and secure-coding skills”.
- The demand for interconnectivity, integration and platform compatibility makes software more complex, opening the door for vulnerabilities. ENISA notes that 80-90% of modern applications use open-source software components to address these demands, which exacerbates the problem. A Sonatype report found that 1 in 18 open-source components downloaded in 2017 had a known security vulnerability.
- Organisations are getting better at identifying vulnerabilities – or, to be more precise, there are more people informing organisations about vulnerabilities. The majority of software flaws are identified by outsiders, according to a report by Risk Based Security. Organisations often encourage outsiders to look for vulnerabilities by offering rewards.
- There are more cyber criminals looking for vulnerabilities, so it’s more likely that they will be discovered.
- Vendors are adopting ‘vulnerability-by-design’. This might be for malicious purposes, hidden commercial agendas or surveillance programmes.
- Many software designers use outdated system architectures, which are susceptible to attack. This is either through oversight or to save money.
Mitigating software vulnerabilities
ENISA paints a pessimistic future for software providers, indicating that the rapid rise in security flaws is part and parcel of the growing technology industry. Although some problems are out of organisations’ control, there are ways to mitigate the risk of software vulnerabilities. For instance, all new software should be subject to a penetration test, in which a professional tester, working on behalf of the organisation, looks for vulnerabilities in the same way a criminal hacker would.
Penetration tests allow organisations to identify and address vulnerabilities before their products are released. This is more cost-effective than discovering the vulnerability later and having to patch the software, or worse yet, having a cyber criminal discover and exploit the vulnerability.
IT Governance is a CREST-accredited provider of penetration tests, and we offer a range of services to help organisations of all sizes manage their cyber security strategies.