One of the most vital things to get right in application security is dependency management, and to achieve this, your suite of AppSec tools must be up to date. This means that your vulnerability scanning, detection, and remediation capabilities must be able to identify and address the newest and most exploited vulnerabilities.
Do you know what these vulnerabilities are? Have you got them covered?
With the help of some of the world’s leading cybersecurity authorities, you can be. To find out how, read on.
The Feds and the Five Eyes are looking out for you and your AppSec
The Five Eyes (FVEY) intelligence alliance has released a list of the twelve most exploited vulnerabilities of 2022 in a joint cybersecurity advisory published in August 2023. The alliance comprises the following federal and national cybersecurity agencies:
United States: The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI)
Australia: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
Canada: Canadian Centre for Cyber Security (CCCS)
New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)
United Kingdom: National Cyber Security Centre (NCSC-UK)
2022’s top 12 is dominated by vulnerabilities in Microsoft (4), VMware (2), and Atlassian (2) software, plus software from Fortinet, Zoho, F5 Networks, and Apache. These include:
Fortinet’s FortiOS and FortiProxy SSL VPN credential exposure vulnerability CVE-2018-13379, rated critical (CVSS 9.1), which has been on the list since 2018
Microsoft’s Exchange Server ProxyShell vulnerabilities, namely remote code execution (RCE) CVE-2021-34473, security feature bypass CVE-2021-31207, and privilege escalation CVE-2021-34523, together with Microsoft’s RCE vulnerability CVE-2022-30190
VMware’s Workspace ONE Access and Identity Manager remote code execution (RCE) CVE-2022-22954 and improper privilege management CVE-2022-22960 flaws
The new list shows that attackers exploit older, unpatched security flaws more frequently than recently disclosed vulnerabilities. They prefer to develop exploits for prevalent CVEs and to target unpatched, internet-facing systems, usually within the first two years of public disclosure, after which the software is often patched or upgraded. They also prioritize vulnerabilities that are prevalent in their specific targets’ networks.
What should you do to ensure you’re protected?
The most important action you can take is preventive: regularly update and patch your software components and dependencies. To that end, CISA advises that vendors and developers ensure that their software, its components, and dependencies are secure by design and default by doing the following:
Identify repeatedly exploited classes of vulnerability, with an analysis of both CVEs and known exploited vulnerabilities
Implement appropriate mitigations to eliminate those classes of vulnerability
Ensure business leaders are responsible for security
Follow the U.S. National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF, SP 800-218) and its recommendations for mitigating the risk of software vulnerabilities, and build secure design practices into each stage of the software development lifecycle (SDLC)
Prioritize secure-by-default configurations such as eliminating default passwords, implementing single sign-on (SSO) technology via modern open standards, and providing high-quality audit logs to customers with no additional configuration and at no extra charge
Ensure published CVEs include the proper CWE field identifying the root cause of the vulnerability to enable industry-wide analysis of software security and design flaws.
CISA then advises end-user organizations to do the following:
Update software, operating systems, apps, and firmware on IT network assets in a timely manner
Prioritize patching known exploited vulnerabilities, then critical and high vulnerabilities that allow RCE or denial of service on internet-facing equipment
Replace end-of-life software
Routinely perform automated asset discovery to identify and catalog all systems, services, hardware, and software
Implement a robust patch management process
Document secure baseline configurations for all IT/OT components, including cloud infrastructure
Perform regular secure system backups and create known good copies of all device configurations for repairs and/or restoration
Maintain an updated cybersecurity incident response plan
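The patching priority above (known exploited vulnerabilities first, then critical and high RCE or denial-of-service issues on internet-facing equipment) can be expressed as a ranking function that a scanner's output is sorted through. The Python below is an added example, not code from Mend or from the CISA advisory; the KEV extract and the scan findings are constructed samples, and every CVSS score, impact, asset name and placeholder CVE ID other than CVE-2018-13379’s 9.1 is invented for the demo.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float            # CVSS base score
    impact: str            # "rce", "dos" or "other"
    internet_facing: bool
    asset: str


def load_kev_ids(kev_json: str) -> set:
    """Extract CVE IDs from a KEV catalog document. CISA publishes its catalog as
    {"vulnerabilities": [{"cveID": ...}, ...]}; the extract used here is constructed."""
    return {v["cveID"] for v in json.loads(kev_json)["vulnerabilities"]}


def tier(f: Finding, kev: set) -> int:
    """0 = known exploited; 1 = critical/high RCE or DoS on an internet-facing asset;
    2 = everything else (patched in normal cadence)."""
    if f.cve in kev:
        return 0
    if f.cvss >= 7.0 and f.impact in ("rce", "dos") and f.internet_facing:
        return 1
    return 2


def prioritize(findings, kev):
    """Patch order: tier first, then higher CVSS, then CVE ID to keep ties stable."""
    return sorted(findings, key=lambda f: (tier(f, kev), -f.cvss, f.cve))


# Constructed KEV extract: three of the 2022 top-12 CVEs named in the post.
SAMPLE_KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2018-13379"}, {"cveID": "CVE-2021-34473"}, {"cveID": "CVE-2022-22954"}]})

# Constructed scan results. Only CVE-2018-13379's 9.1 comes from the post; the other
# scores, impacts, assets and the CVE-PLACEHOLDER-* IDs are invented for the demo.
SAMPLE_FINDINGS = [
    Finding("CVE-PLACEHOLDER-0001", 9.8, "rce", True, "edge-proxy"),
    Finding("CVE-2018-13379", 9.1, "other", True, "ssl-vpn"),
    Finding("CVE-PLACEHOLDER-0002", 8.8, "rce", False, "build-server"),
    Finding("CVE-2021-34473", 9.1, "rce", True, "mail-gateway"),
    Finding("CVE-PLACEHOLDER-0003", 5.3, "dos", True, "public-web"),
]


def patch_order(findings=SAMPLE_FINDINGS, kev_json=SAMPLE_KEV_JSON):
    """Return CVE IDs in the order they should be patched."""
    return [f.cve for f in prioritize(findings, load_kev_ids(kev_json))]


if __name__ == "__main__":
    for rank, cve in enumerate(patch_order(), 1):
        print(rank, cve)
```

Note that the internal 8.8 RCE drops to the last tier because it is not internet-facing, which is exactly the distinction the advisory draws; a KEV entry outranks a higher-scored non-KEV finding.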
2. Identity and access management
Enforce phishing-resistant multifactor authentication (MFA) for all users
Enforce MFA on all VPN connections
Regularly review, validate, or remove privileged accounts
Configure access control under the principle of least privilege
3. Protective controls and architecture
Secure internet-facing network devices, disable unused or unnecessary network ports and protocols, encrypt network traffic, and disable unused network services and devices
Implement zero-trust network architecture to limit or block lateral movement by controlling access to applications, devices, and databases
Continuously monitor the attack surface and investigate abnormal activity that may indicate cyber actor or malware lateral movement
Use security tools, such as vulnerability scanning and remediation solutions
Use web application firewalls to monitor and filter web traffic, to detect and mitigate exploitation attempts when a malicious web request is sent to an unpatched device
Implement an administrative policy and/or automated process to monitor for unwanted hardware, software, or programs by checking them against an allowlist
Use a network protocol analyzer to examine captured data, including packet-level data
When using third-party applications, ensure contracts require vendors and/or third-party service providers to:
Provide notification of security incidents and vulnerabilities
Supply a Software Bill of Materials (SBOM) with all products to enhance vulnerability monitoring and to help reduce time to respond to identified vulnerabilities
Demonstrate how they are working to remove classes of vulnerabilities and to set secure default settings.
What tools can you use to protect yourself from these vulnerabilities?
You need to scan, detect, and fix vulnerabilities by using tools that can integrate into your development workflow, prioritize genuine threats, and automatically remediate issues, to make your AppSec and dependency management as simple and seamless as possible.
Ideally, use a platform that can perform all of these steps for both open source components and dependencies, and proprietary code, giving you the capability to:
Adam Murray is a content writer at Mend. He began his career in corporate communications and PR, in London and New York, before moving to Tel Aviv. He’s spent the last ten years working with tech companies like Amdocs, Gilat Satellite Systems, Allot Communications, and Sisense. He holds a Ph.D. in English Literature. When he’s not spending time with his wife and son, he’s preoccupied with his beloved football team, Tottenham Hotspur.