One of the most vital things to get right in application security is dependency management, and to achieve this, your suite of AppSec tools must be up to date. This means that your vulnerability scanning, detection, and remediation capabilities must be able to identify and address the newest and most exploited vulnerabilities.
Do you know what these vulnerabilities are? Have you got them covered?
With the help of some of the world’s leading cybersecurity authorities, you can be. To find out how, read on.
The Feds and the Five Eyes are looking out for you and your AppSec
The Five Eyes (FVEY) intelligence alliance has released a list of the top twelve most exploited vulnerabilities in 2022, in a new joint cybersecurity advisory published August 2023. The alliance involves the following federal and national cybersecurity agencies:
United States: The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Federal Bureau of Investigation (FBI)
Australia: Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)
Canada: Canadian Centre for Cyber Security (CCCS)
New Zealand: New Zealand National Cyber Security Centre (NCSC-NZ) and Computer Emergency Response Team New Zealand (CERT NZ)
United Kingdom: National Cyber Security Centre (NCSC-UK)
This new list shows that attackers exploit older, unpatched security flaws more often than recently disclosed vulnerabilities. They prefer to develop exploits for prevalent CVEs and to target unpatched, internet-facing systems, usually within the first two years of public disclosure, after which the software is often patched or upgraded. They also prioritize the vulnerabilities that are most prevalent in their specific targets’ networks.
What should you do to ensure you’re protected?
The most important action you can take is preventive: regularly update and patch your software components and dependencies. To that end, CISA advises that vendors and developers ensure that their software, its components, and dependencies are secure by design and default by doing the following:
Identify repeatedly exploited classes of vulnerability, with an analysis of both CVEs and known exploited vulnerabilities
Implement appropriate mitigations to eliminate those classes of vulnerability
Ensure business leaders are responsible for security
Follow the U.S. National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF, SP 800-218), which recommends practices for mitigating the risk of software vulnerabilities, and implement secure design practices in each stage of the software development lifecycle (SDLC)
Prioritize secure-by-default configurations such as eliminating default passwords, implementing single sign-on (SSO) technology via modern open standards, and providing high-quality audit logs to customers with no additional configuration and at no extra charge
Ensure published CVEs include the proper CWE field identifying the root cause of the vulnerability to enable industry-wide analysis of software security and design flaws.
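The three analyses the advisory asks for (which vulnerability classes recur among known-exploited CVEs, which CVE records lack the CWE field that makes such classification possible, and how many exploited CVEs are older than the two-year window described above) can be run over any CVE-plus-CWE dataset. The following is an added example, not code from Mend or from the advisory; its records are constructed, the CVE ids are placeholders, and the record layout is an assumption rather than the real KEV catalog schema.

```python
"""Added example: analyse exploited-vulnerability records by CWE class."""
from collections import Counter
from datetime import date

# Constructed sample records with placeholder CVE ids (not real advisories).
# Each record carries the CWE root cause (None when the CVE was published
# without one), the public disclosure date, and whether the CVE appears on
# a known-exploited-vulnerabilities (KEV-style) list.
SAMPLE_RECORDS = [
    {"cve": "CVE-0000-0001", "cwe": "CWE-502", "disclosed": date(2019, 3, 1), "kev": True},
    {"cve": "CVE-0000-0002", "cwe": "CWE-502", "disclosed": date(2021, 6, 1), "kev": True},
    {"cve": "CVE-0000-0003", "cwe": "CWE-287", "disclosed": date(2022, 1, 15), "kev": True},
    {"cve": "CVE-0000-0004", "cwe": None, "disclosed": date(2020, 9, 9), "kev": True},
    {"cve": "CVE-0000-0005", "cwe": "CWE-502", "disclosed": date(2022, 8, 1), "kev": False},
    {"cve": "CVE-0000-0006", "cwe": "CWE-78", "disclosed": date(2018, 5, 5), "kev": True},
]

# Reference date for the age calculation (assumed: end of the 2022 reporting year).
AS_OF = date(2022, 12, 31)


def exploited_classes(records, min_count=2):
    """CWE classes that recur among known-exploited CVEs, with their counts.

    Only KEV-listed records with a CWE are counted; these are the classes the
    advisory says vendors should eliminate rather than patch one CVE at a time.
    """
    counts = Counter(r["cwe"] for r in records if r["kev"] and r["cwe"])
    return {cwe: n for cwe, n in counts.items() if n >= min_count}


def missing_cwe(records):
    """CVEs published without a CWE field; they cannot be put in any class."""
    return [r["cve"] for r in records if not r["cwe"]]


def older_than(records, as_of=AS_OF, years=2):
    """Known-exploited CVEs disclosed more than `years` before `as_of`."""
    return [r["cve"] for r in records
            if r["kev"] and (as_of - r["disclosed"]).days > years * 365]


if __name__ == "__main__":
    print("recurring classes:", exploited_classes(SAMPLE_RECORDS))
    print("records missing CWE:", missing_cwe(SAMPLE_RECORDS))
    print("exploited CVEs older than two years:", older_than(SAMPLE_RECORDS))
```

On real data, replace SAMPLE_RECORDS with records assembled from a CVE feed that carries CWE ids; a large missing_cwe result is itself the gap the advisory's last recommendation is aimed at.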
CISA then advises end-user organizations to do the following:
Demonstrate how they are working to remove classes of vulnerabilities and to set secure default settings.
What tools can you use to protect yourself from these vulnerabilities?
You need to scan, detect, and fix vulnerabilities by using tools that can integrate into your development workflow, prioritize genuine threats, and automatically remediate issues, to make your AppSec and dependency management as simple and seamless as possible.
Ideally, use a platform that can perform all of these steps for both open source components and dependencies, and proprietary code, giving you the capability to:
Adam Murray is a content writer at Mend. He began his career in corporate communications and PR, in London and New York, before moving to Tel Aviv. He’s spent the last ten years working with tech companies like Amdocs, Gilat Satellite Systems, Allot Communications, and Sisense. He holds a Ph.D. in English Literature. When he’s not spending time with his wife and son, he’s preoccupied with his beloved football team, Tottenham Hotspur.