There’s no such thing as a piece of software with zero bugs. No matter how much user-testing is carried out, achieving completely bug-free software is virtually impossible, especially when it comes to larger applications. Bugs can be annoying, but where they get really problematic is when they become vulnerabilities, meaning a bug that can be exploited for nefarious purposes.
Unfortunately, while the problems resulting from vulnerabilities continue to be highly publicized, the problem is getting worse. 2020 broke records as the year with the highest number of reported vulnerabilities. For those without proper preventative measures in place, such as Web Application Firewalls (WAF), this poses a major threat.
More vulnerabilities than ever
The statistic about 2020’s record year (in all the worst ways) comes from data gathered by the United States’ National Institute of Standards and Technology (NIST), a non-regulatory agency of the U.S. Department of Commerce. Analysis of NIST’s data uncovered 18,103 vulnerabilities disclosed in 2020, of which more than half (10,342, to be exact) were classified as either high or critical in terms of their severity. The number of security loopholes falling under this category was higher than the total number of vulnerabilities disclosed one decade earlier, in 2010.
Software vulnerabilities can have dire consequences. They could, for instance, be used for elevation of privilege, in which a hacker breaks into a system and then elevates their access to administrator or some other senior level. This allows them to seize control of computers for malicious purposes. They might alternatively — or additionally — exploit vulnerabilities so as to gain access to confidential information such as customer data.
Most developers are quick to act when it comes to patching vulnerabilities as they’re discovered in software. While the ideal scenario is for a company to issue bug-free software in the first place, as noted this is extremely difficult (if not totally out of the question) to do.
As a secondary measure, devs therefore try to spot bugs or vulnerabilities before they can be identified by would-be cyber attackers. They might discover these bugs themselves or through security researchers, who are often rewarded through a so-called bug bounty program. Developers can then create a fix for these flaws and push it out to customers. This approach is a bit like a homeowner checking their own property for loose windows or doors that could be forced, and then fixing them, before they can be exploited by a potential burglar.
The challenge with patches
This works well in many situations. However, there are potential exceptions. One is in the event that the developer is unscrupulous and slow to react, even when they are aware that a potential vulnerability exists. Rather than fixing it themselves, or hiring someone to do it for them, they might just sit by and do nothing.
Another possible exception involves zero-day vulnerabilities. These are vulnerabilities which have not yet been disclosed to developers and are therefore unknown to them. The term “zero day” refers to the number of days that the developer or vendor has had to fix a vulnerability prior to it being exploited in the wild.
The third and, perhaps, most commonplace exception involves the challenges associated with patching software. For a patch to work, it has to be installed by affected users. To return to the homeowner analogy, it’s the difference between knowing that a certain window in your house is loose and actually taking the time to fix it.
Developers today make it easy for patches to be installed, by making them freely available over-the-air to customers. But not every customer will install them right away. Keeping on top of the vast number of vulnerabilities and ensuing security patches released is virtually a full-time job. In a surprisingly large number of cases, users will be aware of vulnerabilities they face prior to an attack taking place; they just won’t have gotten around to actually installing the patch in question.
This is likely to be especially true for businesses, which may use a far greater number of software packages and be wary of the downtime that might result from updating widely used applications. With so many patches to deal with, many businesses will try and prioritize them based on the ones that seem most critical at that juncture. Overstretched cybersecurity teams cannot keep up with patching, thereby leaving organizations vulnerable to exploitation.
Invest in the right tools to help
As challenging as it might be, the best advice is to try to keep abreast of security vulnerabilities and the patches that fix them. But it’s also a smart idea to invest in the right cybersecurity tools to help. Web Application Firewalls (WAFs) and Runtime Application Self-Protection (RASP) tools can help to mitigate the incoming threats that accompany vulnerability exploitation. In practice, this means inspecting incoming requests and detecting and blocking malicious inputs and request payloads before they reach the vulnerable code.
Stopping cyber attacks in their tracks isn’t easy. Cyber attackers have one job they’re focused on: Finding ways to exploit vulnerabilities to make your life tougher. Businesses, on the other hand, have many things they need to focus on, meaning that these kinds of preventative measures frequently get prioritized less than they should.
That’s understandable, but something it’s crucial to change. If 2020 was the year in which there were more reported vulnerabilities than ever, make 2021 the year in which you did something about it.