Why Vulnerability Scanning Alone Is Not Enough to Keep Your Software Secure
If your current software security testing does vulnerability scanning, congratulations. You are addressing the known vulnerabilities, some of which may be exploited against your software in a future attack.
Unfortunately, you are only addressing the known vulnerabilities and missing the bigger picture, which are the unknown vulnerabilities. That’s where the zero days live. And that’s why you need to do defect testing too.
Perhaps it’s best to start by defining some terms.
Defects, Vulnerabilities, and Exploits … oh, my!
Defects are common. Application Security Software will parse through the source code or monitor the runtime operation of your application. In general, both methods will identify defects in the application. A lot of these defects are trivial and easily resolvable. A few, however, are vulnerabilities. And a few of these vulnerabilities are exploitable today.
Vulnerabilities are defects that can cause damage. A few caveats: just because a defect isn’t a vulnerability today doesn’t mean it won’t become one later. Vulnerabilities need to be identified and corrected. So how do we identify these vulnerabilities?
- Common Weakness Enumeration (CWE) is a set of conditions that have been identified as potentially causing a vulnerability. For example, CWE-763 is titled “Release of Invalid Pointer or Reference”. What that means is that “the application attempts to return a memory resource to the system, but calls the wrong release function or calls the appropriate release function incorrectly.”
- Common Vulnerabilities & Exposures (CVE) is a specific list of identified and confirmed vulnerabilities. Often, these are available with a workaround or patch from the vendor. Since they are known and exploitable, CVEs are given Common Vulnerability Scoring System (CVSS) numbers as a method used to supply a qualitative measure of severity. These can be adjusted in severity based on your organization’s own criteria. For example, CVE-2014-0160 (aka Heartbleed) had an initial CVSS of 5/10 (or medium). However, for those using ecommerce and financial systems, the CVSS of Heartbleed was closer to a 10/10.
Vulnerability scanning is just that: it takes a list of known weaknesses or known vulnerabilities and it compares that list to your software. Defect testing, then, is dynamic in that it vigorously exercises the defects to prove that they are important. Defect testing helps eliminate if not greatly reduce the number of false positives that vulnerability scanning alone can produce.
So what, then, are Exploits?
Exploits are “weaponized” vulnerabilities and may consist of more than one of what’s called an “exploit chain”. “Weaponized” simply means that a program has been written to leverage the known vulnerability in the software, i.e. make it actionable.
Often a bad actor will chain together seemingly harmless vulnerabilities that, when executed together, are exploitable on a given system. That’s why it’s important to find all the defects in a system—whether they are known or unknown vulnerabilities.
The Mayhem Difference
The current application security market is very reactive. Tools like Static Analysis Security Testing (SAST) and Software Composition Analysis (SCA) look for known weaknesses and known vulnerabilities and exposures. While this is good, you also need to consider that this methodology only represents a small portion of your total code. There’s a very large portion of your software that’s not being tested with vulnerability scanning alone.
Mayhem Tests for More
Mayhem, through the use of generational fuzz testing and symbolic execution, is a Dynamic Application Security Testing platform that exercises the rest of your code, autonomously generating new test cases that work the various paths through the code that isn’t being scanned by the current market tools.
Mayhem helps find potential vulnerabilities and potential zero days (meaning the vendor has had zero days to patch the vulnerability). Mayhem covers defect testing, vulnerability scanning, and more in one tool, taking each defect it finds and testing it three times to verify that it is in fact a vulnerability.
Development Speed or Code Security. Why Not Both?
Mayhem is an award-winning AI that autonomously finds new exploitable bugs and improves your test suites.