Picture your software development team. You’ve finished a development sprint and are about to roll out a new set of features for your applications. These applications may be modern mobile-based or traditional browser-based ones, and you may have implemented a set of new software components (Docker containers, software libraries, etc.). However, unbeknownst to your team, this additional software has introduced a whole new set of vulnerabilities, both through the code developed by the in-house team and through those inherited by the additional software components (whether proprietary or open-source) that you recently implemented.

For each vulnerability, the clock begins: from the time that it is introduced until the time that it is remediated (assuming that it is discovered in the first place), your application remains exposed to attack. This period of exposure that each vulnerability introduces to an organization is known as the Window of Exposure (WoE), while the timeframe from when a vulnerability is discovered to when it is fully remediated is known as the Time to Fix (T2F).

Figure: The Window of Exposure and the Time to Fix.

Although the WoE and T2F sound similar in definition, they are distinct metrics, and both are ones that executives, risk managers, security practitioners, and software developers must quickly become familiar with, given today’s cyberthreat landscape.

Understanding the Time and Risk Surface Challenges of AppSec

So how long do vulnerabilities really remain in applications?

In 2018, NowSecure, WhiteHat, and Coalfire reported a year-on-year increase in the number of serious vulnerabilities across all major industries, barring a few, with most industries being exposed to vulnerabilities for at least a year [1]. Even worse, industries such as Construction, Public Administration, Information, and Finance and Insurance were identified as being constantly exposed to at least 40% of their vulnerabilities. To be absolutely clear, 40% of their vulnerabilities were not remediated at all!

More recently, in 2019, Edgescan identified that the time to fix ‘critical’ application bugs can take as long as 215 days, while ‘high’ and ‘medium’ severity ones could take up to 323 days and 348 days, respectively.

They also found that “Web Application security is still the area of most risk from a security breach standpoint” [2].

So, what does this tell us?

Well, first, it tells us that to get a better grasp of these security metrics, and of where an organization stands with respect to them, decision-makers must understand their organization’s risk surface area. In particular, they need to know which applications and technologies they use, their APIs, the vulnerabilities these may possess, and where such vulnerabilities are likely to be located or to arise in the future, both through static analysis and testing (e.g. reviewing code to identify errors and problematic libraries) and through dynamic analysis and testing (e.g. live testing of applications and UX analysis to identify vulnerabilities that may be discovered in production).

Using AI to Shrink the Gap

As application security research has found, vulnerabilities are being introduced into applications faster than they can be remediated [1,2]. Therefore, an organization’s risk or vulnerability surface area (the distribution of vulnerabilities across its applications and services), its average WoE (the time for which vulnerabilities are present), and its average T2F (the time taken to fix an identified vulnerability) are three key metrics that can be leveraged to better position an organization against modern threats. Managing an organization’s risk surface may be an expensive but necessary task, requiring the whole software portfolio to be assessed and tracked, while controlling the T2F window may be difficult, as it is often limited by the complexity of the issue at hand and by the availability of experienced software developers to remediate it. However, controlling the WoE is an area where automated and AI-powered detection technologies can make an immediate impact.

What separates the WoE and the T2F is the detectability of the vulnerability. If you can detect the vulnerability quicker, you can shrink the WoE and shift the T2F window forward so that developers can start seeking out solutions sooner rather than later. AI solutions are quickly making their mark in SIEM systems, alerting SecOps to (new) attacks more quickly and with more precision than older iterations, and, with this, providing a new capability for software developers to identify emerging and zero-day vulnerabilities that sophisticated attackers are constantly targeting.

Beyond shrinking an organization’s WoE, automated protection systems can also provide a first line of defense against attackers seeking out new and old vulnerabilities, quashing the most overtly anomalous traffic patterns (e.g. unusually high request rates, illegal parameter matchings) and raising alerts on suspicious traffic for further monitoring by SecOps.

This year, 2020, is the start of a new decade. Let’s make it the year that we cut down our API exposure before the unthinkable happens.

[1] https://www.nowsecure.com/resource/2018-application-security-statistics-report/nowsecure-whitehat-2018-application-security-report-cover/
[2] https://www.edgescan.com/wp-content/uploads/2019/02/edgescan-Vulnerability-Stats-Report-2019.pdf