New research finds that unidentified software risks are 200 times greater than anticipated
AUSTIN, Texas, July 24, 2024 /PRNewswire/ -- NetRise, the company providing granular visibility into the world's software — helping companies inventory and control software assets and detect and respond to software risks — today announced its newest report, Supply Chain Visibility & Risk Study, which analyzes software compositions, vulnerability risks, and non-CVE risks that exist in the software of enterprise networking equipment. The report delves into the scope and scale of software components and software risks across five classes of networking equipment: routers, switches, firewalls, VPN gateways, and wireless access points.
"From third-party software to open source, applications, containers and device firmware, organizations rely on a complex array of software to power their networking equipment," said Thomas Pace, CEO of NetRise. "This comes with hidden dangers that many security professionals are unaware of or do not fully understand. The reality is that every piece of software that an organization brings into its environment comes with risks, as evidenced by triple-digit increases in software supply chain attacks in this particular segment. The principle of 'trust but verify' is business critical, and to get there, companies need visibility into all their software components and dependencies to mitigate risks."
Security teams struggle to respond to vulnerabilities, especially when they are embedded in software dependencies. Because software components have not traditionally been disclosed, their content is often opaque to teams trying to ascertain whether they are affected. In fact, according to Ponemon's 2024 The State of Software Supply Chain Security Risks, only 29% of organizations conduct post-build software dependency/artifact analysis to prevent malicious packages from impacting the software they build, buy, or use, and a mere 38% of respondents say budget and staffing dedicated to securing the software supply chain is 'sufficient' or 'very sufficient'. Adding to the challenges, according to Sonatype's ninth annual State of the Software Supply Chain report, the supply chain of open source and proprietary libraries is so complex that only 7% of respondents have attempted to review related risks.
The report's key findings include:

- Start with inventorying software to understand risks: Software is complex, so understanding risks starts with visibility into the software itself. For example, NetRise researchers compiled and interpreted code analysis to generate detailed SBOMs for the tested networking equipment and found that each device contained on average 1,267 software components.
- Detailed software analysis outperforms traditional network-based vulnerability scanning: NetRise found vulnerability risks are on average 200 times greater than the findings from traditional network-based vulnerability scanners. Additionally, NetRise researchers uncovered 1,120 known vulnerabilities in the underlying software components, with over one-third being 5 years or older.
- Do not rely solely on CVSS severity scores to prioritize risks: Over 42% of the 1,120 known vulnerabilities in each networking device are ranked Critical or High based on the CVSS severity scores, which breaks down to 473 Critical and High vulnerabilities per networking device - more than any team can reasonably expect to respond to. Through detailed software analysis, NetRise uncovered on average 20 weaponized vulnerabilities per networking device, with only 7 weaponized vulnerabilities that are also network accessible.
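The prioritization funnel the third finding describes (all known vulnerabilities, then Critical/High by CVSS, then weaponized, then weaponized and network accessible) can be run over an SBOM directly. The following is an added example, not code from NetRise or from the report: it takes a constructed CycloneDX-shaped SBOM, matches components to a constructed vulnerability feed by package URL, and ranks findings so that exploited, network-reachable issues come first. The component versions, the `EXAMPLE-000n` identifiers (placeholders where real data would carry CVE IDs), the `exploited` flags and the set of network-exposed components are all invented for the example.

```python
"""Rank an SBOM's known vulnerabilities by exploitability and exposure,
not by CVSS score alone. Added example with constructed data."""
import json
from dataclasses import dataclass

# Constructed minimal SBOM in CycloneDX-like shape (not a real device's SBOM).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "openssl",  "version": "1.0.2k",  "purl": "pkg:generic/openssl@1.0.2k"},
    {"name": "busybox",  "version": "1.27.2",  "purl": "pkg:generic/busybox@1.27.2"},
    {"name": "zlib",     "version": "1.2.8",   "purl": "pkg:generic/zlib@1.2.8"},
    {"name": "dropbear", "version": "2017.75", "purl": "pkg:generic/dropbear@2017.75"}
  ]
}
"""

# Constructed vulnerability feed keyed by purl. IDs are placeholders, not real CVEs;
# "exploited" stands in for "listed in a known-exploited-vulnerabilities catalog".
VULN_FEED = {
    "pkg:generic/openssl@1.0.2k": [
        {"id": "EXAMPLE-0001", "cvss": 9.8, "exploited": True},
        {"id": "EXAMPLE-0002", "cvss": 7.5, "exploited": False},
        {"id": "EXAMPLE-0003", "cvss": 5.3, "exploited": False},
    ],
    "pkg:generic/busybox@1.27.2": [
        {"id": "EXAMPLE-0004", "cvss": 9.1, "exploited": True},
        {"id": "EXAMPLE-0005", "cvss": 4.0, "exploited": False},
    ],
    "pkg:generic/zlib@1.2.8": [
        {"id": "EXAMPLE-0006", "cvss": 8.8, "exploited": False},
    ],
    "pkg:generic/dropbear@2017.75": [
        {"id": "EXAMPLE-0007", "cvss": 9.8, "exploited": True},
    ],
}

# Constructed: components that back a listening network service on this device.
NETWORK_EXPOSED = {"pkg:generic/openssl@1.0.2k", "pkg:generic/dropbear@2017.75"}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    purl: str
    cvss: float
    exploited: bool
    network_accessible: bool

    @property
    def severity(self) -> str:
        # CVSS v3.x qualitative rating bands.
        if self.cvss >= 9.0:
            return "Critical"
        if self.cvss >= 7.0:
            return "High"
        if self.cvss >= 4.0:
            return "Medium"
        return "Low" if self.cvss > 0.0 else "None"

    @property
    def tier(self) -> int:
        # Lower tier = fix first. Exploited and reachable beats raw CVSS.
        if self.exploited and self.network_accessible:
            return 0
        if self.exploited:
            return 1
        if self.severity in ("Critical", "High"):
            return 2
        return 3


def match_findings(sbom_json: str, feed: dict, exposed: set) -> list:
    """Join SBOM components to the feed by purl, tagging network exposure."""
    sbom = json.loads(sbom_json)
    findings = []
    for comp in sbom["components"]:
        purl = comp.get("purl")
        for v in feed.get(purl, []):
            findings.append(Finding(v["id"], purl, v["cvss"], v["exploited"], purl in exposed))
    return findings


def funnel(findings: list) -> dict:
    """Counts at each stage of the prioritization funnel."""
    return {
        "total": len(findings),
        "critical_high": sum(f.severity in ("Critical", "High") for f in findings),
        "weaponized": sum(f.exploited for f in findings),
        "weaponized_network_accessible": sum(f.exploited and f.network_accessible for f in findings),
    }


def prioritize(findings: list) -> list:
    """Remediation order: tier first, then CVSS descending, then id for stability."""
    return sorted(findings, key=lambda f: (f.tier, -f.cvss, f.vuln_id))


if __name__ == "__main__":
    found = match_findings(SBOM_JSON, VULN_FEED, NETWORK_EXPOSED)
    print(funnel(found))
    for f in prioritize(found):
        print(f"tier {f.tier}  {f.vuln_id:13} {f.severity:8} cvss={f.cvss} {f.purl}")
```

Sorting purely by CVSS would put the two 9.8s and the 9.1 together at the top regardless of whether anyone is exploiting them; the tier key instead puts the exploited, network-reachable findings first, then exploited-but-local ones, and only then the remaining Critical/High items. In practice the `exploited` flag would come from a known-exploited-vulnerabilities catalog and `NETWORK_EXPOSED` from the device's listening services, both of which the SBOM alone does not tell you.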
The lack of transparency and trust within the software supply chain is business-critical for organizations worldwide. Bottom line, transparency into the contents of commercial software is essential. As a starting point, organizations need comprehensive visibility into their software to understand the scope, scale, and related risks. Advanced technology can provide organizations with much-needed insights to enrich and feed asset discovery, vulnerability management, and intrusion detection tools used within security operations with detailed SBOM development for all software, detection of vulnerabilities and non-CVE risks, and prioritization of all identified software supply chain risks.

To download the full report, visit: NetRise Supply Chain Visibility & Risk Study
Methodology

NetRise analyzed the software on 100 networking equipment devices, focusing on five device classes: routers, switches, firewalls, VPN gateways, and wireless APs. The following steps outline the research process:

Software Bill of Materials (SBOM) Analysis: To gain complete visibility into the software components running on devices, researchers used the NetRise Platform to generate detailed SBOMs for each device class. This involved identifying all software components, including third-party libraries and dependencies, to understand the complete software stack.

Vulnerability and Non-CVE Risk Assessment: To evaluate device risk, considering both known vulnerabilities (CVEs) and non-CVE risks, researchers used the NetRise Platform to identify vulnerabilities listed in the CVE database, and non-CVE risks, such as misconfigurations, outdated components, and potential security flaws not yet publicly disclosed.

Comparison with Traditional Network-Based Vulnerability Scanning: To benchmark the NetRise Platform's findings against results from traditional vulnerability scanning methods, researchers used traditional vulnerability scanners and NVD results as a baseline, comparing them with the comprehensive risk assessments provided by the NetRise Platform. This highlighted discrepancies and underscored the need for an 'inside-out', SBOM-based analysis approach.
About NetRise

Based in Austin, Texas, NetRise was built by defensive cyber experts bred across the private sector, intelligence community, and U.S. federal government to solve the software supply chain security problem. The company is partnering with companies across manufacturing, automotive, medical devices, industrial control systems, satellites, and many more.
https://www.netrise.io/
Media Contact:
Michelle Yusupov
Hi-Touch PR
443-857-9468
yusupov@hi-touchpr.com

View original content: https://www.prnewswire.com/news-releases/netrise-releases-supply-chain-visibility--risk-study-revealing-significant-software-supply-chain-risks-within-networking-equipment-302205397.html

SOURCE NetRise