In today’s software-driven world, vulnerabilities are inevitable. Applications rely on open-source libraries, dependencies, and custom code, all of which can introduce security risks. However, not all vulnerabilities pose the same threat. Some vulnerabilities may be labeled “high” or “critical” in a vulnerability database, yet in an individual business environment that particular vulnerability may not be exploitable at all. Why? Compensating controls such as secure configurations or runtime protections may stop an attacker from ever reaching the vulnerable code. The dependency that contains the vulnerable code may not be used in production, so a malicious payload never triggers it. Or the vulnerable function or code path may never be invoked while the software runs, which makes the vulnerability unreachable and therefore unexploitable.
While it’s easy to be anxious when a new vulnerability is published or an active exploit is making headline news, it’s important to keep a clear head about the specifics of your software, development environments, networking environments, and overall cybersecurity processes and procedures. In short, determining whether a vulnerability is truly exploitable — whether it is “reachable” — under the conditions of your operating environment is essential to prioritizing and addressing risk efficiently.
Deciding whether each vulnerability is exploitable or not is an analysis that every company must undertake. And if you use commercial tools, it’s imperative for AppSec teams to know whether the vendor can provide this analysis tailored to your business environment. Many AppSec and application security posture management (ASPM) vendors might say they can help you, but when it comes down to the nuts and bolts, generic algorithms are used, resulting in wild goose chases that no security or development team can afford.
What Is Vulnerability Reachability Analysis?
Reachability analysis determines whether a vulnerability is accessible or exploitable in your application. It goes beyond mere vulnerability detection by analyzing:
- Whether the vulnerable dependency is actively used in production.
- If the vulnerable function within the dependency is invoked.
- Whether external inputs (potentially malicious) pass through the vulnerable code path.
This process helps teams prioritize vulnerabilities that matter, avoiding wasted time on issues that pose no real-world risk.
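The three checks above can be run mechanically over a call graph. The following is an added illustration, not OX Security’s code or algorithm: it walks a constructed call graph for a small web service, decides whether the vulnerable function’s package is a production dependency, whether any exposed handler can reach the function, and whether external input flows along that path (a simplified taint model where each call edge records whether the caller forwards its own input). All package and function names are constructed; `jsonpath.Criteria.parse` and `moment.parse` stand in for the kinds of functions the page discusses.

```python
from collections import deque

# Constructed call graph: caller -> [(callee, forwards_input)], where
# forwards_input=True means the caller passes its own (possibly external)
# input on to the callee. Entry points receive attacker-influenced input.
CALL_GRAPH = {
    "api.handle_date":        [("moment.parse", True)],
    "api.handle_search":      [("app.validate", True)],
    "app.validate":           [("jsonpath.Criteria.parse", False)],  # constant query
    "moment.parse":           [],
    "jsonpath.Criteria.parse": [],
    "tools.bump_version":     [("versionlib.parse", True)],  # build script only
    "versionlib.parse":       [],
}
ENTRY_POINTS = {"api.handle_date", "api.handle_search"}  # externally exposed
PROD_DEPENDENCIES = {"moment", "jsonpath"}                 # versionlib is dev-only

def package_of(func):
    return func.split(".")[0]

def reachable(start, target, require_taint):
    """BFS over the call graph; with require_taint, follow only edges that
    forward the caller's input, so the result means 'external input reaches target'."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            return True
        for callee, forwards_input in CALL_GRAPH.get(node, []):
            if require_taint and not forwards_input:
                continue
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return False

def assess(vuln_func):
    """Apply the three reachability checks and return them with a verdict."""
    in_prod = package_of(vuln_func) in PROD_DEPENDENCIES
    invoked = any(reachable(e, vuln_func, False) for e in ENTRY_POINTS)
    tainted = any(reachable(e, vuln_func, True) for e in ENTRY_POINTS)
    if not in_prod:
        verdict = "unreachable: dependency not used in production"
    elif not invoked:
        verdict = "unreachable: vulnerable function never invoked"
    elif not tainted:
        verdict = "low: invoked, but no external input reaches it"
    else:
        verdict = "reachable: external input reaches vulnerable function"
    return {"in_prod": in_prod, "invoked": invoked, "tainted": tainted, "verdict": verdict}

if __name__ == "__main__":
    for f in ("versionlib.parse", "jsonpath.Criteria.parse", "moment.parse"):
        print(f, "->", assess(f)["verdict"])
```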
Real-World Vulnerabilities and Reachability Analysis
To truly understand how reachability analysis can help AppSec and DevOps teams identify which issues require immediate attention and which ones can be eliminated from their (long) lists of to-dos, it’s helpful to look at real-life examples. In the following section, we’ll look at four published vulnerabilities and see how OX Security’s Active ASPM Platform was able to determine that these vulnerabilities — in a unique environment and under specific existing conditions — were not reachable and therefore not exploitable.
CVE-2022-25883: Remote Code Execution or Denial of Service
- The Threat: Unvalidated external inputs processed by a vulnerable function could lead to memory corruption or application crashes.
- OX Analysis: Verified that this dependency wasn’t used in production, allowing AppSec teams to de-prioritize it and focus on exploitable risks.
- Real-World Example: A similar issue arose in 2022 when a global e-commerce platform faced a Remote Code Execution (RCE) exploit targeting an unused library in their application. While the vulnerability was flagged during routine scans, it took weeks for their security team to confirm it was not actively invoked in production, delaying their response to other critical threats.
- Why It Matters: Of the vulnerabilities scanned during this test, OX identified 150 instances where dependencies were unused in production, saving valuable triage time for the team responsible for investigating the issue.
CVE-2023-51074: Application Crash via Stack Overflow
- The Threat: Vulnerability in the criteria.parse() function could allow attackers to cause memory corruption or application crashes.
- OX Analysis: By verifying whether the function was invoked and whether malicious inputs could pass through it, OX provided clarity on exploitability.
- Real-World Example: IBM applications suffered operational disruptions affecting over 1,000 clients due to this vulnerability.
- Why It Matters: Pinpointed analysis eliminates guesswork and saves response teams time and effort.
CVE-2022-31129: Regular Expression Denial of Service (ReDoS)
- The Threat: Inefficient parsing in the moment library allowed attackers to send specially crafted input, causing application slowdowns.
- OX Analysis: OX analyzed whether the vulnerable function was directly invoked and whether the inputs reaching it were validated, reducing unnecessary effort on false alarms.
- Real-World Example: Cloudflare’s 2019 outage, caused by a ReDoS attack, underlined the need for reachability-focused triage.
- Why It Matters: Reducing the amount of wasted effort and resources on unexploitable issues allows organizations to focus on the vulnerabilities that matter, reducing risk, cost, and misdirected time.
Open Redirect Vulnerability
- The Threat: Improper validation of user-controlled input in URLs could lead to unauthorized redirection, enabling phishing or data theft.
- OX Analysis: OX identified a direct function call sequence from exposed APIs to vulnerable code, proving the risk was reachable and high priority.
- Real-World Example: A reported (but unconfirmed) Facebook vulnerability demonstrated how attackers could bypass security to redirect users to malicious websites.
- Why It Matters: Identifying vulnerabilities that pose real risk under certain conditions helps with time-to-remediate and risk reduction.
Why Reachability Analysis Matters
There is little doubt that both AppSec and DevOps teams need to reclaim time to focus on the vulnerabilities that pose the highest risk to their organizations. The problem is that much of the traditional commercial tooling and processes used to identify issues throughout the software development lifecycle can’t deliver when it comes to accuracy and actionability.
With the OX Active ASPM Platform, our team has put significant effort into ensuring that security and dev teams can realize the following benefits:
- Time Savings: Traditional vulnerability scans generate vast amounts of alerts, many of which are irrelevant. OX reduces noise by focusing only on reachable, exploitable, and business-impacting vulnerabilities, saving time and effort for security and development teams.
- Improved Risk Prioritization: With OX’s proprietary reachability algorithms baked into the core solution, vulnerabilities are ranked and then enriched with context to ensure teams focus on fixing what matters most.
- Enhanced Security Posture: By identifying and mitigating only exploitable vulnerabilities, OX minimizes resource wastage and strengthens overall application security posture.
A Smarter Approach to Software Vulnerability Management
Managing software vulnerabilities doesn’t have to mean drowning in alerts or spending tons of time chasing every CVE listed as “high” or “critical” by the National Vulnerability Database (NVD) or even the CISA Known Exploited Vulnerabilities (KEV) Catalogue. The key to AppSec improvement is understanding what’s applicable in your environment, under present conditions, and with the controls you have deployed. There is no one-size-fits-all in AppSec, and don’t let anyone tell you otherwise.
However, if you’re thinking, “This means more work and effort,” don’t fear! This isn’t a paradOX!
OX Security’s Active ASPM Platform includes advanced reachability analysis that cuts through the noise and allows AppSec and development teams to focus on the 5% of vulnerabilities that truly matter to their organization. From code to cloud, OX secures applications and the software supply chain, with increased accuracy and greater speed.
Ready to see the difference? Learn how OX Security can streamline your vulnerability management process and help you secure your applications with precision. Schedule a demo today!