The increasing complexity of IT environments is leading to more hidden cyber threats. The risk of cyberattacks and data breaches through the software supply chain is hard to ward off, according to research by JFrog.
To point out how cluttered corporate IT infrastructures can be today, JFrog cites the number of programming languages used inside enterprises. The majority (53 percent) use 4 to 9 languages, while only 16 percent limit this number to 1-3. In fact, 39 percent of surveyed organizations with more than 5,000 employees have 10 or more programming languages in active use.
Useful but dangerous
This wide variety shows that all kinds of packages and libraries are circulating, mostly in open-source form. The usefulness of this is often quite evident, with AI adoption motivating PyPI-contributions, for example.
At the same time, the number of vulnerabilities is increasing. In 2023, 26,000 CVEs were published, mostly pointing to exploits of known cyber risks. SQL injections are prominent among these, something the FBI and CISA were taking developers to task over earlier this week.
Misleading scores
JFrog does point out that these CVEs aren’t enough to understand the threat level. We’ve addressed this before as well: “critical” vulnerabilities can sometimes be a lot less worrisome than they appear, while low CVSS scores should not be reassuring at all. The exploitability of a vulnerability deserves more attention, JFrog also argues. 74 percent of CVEs that have “high” and “critical” scores are not exploitable, the study shows.
Tip: When is a critical vulnerability actually serious?
This is a problem for developers who must prioritize addressing vulnerabilities. Patching everything immediately is what most would do in an ideal world, but the reality is that this is not always a realistic expectation. This is further complicated by the previously mentioned complex supply chain. Managing it requires contextual information, something in which various security players can assist. For example, parties like CrowdStrike offer a threat intelligence platform that shows what threats are actively at play, something that more clearly shows which dangers should actually cause concern amongst IT personnel.
Also read: CrowdStrike bundles threat hunting and intelligence to combat identity threat
20 hours ago
