Known vulnerabilities policies
Known vulnerabilities policies are a group of software quality policies used by the Spectra Assure platform to help you improve the overall software package security.
These policies are used during software package analysis to check your code and inform you if any of the built-in validation rules are violated. Specifically, vulnerability policies focus on preventing the exploitation of identified weaknesses in your software and minimizing the possibility of a malicious attack. In this context, the identified weaknesses may include vulnerabilities of various severity levels, as well as actively exploited vulnerabilities, including those for which a patch has been issued and those exploited by malicious code. Advanced users of Spectra Assure can adjust how each vulnerability is treated and add their own exceptions to policy configuration files.
In the Spectra Assure SAFE report, these policy violations can be found in the Known Vulnerabilities issue category and cause risk in the SAFE Assessment Vulnerabilities category.
Software developers and DevOps engineers will benefit the most from the guidance provided by these policies. When Spectra Assure products detect the presence of a vulnerability in a software package, its exact location is highlighted in the analysis report. Development teams can then apply the remediation advice for each particular policy to resolve detected issues.
Security challenges and practices
Vulnerabilities in software are a constant threat to organizations and individuals, often due to an outdated software component, a bug or some other flaw in the software. Depending on their severity, they may present significant gaps or opportunities for malicious actors to access your systems and sensitive information, as well as cause harm to your organization.
Rapid software development practices in the modern software development lifecycle increase the need for third-party dependencies and open-source components in your software supply chain. This only heightens the likelihood of introducing vulnerabilities and makes your infrastructure more susceptible to malicious attacks, which is why it is important to improve your security and catch the potential threats before they reach production.
Known vulnerabilities are catalogued in the Common Vulnerabilities and Exposures (CVE) system, where each is assigned a unique identifier that is used to classify it during sample analysis. Each vulnerability is also assigned a CVSS (Common Vulnerability Scoring System) v3 score that places it in a severity band ranging from low to critical. Vulnerabilities can be prioritized for resolution according to this level of potential risk to your organization.
Priority can also be determined based on the type of vulnerability in question - whether it is a patch mandated, malware-exploited, or actively exploited vulnerability. Patch mandated vulnerabilities are those CVEs for which CISA (Cybersecurity and Infrastructure Security Agency) requires patching within a given timeframe. This information can be found in the Known Exploited Vulnerabilities Catalog maintained by CISA. Malware-exploited vulnerabilities are those CVEs that are actively taken advantage of by malware. Finally, actively exploited vulnerabilities are those CVEs that are not necessarily taken advantage of by any malware, but are targeted by malicious actors or easily misused.
Some common types of vulnerabilities malicious actors take advantage of include misconfigurations, outdated or unpatched software, remote code execution, zero-day vulnerabilities, silent vulnerabilities, and so on. Malicious actors can take advantage of errors arising from manual configuration, or of software that has not been updated, to access your organization's data or infrastructure. Remote code execution deserves particular caution because it lets attackers inject malicious code or make changes to your device from afar and potentially steal your data.
Zero-day vulnerabilities are flaws in software that are disclosed or exploited before the vendor knows about them. They leave vulnerable systems exposed until a fix is issued, so they present a perfect opportunity for cybercriminals to perform a targeted attack.
Silent vulnerabilities are known vulnerabilities that can't be found by inspecting the dependency list. Such vulnerabilities are introduced by statically linking package dependencies, which results in "hiding" vital information from the dependency list.
Policies in this category
Vulnerability policies cover the following vulnerabilities:
- patch mandated
- malware-exploited
- actively exploited
- of critical, high, medium, and low severity
- SQ31101 - Detected presence of patch mandated vulnerabilities.
- SQ31102 - Detected presence of severe vulnerabilities with active exploitation.
- SQ31103 - Detected presence of malware-exploited vulnerabilities.
- SQ31104 - Detected presence of critical severity vulnerabilities.
- SQ31105 - Detected presence of high severity vulnerabilities.
- SQ31106 - Detected presence of medium severity vulnerabilities.
- SQ31107 - Detected presence of low severity vulnerabilities.
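The following is an added example, not part of this page or of the Spectra Assure platform: it shows how the vulnerability types and CVSS v3 severity bands described above can be turned into a triage routine that maps each finding onto the policy identifiers listed here. The CVSS v3 band boundaries are those published with the CVSS v3 specification; the mapping rules, the triage order, the `Finding` structure, the sample findings and the stand-in KEV catalog are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# CVSS v3 qualitative severity bands: (name, lower bound of the band).
SEVERITY_BANDS = (("critical", 9.0), ("high", 7.0), ("medium", 4.0), ("low", 0.1))

# Policy identifiers as listed on this page. The rules that map a finding onto
# them, and the triage order, are illustrative assumptions, not the platform's logic.
POLICY_PATCH_MANDATED, POLICY_ACTIVELY_EXPLOITED, POLICY_MALWARE_EXPLOITED = "SQ31101", "SQ31102", "SQ31103"
POLICY_BY_SEVERITY = {"critical": "SQ31104", "high": "SQ31105", "medium": "SQ31106", "low": "SQ31107"}
# Assumed triage order: lower rank is resolved first.
POLICY_RANK = {"SQ31101": 0, "SQ31103": 1, "SQ31102": 2,
               "SQ31104": 3, "SQ31105": 4, "SQ31106": 5, "SQ31107": 6}
# Constructed stand-in for the CISA KEV catalog (placeholder CVE id -> patch due date).
SAMPLE_KEV = {"CVE-0000-1001": "2024-01-31"}


@dataclass
class Finding:
    cve: str
    cvss_v3: float
    malware_exploited: bool = False
    actively_exploited: bool = False


def cvss_severity(score: float) -> str:
    """Map a CVSS v3 base score onto its qualitative severity band."""
    for name, floor in SEVERITY_BANDS:
        if score >= floor:
            return name
    return "none"  # a 0.0 score falls outside every band


def policies_for(f: Finding, kev: dict) -> list:
    """Return every policy a finding violates, most urgent first."""
    hits = [p for cond, p in ((f.cve in kev, POLICY_PATCH_MANDATED),  # CISA patch deadline
                              (f.malware_exploited, POLICY_MALWARE_EXPLOITED),
                              (f.actively_exploited, POLICY_ACTIVELY_EXPLOITED)) if cond]
    sev = cvss_severity(f.cvss_v3)
    if sev in POLICY_BY_SEVERITY:
        hits.append(POLICY_BY_SEVERITY[sev])
    return sorted(hits, key=POLICY_RANK.__getitem__)


def triage(findings: list, kev: dict) -> list:
    """Order findings by their most urgent policy, then by descending CVSS score."""
    def key(f):
        pols = policies_for(f, kev)
        return (POLICY_RANK[pols[0]] if pols else len(POLICY_RANK), -f.cvss_v3)
    return [(f.cve, policies_for(f, kev)) for f in sorted(findings, key=key)]


# Constructed sample findings with placeholder CVE ids (not real advisories).
SAMPLE_FINDINGS = [Finding("CVE-0000-1003", 9.8), Finding("CVE-0000-1001", 7.5),
                   Finding("CVE-0000-1002", 5.3, actively_exploited=True), Finding("CVE-0000-1004", 3.1)]
```

Note that a finding in the KEV catalog with a high score is reported under both SQ31101 and SQ31105, and the KEV membership, not the score, decides where it lands in the triage order.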
Recommended for you
- Understanding vulnerabilities (External resource - National Cyber Security Centre)
- App sec is addicted to vulnerability reporting: Why supply chain security requires evolution (ReversingLabs blog series)
- SBOM Facts: Know what's in your software to fend off supply chain attacks (ReversingLabs blog series)