A recent report by Netrise analyzes the software composition of corporate network equipment such as routers, switches, firewalls, VPN devices, and wireless access points, and the risks associated with it. The report highlights vulnerabilities and risks beyond CVEs that are present in the software of such equipment.
Netrise emphasizes that organizations often run a complex mix of software on their network equipment, including third-party programs, open-source applications, containers, and firmware. Each new software component brings its own risks, some of which may go unnoticed. With the number of supply chain attacks rising, the report underscores the importance of adopting the principle of “trust, but verify.” Companies need full visibility of all software components and dependencies to minimize potential risk.
The key findings of the report include:
- Inventory for risk assessment: The research team at Netrise examined the code and compiled a detailed SBOM (Software Bill of Materials) for each device tested, uncovering an average of 1267 components per device.
- Comprehensive vulnerability scanning: The number of vulnerabilities identified was on average 200 times higher than the results of traditional scanning. The researchers identified 1120 known vulnerabilities in software components, more than a third of them over 5 years old.
- Importance of not relying solely on CVSS vulnerability ratings: Of the 1120 known vulnerabilities per network device, over 42% (473) were rated “High” or “Critical” in CVSS. Yet the average number of vulnerabilities per device known to be exploited in attacks was 20, of which only 7 were reachable over the network.
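The prioritization argument in the findings above, as an added Python example that is not part of the Netrise report or this article: CVSS bands rank many findings as High or Critical, but the short list to fix first comes from known exploitation and network reachability. The component names, dates and CVE-0000-* identifiers are constructed placeholders, not data from the report.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    """One SBOM-derived vulnerability record for a device (constructed data)."""
    cve: str                  # placeholder identifier, not a real CVE
    component: str
    cvss: float               # CVSS v3 base score
    published: date           # advisory publication date
    exploited: bool           # listed in a known-exploited catalogue
    network_reachable: bool   # exposed by a listening service on the device


def cvss_severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating band."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0.0 else "None"


def triage(findings, today: date) -> dict:
    """Count findings the way the report does and return the fix-first list."""
    high_or_critical = [f for f in findings if cvss_severity(f.cvss) in ("High", "Critical")]
    stale = [f for f in findings if (today - f.published).days > 5 * 365]
    exploited = [f for f in findings if f.exploited]
    urgent = [f for f in exploited if f.network_reachable]
    return {
        "total": len(findings),
        "high_or_critical": len(high_or_critical),
        "older_than_5y": len(stale),
        "exploited": len(exploited),
        "exploited_and_reachable": len(urgent),
        "fix_first": sorted(f.cve for f in urgent),
    }


# Constructed sample: note CVE-0000-0006 is only "Medium" by CVSS yet lands on the fix-first list.
SAMPLE = [
    Finding("CVE-0000-0001", "busybox", 9.8, date(2016, 3, 1), False, True),
    Finding("CVE-0000-0002", "openssl", 7.5, date(2022, 6, 1), True, True),
    Finding("CVE-0000-0003", "zlib", 8.8, date(2018, 11, 1), True, False),
    Finding("CVE-0000-0004", "libxml2", 5.3, date(2023, 1, 1), False, False),
    Finding("CVE-0000-0005", "dropbear", 9.1, date(2020, 5, 1), False, True),
    Finding("CVE-0000-0006", "curl", 6.5, date(2017, 9, 1), True, True),
]

if __name__ == "__main__":
    print(triage(SAMPLE, date(2024, 1, 1)))
```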
The study underscores the importance of creating an SBOM, a detailed list of the software components used in a product. Surprisingly, only 35% of the organizations surveyed actually generate or compile such lists. In certain sectors, such as medical devices and the automotive industry, SBOM usage is mandatory due to regulatory requirements.
Timely identification of and response to cyber attacks are crucial for organizations. Despite this, only 38% of surveyed organizations believe they effectively detect and address software vulnerabilities during attacks. Additionally, 47% of organizations reported that it takes anywhere from one month to six months to remediate critical vulnerabilities.
Organizations are increasingly turning to advanced tools for software analysis and supply chain risk management. These tools produce detailed SBOMs covering embedded software, operating systems, virtualization, and application software. They also help identify vulnerabilities