Archive for Rezilion

Rezilion Reveals Overlooked High-Risk Vulnerabilities in CISA KEV Catalog, Raising Questions about Patching Prioritization Standards

Posted in Commentary with tags on July 26, 2023 by itnerd

On Wednesday, July 26, Rezilion, an automated software supply chain security platform, will release its new report, “CVSS, EPSS, KEV: The New Acronyms – And The Intelligence – You Need For Effective Vulnerability Management,” detailing the critical importance of the Exploitability Probability Prediction Score (EPSS) for enhancing patch prioritization and effective vulnerability management.

Rezilion’s vulnerability experts disclosed that three vulnerabilities are currently being actively exploited and have a high EPSS score. The findings of the report show that vulnerabilities with a high EPSS score are more likely to be exploited than those with low EPSS scores, showing that using only the Common Vulnerability Scoring System (CVSS) for prioritizing patching is not the most effective approach.

Key takeaways from the report include:

  • The conventional method of prioritizing vulnerabilities often falls short. A holistic approach, including CVSS, CISA’s KEV, and EPSS, offers the best defense.
  • The KEV catalog alone is insufficient due to the delay in adding newly discovered vulnerabilities.
  • Vulnerabilities with a high EPSS score are more likely to be exploited, emphasizing the importance of this information in prioritization.
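The three takeaways above can be turned into a concrete patch queue. The following is an added example (not Rezilion's code or the report's method) that ranks findings by KEV membership first, then a high EPSS score (which catches exploited bugs the KEV catalog has not listed yet), then CVSS as a tie-break; the CVE ids, scores and the 0.5 EPSS threshold are constructed assumptions.

```python
"""Holistic vulnerability prioritization combining CISA KEV, EPSS and CVSS.

Added example, not Rezilion's code. CVE ids, scores and KEV flags below are
constructed sample data (placeholders), not real vulnerabilities.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float      # CVSS base score, 0-10
    epss: float      # EPSS probability of exploitation within 30 days, 0-1
    in_kev: bool     # listed in CISA's Known Exploited Vulnerabilities catalog


EPSS_HIGH = 0.5  # assumed threshold; tune to your own risk appetite


def tier(f: Finding) -> int:
    """Lower tier means patch sooner.

    0: in KEV (exploitation confirmed)
    1: high EPSS but not (yet) in KEV, covering the catalog's lag
    2: everything else
    """
    if f.in_kev:
        return 0
    if f.epss >= EPSS_HIGH:
        return 1
    return 2


def holistic_order(findings):
    # Within a tier: higher EPSS first, then higher CVSS as tie-break.
    ranked = sorted(findings, key=lambda f: (tier(f), -f.epss, -f.cvss))
    return [f.cve for f in ranked]


def cvss_only_order(findings):
    # The conventional approach the report argues is insufficient.
    return [f.cve for f in sorted(findings, key=lambda f: -f.cvss)]


def buried_by_cvss(findings, top_n):
    """KEV / high-EPSS findings that a CVSS-only top-N patch window would miss."""
    top = set(cvss_only_order(findings)[:top_n])
    return sorted(f.cve for f in findings if tier(f) < 2 and f.cve not in top)


# Constructed sample data (placeholder ids, not real CVEs).
SAMPLE = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.010, in_kev=False),
    Finding("CVE-0000-0002", cvss=7.5, epss=0.930, in_kev=True),
    Finding("CVE-0000-0003", cvss=8.1, epss=0.720, in_kev=False),
    Finding("CVE-0000-0004", cvss=5.3, epss=0.004, in_kev=False),
    Finding("CVE-0000-0005", cvss=9.1, epss=0.600, in_kev=True),
]

if __name__ == "__main__":
    print("CVSS only :", cvss_only_order(SAMPLE))
    print("holistic  :", holistic_order(SAMPLE))
    print("missed by a CVSS top-2 window:", buried_by_cvss(SAMPLE, 2))
```

Note that the 9.8 finding drops to fourth place in the holistic order because nothing indicates it is being exploited, while the two KEV entries and the high-EPSS 8.1 rise to the top.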

You can read the report here.

Rezilion Report Finds World’s Most Popular Generative AI Projects Present A High Security Risk

Posted in Commentary with tags on June 28, 2023 by itnerd

Rezilion, an automated software supply chain security platform, today announced a new report, “Expl[AI]ning the Risk: Exploring the Large Language Models (LLM) Open-Source Security Landscape,” finding that the world’s most-popular generative artificial intelligence (AI) projects present a high security risk to organizations.

Generative AI has surged in popularity, empowering us to create, interact with, and consume content like never before. With the remarkable advancements in LLMs, such as GPT (Generative Pre-Trained Transformers), machines now possess the ability to generate human-like text, images, and even code. The number of open-source projects that integrate these technologies is now growing exponentially. By way of example, since OpenAI debuted ChatGPT seven months ago, there are now more than 30,000 open-source projects on GitHub using the GPT-3.5 family of LLMs. 

Despite the booming demand for these technologies, GPT and LLM projects present various security risks to the organizations that are using them, including trust boundary risks, data management risks, inherent model risks, and general security concerns.

Rezilion’s research team investigated the security posture of the 50 most popular generative AI projects on GitHub. The research utilizes the Open Source Security Foundation (OSSF) Scorecard to objectively evaluate the LLM open-source ecosystem and highlight the lack of maturity, gaps in basic security best practices, and potential security risks in many LLM-based projects.

The key findings highlight concerns, revealing very new and popular projects with low scores:

  • Extremely popular, with an average of 15,909 stars
  • Extremely immature, with an average age of 3.77 months
  • Very poor security posture, with an average score of 4.60 out of 10, which is low by any standard. For example, the most popular GPT-based project on GitHub, Auto-GPT, has over 138,000 stars, is less than three months old, and has a Scorecard score of 3.7.

The following best practices and guidance are recommended for the secure deployment and operation of generative AI systems: educate teams on the risks associated with adopting any new technologies; evaluate and monitor security risks related to LLMs and open-source ecosystems; implement robust security practices, conduct thorough risk assessments, and foster a culture of security awareness.

An alarming amount of time is dedicated to security – especially when it comes to software. Rezilion’s automated software supply chain security platform helps customers to manage their software vulnerabilities efficiently and effectively. Maintaining a detailed and current database on the latest software vulnerabilities and the strategies to mitigate them remains paramount to customers’ success in navigating this complex security landscape. Rezilion provides its users with the same OpenSSF scorecard insights as part of the product offering for customers to make more informed decisions regarding adopting and managing any open-source project. 

I also got some commentary from Yotam Perkal, Director of Vulnerability Research at Rezilion, who authored this report.

What was the most concerning finding from the survey and why? 

The most concerning finding from the survey is the inadequate maturity and security posture of the open-source ecosystem surrounding LLMs. As these systems gain popularity and adoption, it is inevitable that they will become attractive targets for attackers, leading to the emergence of significant vulnerabilities. This finding raises concerns about the overall security of LLMs and highlights the need for improved security standards and practices in their development and maintenance.

What should organizations know about LLM risk before integrating Gen AI tools? 

Organizations should be aware that integrating Generative AI tools, including LLMs, comes with both unique challenges and general security concerns. They need to address the specific risks associated with LLMs, such as data privacy, protection against attacks on the models, and securing the infrastructure involved in their deployment. Additionally, organizations must consider broader security implications and ensure that industry security standards are followed to promote ethical and responsible use of generative AI technology.

How can they prepare for this risk and who is responsible for this? 

Organizations can prepare for LLM risks by adopting a secure-by-design approach when developing Generative AI-based systems. They should leverage existing frameworks like the Secure AI Framework (SAIF), NeMo Guardrails, or MITRE ATLAS™ to incorporate security measures into their AI systems. It is also imperative to monitor and log LLM interactions and regularly audit and review the LLM’s responses to detect potential security and privacy issues and update and fine-tune the LLM accordingly. Responsibility for preparing and mitigating LLM risks lies with both the organizations integrating the technology and the developers involved in building and maintaining these systems.

What are some other risks GPT and LLMs can pose to organizations? 

The risks GPT and LLMs can pose are varied and can affect all aspects of the CIA triad (Confidentiality, Integrity and Availability). These risks can lead to bypass of access controls, unauthorized access to resources, system vulnerabilities, ethical concerns, potential compromise of sensitive information or intellectual property and more.

How will this risk through LLM to organizations evolve in the next 12-18 months?

Over the next 12-18 months, the risk through LLMs to organizations is expected to evolve as the popularity and adoption of these systems continue to grow. Without significant improvements in the security standards and practices surrounding LLMs, the likelihood of targeted attacks and the discovery of vulnerabilities in these systems will increase. Organizations must stay vigilant and prioritize security measures to mitigate evolving risks and ensure the responsible and secure use of LLM technology.

To download the full report, please visit: https://info.rezilion.com/explaining-the-risk-exploring-the-large-language-models-open-source-security-landscape

Rezilion Launches Agentless Runtime Monitoring Solution For Vulnerability Management

Posted in Commentary with tags on June 14, 2023 by itnerd

Rezilion, an automated software supply chain security platform, today announced the release of its Agentless solution. This new capability gives users connection and access to Rezilion’s full feature functionality across multiple cloud platforms. It enables security teams to monitor exploitable attack surfaces in runtime without using an agent, minimizing security and operational risk at the same time.

Many reports and analyses confirm that organizations spend extraordinary time prioritizing and remediating software vulnerabilities. Research conducted by Ponemon Institute underscores that vulnerability management is time-consuming, costly, and often too overwhelming. Nearly half (47%) of survey respondents reported backlogs ranging from 100,000 to 1.1 million vulnerabilities still awaiting patches.

Yet, many vulnerabilities are not exploitable in runtime. Armed with this knowledge, Rezilion first introduced vulnerability prioritization using runtime data. This data reveals which vulnerabilities are exploitable depending on the user’s unique environment and reduces 85% of the noise because most do not require patching. However, an agent is needed to get this visibility into the runtime – formerly an unchallenged assumption.  

While some organizations feel comfortable with agents, they represent an operational risk and overhead, leading Rezilion to release the first agentless solution that can see into the runtime execution of the software and determine not only which components are vulnerable but whether they are exploitable in the runtime context. After years of research and significant breakthroughs, the Rezilion team discovered that achieving true non-agent-based runtime analysis is possible.

Unlike some agents that are limited to specific mechanisms such as eBPF, Rezilion’s approach covers all versions of Windows and Linux across 12 code languages. The platform’s agentless solution empowers customers to ensure their software security in production and continuous integration from the convenience of a single platform, with no maintenance overhead or operational risk.

With Rezilion, organizations can detect, aggregate, prioritize, and remediate without maintenance overhead. Rezilion allows customers to remove interference with product performance without additional code or agent execution. Unlike other agentless solutions that only offer a static understanding, Rezilion provides a Dynamic SBOM, which reveals both software components and how they’re being executed in runtime. Organizations receive the necessary tools to identify bugs – and potential exploitation by attackers.

Rezilion can now be deployed through a seamless workflow managed entirely from Rezilion’s platform user interface. For more information about securing the software supply chain without the hindrance of an agent, please visit https://info.rezilion.com/lp/demo-agentless-runtime-free-risk-assessment.

Rezilion 2023 Half-Year Critical Vulnerabilities Report Reveals Significance Of Maintaining Software Security 

Posted in Commentary with tags on June 8, 2023 by itnerd

Rezilion, an automated software supply chain security platform, today announced its new research, “2023 First-Half Critical Vulnerabilities Report: Key Software Applications Under Fire.” The report identifies and analyzes the most significant vulnerabilities in numerous widely utilized software applications and open-source projects during the first half of 2023 while offering practical remediation and mitigation strategies.

Cybersecurity leaders and teams must stay abreast of the latest vulnerabilities, regardless of their origins, to ensure that necessary security measures are implemented. While some vulnerabilities may present severe implications for organizations, others might prove less impactful than initially perceived. The report highlights vulnerabilities in critical software applications integral to organizations, which enable vital capabilities such as data analytics, visualization, AI, web development, and cybersecurity. 

Among the vulnerabilities identified and thoroughly analyzed are those found in JsonWebToken (CVE-2022-23529), ChatGPT (CVE-2023-28858), Apache Superset (CVE-2023-27524), PaperCut NG/MF (CVE-2023-27350), Fortinet FortiOS (CVE-2022-41328), and Adobe ColdFusion (CVE-2023-26360).

Particularly notable was the JsonWebToken vulnerability, initially rated with a high CVSS score of 9.8. However, after a detailed examination, the severity of this vulnerability was reassessed and ultimately retracted, underscoring the importance of rigorous analysis and robust community feedback in ensuring accurate assessments and mitigations. 

Rezilion also drew attention to a low severity but significant vulnerability in OpenAI’s ChatGPT service. While the CVSS score was only 3.7, the vulnerability is noteworthy due to the increasing reliance on AI services across industries, serving as a stark reminder that security must remain paramount as AI technology continues to evolve. Additionally, the Apache Superset issue is a critical vulnerability caused by the application’s default SECRET_KEY configuration, highlighting the importance of unique, secure keys for safe application access.

Moreover, the report explores the vulnerabilities in PaperCut, Fortinet FortiOS, and Adobe ColdFusion. These involve an access control issue that permits remote code execution, a zero-day vulnerability exploited in the wild, leading to substantial data loss and operating system corruption, and a zero-day vulnerability exploited in limited attacks enabling remote code execution, respectively.

Cybercriminals exploit software vulnerabilities to launch attacks against organizations, customers, and entire supply chains; threat actors leverage weaknesses in software code to launch attacks like ransomware. Rezilion’s comprehensive analysis and detailed insights aim to assist cybersecurity teams in understanding and addressing these vulnerabilities effectively.

In the face of increasing cybersecurity threats, it is crucial to maintain vigilance and adopt proactive remediation strategies, which include regularly updating all software and systems to their latest versions, as these often contain patches for known vulnerabilities. Equally important is implementing robust security practices such as secure configurations, rigorous input/output sanitization, and continuous threat monitoring. Open-source and AI technologies should be used with heightened attention to maintain user data integrity.

To download the full report, please visit: https://info.rezilion.com/the-most-important-vulnerabilities-discovered-in-2023

Rezilion Releases New Smart Fix Capability

Posted in Commentary with tags on May 31, 2023 by itnerd

Rezilion, an automated software supply chain security platform, today announced the release of its new Smart Fix feature in the Rezilion platform, which offers critical guidance so users can understand the most strategic, not just the most recent, upgrade to fix vulnerable components.

Patching is a complicated and noisy process, which can lead to longer times for fixes, and increases risk for an organization. In the patching process, updating vulnerable components to the latest version can cause disruptive breaks in the environment, hindering both innovation and security. This is all happening against a backdrop of tension between Dev and Sec in which remediation must happen, but is often slow, complicated, and difficult to streamline. 

Smart Fix is the answer to these common woes. The feature offers guidance on the best update version available to patch all CVEs with the lowest likelihood of breaking applications or infrastructure, shrinking operational risk and minimizing downtime. The guidance also allows users to clear out clutter and complexity and create policies and automations to prioritize the smartest (not just the most recent) fix available. This leads to faster remediation workflows to minimize exposure time. Developers can focus on fixing components that are actually possible to fix with clear instructions on what they need to fix it right the first time, avoiding time-consuming rounds of research and rollbacks.

Unlike other scanners and vulnerability management solutions, through Rezilion’s platform, Smart Fix tells you not only what and where to fix, but HOW to eliminate both CVEs and operational risks at the same time – and get the work done automatically. The feature is one of a series of recent platform enhancements aimed at improving and accelerating software supply chain security. 

To learn more about Rezilion’s software supply chain security solutions and see a demo of Smart Fix, visit www.rezilion.com/why-rezilion/ and read their blog post here.

New Research Reveals 15+ Million Vulnerable Instances That Are Susceptible To APTs From CISA’s KEV Catalog

Posted in Commentary with tags on March 30, 2023 by itnerd

Rezilion has released its latest research report, a comprehensive analysis of the CISA Known Exploited Vulnerabilities (KEV) Catalog that reveals the vast attack surface created by software vendors’ lack of awareness and action regarding KEV vulnerabilities. These are prime targets for APT groups and financially motivated threat actors.

Rezilion’s research identifies over 15 million vulnerable instances, primarily Microsoft Windows instances, and emphasizes prioritizing patching based on exploitability. 

  1. These vulnerabilities account for less than 1% of the total vulnerabilities discovered by organizations yearly.
  2. Most vulnerabilities are rated as critical or high (250 marked as CRITICAL and 535 marked as HIGH).

APT groups and profit-driven threat actors frequently exploit these vulnerabilities, often connecting to or receiving sponsorship from nation-states such as Russia, Iran, China, and North Korea. Millions of systems remain vulnerable to KEV, despite the availability of patches to resolve them.

You can read the report here.

Rezilion Research Discovers Hidden Vulnerabilities in Hundreds of Docker Container Images

Posted in Commentary with tags on February 23, 2023 by itnerd

Rezilion announced today the release of the company’s new research, “Hiding in Plain Sight: Hidden Vulnerabilities in Popular Open Source Containers,” uncovering the presence of hundreds of Docker container images containing vulnerabilities that are not detected by most standard vulnerability scanners and SCA tools.

The research revealed numerous high severity/critical vulnerabilities hidden in hundreds of popular container images, downloaded billions of times collectively. This includes high-profile vulnerabilities with publicly known exploits. Some of the hidden vulnerabilities are known to be actively exploited in the wild and are part of the CISA known exploited vulnerabilities catalog, including CVE-2021-42013, CVE-2021-41773, CVE-2019-17558.

This finding follows Part I of the research, released in October, which was the first quality assessment for leading open-source and commercial vulnerability scanners and SCA tools. The vulnerability scanner benchmark survey discovered the most common causes for scanner misidentifications, including false positive and negative results.

The new research dives deeper into one of the root causes identified in the assessment: the inability to detect software components not managed by package managers. The study explains how the standard method of operation of vulnerability scanners and SCA tools relies on acquiring data from package managers to learn what packages exist in the scanned environment, making them susceptible to missing vulnerable software packages in the many common scenarios in which software is deployed in ways that circumvent these package managers. This research shows precisely how wide this gap is and its impact on organizations using third-party software. The report provides numerous real-world examples of some of the most popular Docker container images that contain dozens of such hidden vulnerabilities, and offers recommendations on minimizing the risk presented in the research.

According to the report, deployment methods that circumvent package managers are extremely common in Docker containers. The research team has identified over 100,000 container images that deploy code in a way that bypasses the package managers, including most of DockerHub’s official container images. These containers either already contain hidden vulnerabilities or are prone to have hidden vulnerabilities if a vulnerability in one of these components is identified.

The report identifies four scenarios in which software is deployed without interaction with package managers, and shows how hidden vulnerabilities can find their way into container images:

  • the application itself;
  • runtimes required for the operation of the application;
  • dependencies necessary for the application to work;
  • dependencies required for the deployment/build process of the application that are not deleted at the end of the container image build process.
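A quick way to measure this gap in your own images is to diff what the package manager claims against what is actually on disk: anything executable that dpkg does not own is exactly the software a package-manager-driven scanner will never see. The following is an added example (not Rezilion's research tooling); the dpkg file lists and the on-disk listing are constructed sample data, and `load_dpkg_lists` reads the real `/var/lib/dpkg/info/*.list` files when run inside a Debian-based image.

```python
"""Find code in a container image that no package manager accounts for.

Added example, not Rezilion's code. It mirrors the root cause described in the
report: scanners ask dpkg/rpm what is installed, so software copied in by a
build step, built from source or vendored as a jar never shows up.
"""
from pathlib import Path, PurePosixPath

# Constructed stand-ins for /var/lib/dpkg/info/<package>.list contents.
DPKG_LISTS = {
    "libssl3": "/usr/lib/x86_64-linux-gnu/libssl.so.3\n"
               "/usr/lib/x86_64-linux-gnu/libcrypto.so.3\n",
    "curl": "/usr/bin/curl\n/usr/share/doc/curl/copyright\n",
}

# Constructed listing of an image's filesystem (what `find / -type f` returns).
ON_DISK = [
    "/usr/bin/curl",
    "/usr/lib/x86_64-linux-gnu/libssl.so.3",
    "/usr/lib/x86_64-linux-gnu/libcrypto.so.3",
    "/usr/share/doc/curl/copyright",
    "/opt/httpd/bin/httpd",             # application copied in during build
    "/opt/httpd/lib/libaprutil-1.so.0",  # its runtime dependency
    "/usr/local/lib/libssl.so.1.0.0",   # a second OpenSSL, built from source
    "/app/lib/log4j-core-2.14.1.jar",   # vendored Java dependency
    "/app/README.md",                   # not code, should be ignored
]

# Heuristics for "this file carries executable code"; the rest is noise.
CODE_SUFFIXES = (".so", ".jar", ".war", ".dll", ".exe")
CODE_DIRS = ("/bin/", "/sbin/", "/lib/", "/libexec/")


def load_dpkg_lists(info_dir="/var/lib/dpkg/info"):
    """Read real dpkg ownership data; returns {} outside a Debian-based image."""
    return {p.stem: p.read_text(errors="replace")
            for p in Path(info_dir).glob("*.list")}


def managed_files(dpkg_lists):
    """Set of every path the package manager claims to own."""
    owned = set()
    for text in dpkg_lists.values():
        owned.update(line.strip() for line in text.splitlines() if line.strip())
    return owned


def looks_like_code(path):
    p = PurePosixPath(path)
    # suffixes handles versioned names such as libssl.so.1.0.0 -> ['.so','.1',...]
    if any(s in p.suffixes for s in CODE_SUFFIXES):
        return True
    return any(d in path for d in CODE_DIRS)


def unmanaged_code(on_disk, dpkg_lists):
    """Code files present on disk that dpkg does not account for."""
    owned = managed_files(dpkg_lists)
    return sorted(p for p in on_disk if p not in owned and looks_like_code(p))


if __name__ == "__main__":
    real = load_dpkg_lists()
    lists = real if real else DPKG_LISTS
    for path in unmanaged_code(ON_DISK, lists):
        print("not owned by any package:", path)
```

Each path the script prints is a component whose version, and therefore whose CVEs, a package-manager-based scanner cannot report; feed that list to a tool that fingerprints binaries and jars directly.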

To download the full report, please visit: https://info.rezilion.com/scanner-research-part-ii

New Report On 8 Most Prominent Vulnerabilities In 2022 & New Research On The Log4Shell Anniversary

Posted in Commentary with tags on December 19, 2022 by itnerd

Rezilion has released a new report exploring the 8 most prominent vulnerabilities discovered during 2022: Pwnkit, Dirty Pipe, Spring4Shell, NimbusPWN, Dirty Cred, ProxyNotShell, Text4Shell, and Spooky SSL. For each vulnerability, the researchers investigate what it is, when it was published, how it can be exploited, and the available remediation and mitigation.

Rezilion also recently published Log4Shell Anniversary research showing:

  • Over 57K publicly accessible servers are still vulnerable, which is only the tip of the iceberg.
  • Over 30% of the overall publicly accessible servers still run versions vulnerable to Log4Shell.
  • A survey of all exploitation attempts conducted in the year since Log4Shell was first discovered.

You can read the full report here.

Rezilion Expands Dynamic SBOM Capability To Support Windows Environments

Posted in Commentary with tags on November 9, 2022 by itnerd

Rezilion has announced today the expansion of its Dynamic Software Bill of Materials (SBOM) capability to support Windows environments. Through this expansion, Rezilion will provide organizations with a first-of-its-kind toolset to efficiently manage software vulnerabilities and meet new regulatory standards, for the 56% of software today that’s built for Windows OS.

While many tools exist for organizations to manage vulnerabilities in their software, the vast majority of these were initially built for use with Linux OS, resulting in gaps in functionality when they’re used for Windows. A dearth of “Windows-first” tooling also affects organizations’ preparedness to comply with new regulations such as the President’s Executive Order (EO) 14028, which will require teams to provide regulators with a thorough inventory of their software environments and related vulnerabilities. The market has been alarmingly slow to respond to this increasingly urgent need for better solutions. As evidence of this, Microsoft itself released its first, basic, open source “Windows-first” SBOM generation tool as recently as July of this year.

As a result of these gaps, for organizations with large, legacy Windows environments (including critical infrastructures), a new threat on the scale of the “Y2K” scare of the late 1990s is emerging. Be it attackers or regulators, these organizations must modernize their security standards, or suffer the consequences of the looming risks ahead.

First released in May, Rezilion’s Dynamic SBOM can be deployed in all software environments – both Windows and Linux simultaneously – and provides a real-time versus static inventory of all software components in a single graphical UI. Rezilion’s solution also integrates dynamic runtime analysis to not only detect software vulnerabilities, but validate their actual exploitability, helping teams to clear away “false-positive” scan results and avoid wasteful patching work that shifts resources away from build activity.

Other key features and capabilities include:

  • Dynamic Identification – Instantly search and pinpoint vulnerable components such as Log4J across millions of files and on thousands of hosts, containers, and applications.
  • Holistic Insight & Control – View Windows and Linux risk side by side in one UI, to get a complete picture of your attack surface, manage risk efficiently and comply with auditors.
  • Tackle Legacy Vulnerability Backlogs Efficiently – Aggregate detected vulnerabilities, filter out false-positives and prioritize what matters to address risks quickly and meet modern remediation SLAs as defined by CISA, with a fraction of the effort.

Learn more about Rezilion’s Dynamic SBOM at https://www.rezilion.com/platform/dynamic-sbom/.

Book a demo today to learn more about Rezilion’s Windows software security solutions at https://www.rezilion.com/lp/windows-security-demo/.