Over fifty vulnerabilities are discovered every day, according to NIST data. What does that mean for your incident response effort? And, more broadly, how will incident response help you ensure, or even work toward, product security across your software supply chain lifecycle?
More than 20,000 vulnerabilities were discovered in 2021 alone.
What happens when you need to know—right now—if your product, or a component manufactured by a supply chain partner, is exposed to a new CVE?
Knowing about a Vulnerability vs. Addressing It
There’s a gap between learning of a new known vulnerability and determining that it constitutes an incident that needs your resources and attention.
How do you know if you have—lurking within your product:
One or more of the thousands of vulnerabilities discovered every year?
A high, critical, or zero-day vulnerability that needs immediate mitigation?
If the vulnerability came from a product of a supply chain partner, how do you know if that vendor will support your mitigation strategy?
Incident Response Needs a Comprehensive Approach
When a new vulnerability surfaces, product manufacturers and asset owners scour internal and external supply chains to determine their exposure—and what it means. The scope of that discovery and assessment process can span thousands of products.
Not all SBOMs are created equal. Beyond the different SBOM formats available, SBOMs are only as good as the technology that created them. Not all SBOMs see into device firmware or the binaries of code compiled by upstream supply chain partners. When SBOMs don’t grant continuous visibility into all corners of your code, exposures to new vulnerabilities not only survive your incident response effort; you won’t even know they’re there.
Until an attack comes.
However, even if you have a quality SBOM on hand with an inventory of components and subcomponents, it’s a point-in-time document. That SBOM tells you the components you had on the day of the scan, which often differ from what you have when the news of new vulnerabilities arrives.
As the threatscape continues to evolve and new vulnerabilities emerge, blind spots and snapshot remediation just won’t work.
When news of the Log4j vulnerability first emerged late last year, many organizations read with increasing fear about the remote code execution it could enable for unauthorized users exploiting this widespread logging utility, which is found in almost every Java application.
But PSIRTs (Product Security Incident Response Teams) and risk management teams found some initial relief when simple patches and other mitigations surfaced that could be applied to web applications to mitigate the vulnerability.
That relief was short-lived. These organizations soon realized that they also had Log4j in many of their connected devices at the firmware level. Embedded and connected devices are often developed with Java and use embedded Java servers.
They needed a solution that could see inside the firmware of connected devices and into other opaque areas like binaries and determine if Log4j or other vulnerabilities lurked there.
Finite State’s Global Search Difference
When the Log4j vulnerability first surfaced, Finite State used its Global Search tool on its extensive firmware libraries and found that pervasive vulnerabilities existed in devices that spanned many industries.
Then and now, Finite State’s Global Search tool enables you to search all versions of firmware, software, components, and products in your asset inventory so you can know if you’re exposed to new vulnerabilities and weaknesses like Log4j.
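The kind of inventory-wide search described above, as an added illustration that is not Finite State’s code: it walks a constructed set of CycloneDX-style SBOM records, matches a component against a hypothetical advisory’s affected version range (the component name, range and dates are all made up for the example), and flags hits whose SBOM is old enough that the point-in-time snapshot may no longer match the shipped build.

```python
"""Search a set of SBOM records for an advisory's affected component versions."""
import re
from datetime import date

# Constructed inventory: CycloneDX-like records for fictional products.
INVENTORY = [
    {"product": "camera-fw", "sbom_date": "2021-11-20",
     "components": [{"name": "log4j-core", "version": "2.13.3"},
                    {"name": "netty", "version": "4.1.60"}]},
    {"product": "gateway-app", "sbom_date": "2021-12-10",
     "components": [{"name": "log4j-core", "version": "2.16.0"}]},
    {"product": "sensor-hub", "sbom_date": "2020-01-15",
     "components": [{"name": "log4j-core", "version": "2.0-beta9"}]},
]

# Hypothetical advisory: affected range is [affected_min, affected_max), values are illustrative.
ADVISORY = {"component": "log4j-core", "affected_min": "2.0-beta9", "affected_max": "2.15.0"}


def parse_version(v):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple; pre-releases sort below the release."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)(?:-([a-z]+)(\d*))?", v)
    if not m:
        raise ValueError(f"unsupported version string: {v}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))            # pad so '2.0' compares like '2.0.0'
    pre = (0, m.group(2), int(m.group(3) or 0)) if m.group(2) else (1, "", 0)
    return nums + pre


def is_affected(version, advisory):
    v = parse_version(version)
    return parse_version(advisory["affected_min"]) <= v < parse_version(advisory["affected_max"])


def search_inventory(inventory, advisory, today, max_age_days=90):
    """Return {product: (version, stale)} for each SBOM listing an affected version.

    stale=True means the SBOM is older than max_age_days: the snapshot may not
    reflect the current build, so the product should be rescanned, not just patched.
    """
    now = date.fromisoformat(today)
    hits = {}
    for sbom in inventory:
        age = (now - date.fromisoformat(sbom["sbom_date"])).days
        for c in sbom["components"]:
            if c["name"] == advisory["component"] and is_affected(c["version"], advisory):
                hits[sbom["product"]] = (c["version"], age > max_age_days)
    return hits


if __name__ == "__main__":
    for product, (ver, stale) in search_inventory(INVENTORY, ADVISORY, "2021-12-12").items():
        print(f"{product}: {ADVISORY['component']} {ver}" + (" (SBOM stale, rescan)" if stale else ""))
```

Products whose SBOM names the component but with no version, or whose SBOM never saw the firmware at all, will not appear in the hits, which is exactly the blind spot the text warns about.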
Knowledge is power, as the old saying goes. When you know whether you face exposures to new vulnerabilities and weaknesses, you can invest your effort into doing something about it, rather than rushing to uninformed decisions. That time you save might just be needed to pull your devices off a network while you devise a mitigation plan rather than try to recover from damage after the fact.
Finite State’s Global Search tool helps you find exposures in your products and devices, whether you manufactured them—or bought them from a supply chain partner. And, after discovering and assessing those vulnerabilities and weaknesses, Finite State can help guide you through the prioritization and remediation process through a range of customer support service options.
Get full visibility into your product and automate your product security across the software supply chain. Schedule a demo and we’ll show you what the Finite State Platform can do.