Finite State
Vulnerability Management

Risk-Based Security: How to Focus on What’s Real, Reachable, and Exploitable

Not all vulnerabilities are created equal. See how KEVs, weaponized exploits, and reachability analysis can help you prioritize real-world risk.

September 12, 2025 • 4:30


Transcript

Alright. So next, within those, once we do have a bunch of vulnerabilities, it doesn't matter how well we patch. There's always gonna be vulnerabilities. There's always gonna be zero days. There's almost always gonna eventually be something on that KEV list, the known exploitable vulnerabilities. And these are where you need to start. Right? This is a risk-based approach. This isn't looking at my CVSS sevens through tens and focusing on the crits and highs. And I recognize some shops still march to that. But really, we at Finite State advocate more of a risk-based approach where we look at it top down.

KEV list items represent real risk. These represent things that are actively being exploited in the wild, and you can reasonably expect you could be next. Right? So most of the regulations forbid shipping anything with these in them, so it's absolutely imperative that you deal with them. You can't generally explain these away. The expectation is that you get them out of your product.

Next, we go on to what I call the mature exploit. We talk about this often as being weaponized. And mature exploits are not somebody wrote a POC. That's a lot more of an academic dialogue of how I might try to explain why I feel the code is vulnerable, and if I use these sorts of algorithms or approaches or techniques, why I think I can get the software to behave in a way nobody expected. So mature exploits really are basically a loaded gun sitting out there waiting for someone to point it at you and pull the trigger. They're fully automated. Often, weaponization means they already have a malicious payload, or certainly already have the mechanism in them to deliver a payload. So these become really important to start focusing on, and they're not always just gonna be those CVSS nines and tens. Right? These things can run the gamut down to seven and below. So these are super important to deal with.

And because now you're working on real stuff, this is real risk. This isn't theoretical risk. This isn't just a CVE that doesn't have a POC or anything else. Nobody's done anything. I don't care what its score is. It doesn't represent real risk yet. It's not to say it can't become a zero day. I'm not saying that. But the odds are not likely. Right? Whereas there's generally a relatively short distance from a mature exploit to ending up on the KEV list. And again, not all the time, but odds are in favor of that making that next step.

So one more. This is relatively new. I've been hearing about reachability for probably the last four or five years. A lot of people see it as something of a holy grail in this space. And really, this becomes really important in a modern setting with all these vulnerabilities, because to satisfy a lot of these frameworks and our suppliers and the market and the regulators to get access to the market, we have to be able to demonstrate that we're in control, that we understand what's happening. So when we can say, hey, yes, I see this CVE. I know it applies to this function, and we know that that function isn't called in our code. That's a reason why, yeah, it's gonna be in my SBOM. We're gonna be transparent about the fact that it's there, but we're also gonna demonstrate that we've done our homework and realize it doesn't affect us. So reachability sort of cuts two ways for us. It can help us in terms of what we should work on, the things that are reachable, but it also allows us to get a bunch of things off of our plate that aren't reachable. Again, this is all with an eye towards just dealing with the sheer mountain of vulnerabilities that tools like this can produce on a single project, let alone your whole portfolio. So these are the levers that I see being used the most to deal with that mountain and make it manageable.

Because this is probably, like I said, one of the bigger elements in the room as we do this. There's just this giant number. Your security folks are gonna have to start to prioritize them, and this is where tensions start to build up between teams. Like, you're sending stuff over to the devs, the devs are saying, well, this isn't even real, and all that stuff. Right? So with evidence like this and insights like this, we can help remove that tension between those teams and let the developers know, hey, you're working on stuff that's real. You're working on stuff that's reachable. Right? We're not just throwing over a bunch of vulnerabilities that don't really apply.
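The three levers described in the talk (KEV first, then weaponized exploits, then reachability to both promote and retire findings) can be written down as a small triage policy. The Python below is an added illustration for this page, not Finite State's code or platform logic. The findings, component names, placeholder CVE identifiers and reachability verdicts are all constructed; in practice they would come from an SBOM scan, the CISA KEV catalog, an exploit-intelligence feed and a call-graph tool. The `Maturity` scale and the `DEFER` tier are assumptions made for the example; the `not_affected` / `vulnerable_code_not_in_execute_path` values are the published CISA VEX vocabulary.

```python
"""Risk-based triage of SBOM findings: KEV > weaponized > reachable > CVSS.

Added example (not Finite State's code). All inputs below are constructed;
the CVE identifiers are placeholders, not real vulnerabilities.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional


class Maturity(IntEnum):
    """How far a public exploit has progressed (assumed three-step scale)."""
    NONE = 0        # no public PoC at all: theoretical risk only
    POC = 1         # proof of concept: demonstrates the bug, carries no payload
    WEAPONIZED = 2  # automated, carries or delivers a payload ("loaded gun")


@dataclass(frozen=True)
class Finding:
    cve: str
    component: str
    cvss: float
    in_kev: bool                # listed in CISA's Known Exploited Vulnerabilities
    maturity: Maturity
    reachable: Optional[bool]   # None = no reachability analysis for this CVE


# Lower tier is worked first. DEFER leaves the work queue but stays in the SBOM.
TIER_KEV, TIER_WEAPONIZED, TIER_REACHABLE, TIER_BACKLOG, DEFER = 0, 1, 2, 3, 9


def tier(f: Finding) -> int:
    """Assign a work tier. KEV always wins: the expectation is that it leaves
    the product, even when our call graph says the function is never invoked."""
    if f.in_kev:
        return TIER_KEV
    if f.reachable is False:
        # Not KEV and provably not on any execution path: document it, don't patch now.
        return DEFER
    if f.maturity == Maturity.WEAPONIZED:
        return TIER_WEAPONIZED          # real risk regardless of CVSS band
    if f.reachable is True:
        return TIER_REACHABLE           # PoC-or-less, but the code is live
    return TIER_BACKLOG                 # theoretical; CVSS orders within the tier


def triage(findings: List[Finding]) -> List[Finding]:
    """Return findings in the order they should be worked, deferred ones last."""
    return sorted(findings, key=lambda f: (tier(f), -f.cvss, f.cve))


def vex_status(f: Finding) -> dict:
    """Minimal VEX-style statement so an unreachable CVE stays transparent in
    the SBOM with the homework attached. 'evidence' is our own extra field."""
    if f.in_kev or f.reachable is True:
        return {"cve": f.cve, "status": "affected"}
    if f.reachable is None:
        return {"cve": f.cve, "status": "under_investigation"}
    return {
        "cve": f.cve,
        "status": "not_affected",
        "justification": "vulnerable_code_not_in_execute_path",
        "evidence": f"{f.component}: vulnerable function not reachable from firmware entry points",
    }


# Constructed sample: one SBOM's worth of findings with fake CVE placeholders.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "libfoo", 5.3, True,  Maturity.POC,        False),  # KEV, medium, unreachable
    Finding("CVE-0000-0002", "libbar", 9.8, False, Maturity.NONE,       None),   # critical, no PoC, unknown reach
    Finding("CVE-0000-0003", "libbaz", 7.5, False, Maturity.WEAPONIZED, True),   # weaponized, reachable
    Finding("CVE-0000-0004", "libqux", 8.1, False, Maturity.POC,        False),  # high, PoC, unreachable
    Finding("CVE-0000-0005", "libzed", 6.5, False, Maturity.POC,        True),   # medium, PoC, reachable
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS):
        print(f"tier {tier(f)}  {f.cve}  cvss={f.cvss}  {vex_status(f)['status']}")
```

Run as a script, the 5.3 KEV item comes out first and the 9.8 critical with no PoC lands in the backlog behind the reachable 7.5 weaponized exploit and the reachable 6.5, which is exactly the inversion of a CVSS-only queue the talk argues for. The unreachable 8.1 is the one that leaves the developers' plate, but only with a `not_affected` statement and its justification, so the SBOM stays honest about its presence.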