It is only a matter of time...

Reachability and Exploitability: A False Refuge in Software Security

Note: This content was generated with AI as part of a test. The other article can be found at https://snakeeyessoftware.com/site/2024/02/when-reachability-and-exploitability-dictate-software-security-decisions-a-critical-examination/

We live in a world of increasing technological reliance and, sadly, an equally accelerating rate of cyberattacks. As a software security expert with over two decades of experience, I’ve repeatedly seen “reachability” and “exploitability” used as weak shields to excuse inaction in addressing software vulnerabilities.

This approach fails in a world of complex software systems and evolving attack techniques. It also undermines the core mission of any software security posture: proactive defense against emerging threats.

The Argument: A Convenient Delay

“It’s not reachable, not exploitable” – this refrain lulls teams into a false sense of security. Those pushing back on prioritizing or reporting a vulnerability paint a narrative of immunity as long as reachability and exploitability flags aren’t raised. The problem? This logic is dangerously deceptive.

Let’s break down the key reasons why prioritizing vulnerability fixes cannot be held hostage to the perceived difficulty of exploiting them:

1. Flawed Testing and Shifting Attack Surfaces

Determining reachability and exploitability through testing is a complex and imperfect task. Modern software is a labyrinth of dynamic dispatch, reflection, plugins and transitive dependencies, so a call graph built from the code you can see easily misses the path that actually reaches the vulnerable function, and a path that is unreachable in this release can become reachable after the next feature lands. Log4Shell is the standard reminder: Log4j's JNDI lookup had shipped for years as a documented feature before it was recognised as a remote code execution path, and applications whose owners were sure they never logged attacker-controlled data turned out to log HTTP headers and usernames.
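To make the first point concrete, here is an added example (not code from the original post) of a static reachability check giving the wrong answer. The application source, the stand-in `vulnlib` module and its `render_template` sink are all constructed for the demonstration: a toy call-graph walk over the AST reports the sink unreachable, because the only call targets it can see are `getattr` and a local name, while running the handler on one request reaches it.

```python
import ast
import sys
import types
from typing import List, Optional, Set, Tuple

# Constructed application source for the demonstration (not real project code).
# The handler dispatches by name, so no static call edge points at vulnlib.render_template.
APP_SOURCE = '''
import vulnlib

def handler(request):
    fn = getattr(vulnlib, "render_" + request["action"])
    return fn(request["payload"])
'''


def _dotted_name(node: ast.AST) -> Optional[str]:
    """Render `a.b.c` call targets as a dotted string; anything else is opaque (None)."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def static_call_targets(source: str) -> Set[str]:
    """Toy call-graph edge list: every direct call target visible in the AST."""
    targets = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name:
                targets.add(name)
    return targets


def statically_reachable(source: str, sink: str) -> bool:
    """What a naive reachability scanner reports for `sink`."""
    return sink in static_call_targets(source)


def build_vulnlib() -> types.ModuleType:
    """Stand-in for a third-party library; render_template plays the vulnerable sink."""
    mod = types.ModuleType("vulnlib")
    mod.calls = []  # record of which library function actually ran

    def render_template(payload):
        mod.calls.append(("render_template", payload))
        return f"rendered:{payload}"

    def render_plain(payload):
        mod.calls.append(("render_plain", payload))
        return payload

    mod.render_template = render_template
    mod.render_plain = render_plain
    return mod


def dynamically_reached(source: str, request: dict) -> List[Tuple[str, str]]:
    """Run the handler with the stand-in library installed and report what it called."""
    vulnlib = build_vulnlib()
    sys.modules["vulnlib"] = vulnlib  # satisfies `import vulnlib` inside the app
    try:
        namespace = {}
        exec(source, namespace)
        namespace["handler"](request)
    finally:
        del sys.modules["vulnlib"]
    return vulnlib.calls


if __name__ == "__main__":
    sink = "vulnlib.render_template"
    verdict = "reachable" if statically_reachable(APP_SOURCE, sink) else "unreachable"
    print("static verdict for", sink + ":", verdict)
    print("static call targets seen:", sorted(static_call_targets(APP_SOURCE)))
    print("actually executed:", dynamically_reached(APP_SOURCE, {"action": "template", "payload": "{{evil}}"}))
```

The scanner is deliberately naive, but commercial tools face the same wall whenever the target is computed at runtime: `getattr`, `importlib`, plugin registries, deserialisation callbacks and framework routing all produce edges that are not in the source text, and the scanner's "unreachable" verdict is only as good as the request shapes it was able to model.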

2. The Ticking Clock of Technical Debt

Delaying a fix under the guise of low reachability or exploitability only compounds the problem. The longer the upgrade is postponed, the more new code is written against the vulnerable library's API, and the larger and more disruptive the eventual upgrade becomes. This slows feature development and makes every future upgrade more costly. Proactive vulnerability management avoids this accumulation of technical debt.

3. Responsibility to the Software Ecosystem

In a connected digital world, one vulnerable component becomes everyone’s problem. Open-source and widely used libraries, when they carry flaws, ripple outward. Holding back on reporting or fixing vulnerabilities burdens maintainers with supporting increasingly outdated versions, hindering overall code quality. A more responsible approach is to promptly update, making the entire ecosystem safer.

4. The Test of Replaceability

If the vulnerable code is genuinely unreachable or not exploitable, that raises a bigger question: why keep the component at all? A dependency whose vulnerable code path you never use is often easier and safer to remove, or to replace with a maintained alternative, than to carry and argue about. After all, if it won't affect your operations, what's the worry?

A Case for Urgency

Using reachability and exploitability as a justification for delays betrays a deeper security issue: prioritizing convenience over resilience. Every known vulnerability is a potential entry point for future attacks – whether or not a ‘reachable’, easy exploit exists today. It’s only a matter of time before that changes.

In software security, just as in the real world, we don’t wait until the intruder bursts through the door. We change the locks and secure the windows.

A New Mindset

Vulnerability management should focus on continuous improvement, not on litigating reachability or exploitability case by case. Those signals can help decide what to fix first; they cannot justify leaving a known vulnerability unfixed. Aim to eliminate or reduce all known vulnerabilities, regardless of how hard they appear to exploit today. That is the best way to protect your organization and contribute to a more secure software world for everyone.

Let’s stop enabling ‘security theater’ and focus on truly reducing cyber risk. Don’t let “not reachable” and “not exploitable” be used as a lullaby that leads to complacency. We all deserve better.

Posted in Artificial Intelligence, Security.