Using the CVSS to Secure the Software Supply Chain

By Mark Hermeling

Senior Director of Product Marketing

GrammaTech

June 30, 2022

Blog


It’s easy for security teams and software developers to be overwhelmed by the endless stream of software vulnerabilities reported across the hundreds of applications used by a typical large enterprise. But not all software vulnerabilities are created equal, and not all of them need immediate attention.

Understanding which ones pose a clear and present security risk if they are not remediated is critical to securing the software supply chain. This is where vulnerability scoring can help prioritize mitigation planning and management.

One effective way to filter security vulnerabilities is using the Common Vulnerability Scoring System (CVSS). If you need to focus on only the most critical vulnerabilities, then the CVSS is the metric that will help guide your remediation strategy.

The CVSS consists of a base score that incorporates the ease and complexity of exploitation, whether user interaction is required, and the level of privilege needed to conduct an attack. The base score also includes the impact of an attack, which measures how the attack compromises the CIA triad: confidentiality, integrity, and availability. CVSS also includes a temporal score, which indicates the current status of the vulnerability: whether exploits exist and whether patches are available. It’s a comprehensive metric that takes many factors into account.

CVSS values range from 1 to 10, with scores in the 9-10 range being critical. Critical vulnerabilities are those that are easiest to exploit, don’t require sophisticated methods to trigger, and pose a high risk to, and have a high impact on, the attacked system. In other words, these are the vulnerabilities you need to fix immediately.

CVSS is not only a good way to assess commercial off-the-shelf (COTS) applications, but also third-party and open source code that may be used in software products your organization builds and sells.

In addition to scoring vulnerabilities, CVSS classifies them by type and how dangerous these are when exploited as follows:

  • Remote code execution (RCE): allows external data (e.g. user input) to become executable code. This may be due to replacing executables on the target file system or to a stack overflow that overwrites the stack frame with arbitrary data. Exploits of these vulnerabilities are very dangerous, since they enable attackers to run arbitrary code on the system under attack.
  • Elevation of privilege: enables an attacker to gain elevated process, root, or administrator privileges, depending on the target operating system. Often these vulnerabilities allow an attacker to do almost anything on the target system.
  • Arbitrary code execution: similar to RCE, these vulnerabilities allow an attacker to execute injected code, for example delivered through malformed files, to force a system to perform an unauthorized action.
  • Arbitrary file reading: files on the target system are usually hidden and well protected by the operating system. However, this type of vulnerability can allow an application to expose the filesystem to the attacker. For example, the entire contents of a customer database could be retrieved with such an attack.
  • Path traversal: similar to an arbitrary file reading vulnerability, path traversal allows an attacker to read files from other parts of the target system. This is usually done with malformed input that ends up being used in filenames generated by the application under attack.

Remediating Software Supply Chain Vulnerabilities

The following steps, in conjunction with the CVSS, can help to mitigate the risk of vulnerabilities in the software supply chain.

Complacency is the enemy: The biggest issue in securing supply chains is lack of action. Organizations need to place higher priority on securing COTS they use and internally developed applications.

Maintain visibility: Create, and demand from suppliers, an accurate and detailed software bill of materials (SBOM). This serves as an important artifact in securing the software supply chain for IT security teams, customers, and suppliers.

Design for updates: The reality of modern software development is that you can’t know in advance how long your software will be used or what vulnerabilities exist in your dependencies or your own code. Therefore, it’s imperative that software and products that include open source, third-party, and/or outsourced software be designed to be updated. As new threats emerge or vulnerabilities are discovered, your product must be updateable in a timely and secure manner.

Secure software delivery: As we have seen in recent attacks, maintaining the security of the channels used for installing, patching, and updating software is critical for protecting applications from being compromised. This includes the ability to verify that payloads are legitimate.

The CVSS provides a great tool to zero in on the security vulnerabilities in the software supply chain that pose the greatest risk and need immediate attention. However, without visibility into whether and where these vulnerabilities exist in the organization, security teams are flying blind. This is where software composition analysis comes into play. By creating an SBOM, organizations can identify open source components and libraries that contain CVSS-scored vulnerabilities, and prioritize their risk management and remediation activities accordingly.
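The closing paragraph describes the workflow in one sentence: join the SBOM against an advisory feed, then rank what matches by CVSS score. The following added example (not code from the original post or from GrammaTech) carries that out on a constructed SBOM and a constructed advisory list. The component names, versions, advisory identifiers (ADV-EXAMPLE-...) and scores are all placeholders invented for the illustration; a real pipeline would read a CycloneDX or SPDX file and a vulnerability database instead, and would need a proper version-comparison library for non-numeric version strings.

```python
from dataclasses import dataclass

# Constructed sample SBOM, shaped loosely like CycloneDX "components" entries.
# Names and versions are placeholders, not real packages.
SBOM = [
    {"name": "libexample-xml", "version": "2.9.4"},
    {"name": "fastparse", "version": "1.4.0"},
    {"name": "netutil", "version": "3.1.2"},
    {"name": "loggingkit", "version": "0.8.1"},
]

# Constructed advisory feed: affected component, inclusive version range, and
# CVSS v3.1 base score. The ADV-EXAMPLE ids are placeholders, not CVE numbers.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "libexample-xml", "affected": ("2.0.0", "2.9.9"), "score": 9.8},
    {"id": "ADV-EXAMPLE-0002", "component": "fastparse", "affected": ("1.0.0", "1.3.9"), "score": 7.5},
    {"id": "ADV-EXAMPLE-0003", "component": "netutil", "affected": ("3.0.0", "3.2.0"), "score": 5.3},
    {"id": "ADV-EXAMPLE-0004", "component": "loggingkit", "affected": ("0.0.0", "0.9.0"), "score": 9.1},
]


def version_key(version):
    """Compare dotted numeric versions as integer tuples so '1.10' > '1.9'.
    (Assumption: versions are purely numeric; use a packaging library otherwise.)"""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, affected):
    """True when version falls inside the inclusive [low, high] range."""
    low, high = affected
    return version_key(low) <= version_key(version) <= version_key(high)


def severity(score):
    """CVSS v3.1 qualitative bands."""
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class Finding:
    component: str
    version: str
    advisory: str
    score: float
    severity: str


def match_findings(sbom, advisories):
    """Join SBOM components against advisories; highest CVSS score first."""
    findings = []
    for comp in sbom:
        for adv in advisories:
            if adv["component"] == comp["name"] and is_affected(comp["version"], adv["affected"]):
                findings.append(Finding(comp["name"], comp["version"], adv["id"],
                                        adv["score"], severity(adv["score"])))
    return sorted(findings, key=lambda f: f.score, reverse=True)


def remediation_queue(findings, threshold=9.0):
    """Split findings into the 'fix immediately' set (score >= threshold, i.e. the
    9-10 critical band the post highlights) and the set to schedule."""
    fix_now = [f for f in findings if f.score >= threshold]
    schedule = [f for f in findings if f.score < threshold]
    return fix_now, schedule


if __name__ == "__main__":
    fix_now, schedule = remediation_queue(match_findings(SBOM, ADVISORIES))
    print("Fix immediately:")
    for f in fix_now:
        print(f"  {f.score:4.1f} {f.severity:8s} {f.component} {f.version} ({f.advisory})")
    print("Schedule:")
    for f in schedule:
        print(f"  {f.score:4.1f} {f.severity:8s} {f.component} {f.version} ({f.advisory})")
```

Note that fastparse 1.4.0 produces no finding because it sits outside the advisory's affected range; this is exactly the kind of false positive that a name-only match would raise, and why the SBOM must carry accurate versions and not just component names.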


Mark Hermeling, senior director of product marketing for GrammaTech, has more than 20 years of experience in software development tooling, operating systems, virtualization and networking technology in safe and secure, embedded and real-time systems. He has worked on projects building automotive, networking, aerospace and defense and industrial devices in North America, Europe and Asia. Mark also worked for Wind River Systems (an Intel Corporation subsidiary), Zeligsoft and IBM Rational.
