Effective Usage Analysis: The Shortest Path Between a Developer and Accelerated Product Releases

2021-09-24

Authors: Rami Elron


Summary

Effective usage analysis can significantly accelerate product releases by identifying and prioritizing effective vulnerabilities, eliminating inefficiencies, and improving resource utilization.
  • Modern software applications have thousands of dependencies between open source and proprietary components, many of which have security vulnerabilities
  • 70% of reported vulnerabilities in real-world applications cannot be referenced from application code, effectively posing no risk
  • Organizations often prioritize vulnerability handling based on reported severity, leading to an inordinate amount of time spent on ineffective vulnerabilities
  • Effective usage analysis facilitates the identification of effective and ineffective vulnerabilities, enabling organizations to focus on real risks and expedite product delivery
  • Effective usage analysis improves prioritization, eliminates inefficiencies, and helps organizations realize better scheduling goals
The study found that a significant number of reported vulnerabilities in Java and other programming languages were ineffective and did not pose a risk. By prioritizing effective vulnerabilities, organizations can save time and focus on real risks, leading to faster product releases. Additionally, effective usage analysis can provide developers with pinpointed information on where to look for vulnerabilities, improving remediation efficiency.

Abstract

Modern software applications can feature thousands of direct or indirect code dependencies between proprietary and open source software components, many of which have security vulnerabilities. Vulnerability scanning commonly reports a gigantic number of findings that demand attention by development teams. Our study, based on the review of hundreds of open source projects in Java, .NET, Python, and JavaScript, shows that about 70% of the reported vulnerabilities in real-world applications cannot be referenced from application code, thereby effectively posing no risk. However, many organizations establish the urgency of vulnerability handling based on the vulnerability’s reported severity. In light of the large number of reported vulnerabilities that are not ‘effective,’ security and development personnel often find themselves investing an inordinate amount of time addressing alerts that should have been prioritized in the first place.

Knowledge of a vulnerability’s ‘effectiveness’ is extremely valuable to organizations. It enables organizations to eliminate a substantial portion of reported security risks with 100% accuracy to concentrate on a significantly smaller number of ‘effective’ vulnerabilities. This enables organizations to save precious time, focus their development teams’ attention on real risks, apply remediation efficiently, and expedite product delivery.

This session presents how prioritization based on effective usage analysis enables organizations to confirm which reported vulnerabilities can be exploited, significantly reducing the number of vulnerabilities developers must remediate.
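The following is an added illustration, not code from the talk or its authors, of the prioritization idea described above: given a call graph and a list of reported vulnerabilities, it separates findings whose vulnerable function is reachable from application code (effective) from those that are not (ineffective), and attaches the call path a developer would follow to each effective one. The call graph, dependency names and VULN-* identifiers are all constructed for the example; in practice the graph would come from a static analysis of the build, and constructs such as reflection or dynamic dispatch need to be resolved before the reachability result can be trusted.

```python
from collections import deque

# Constructed call graph: caller -> callees. Names prefixed "app." are the
# application's own code; everything else belongs to open source dependencies.
CALL_GRAPH = {
    "app.main": ["app.handle_upload", "app.render_report"],
    "app.handle_upload": ["fileutil.parse_archive"],
    "app.render_report": ["textlib.escape"],
    "fileutil.parse_archive": ["fileutil.decompress"],
    "fileutil.decompress": ["textlib.normalize"],
    "textlib.escape": [],
    "textlib.normalize": [],
    "textlib.render_template": [],   # shipped with the dependency, never called
    "netlib.deserialize": ["netlib.resolve_class"],
    "netlib.resolve_class": [],
}

# Constructed vulnerability reports: (placeholder id, vulnerable function, severity score).
REPORTED = [
    ("VULN-A", "netlib.deserialize", 9.8),
    ("VULN-B", "textlib.render_template", 8.1),
    ("VULN-C", "fileutil.decompress", 7.5),
    ("VULN-D", "textlib.normalize", 5.3),
]

def reachable_paths(graph, entry_points):
    """Breadth-first search from the application's entry points. Returns
    {function: call path} for every function application code can reach."""
    paths = {ep: [ep] for ep in entry_points}
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        for callee in graph.get(fn, []):
            if callee not in paths:
                paths[callee] = paths[fn] + [callee]
                queue.append(callee)
    return paths

def prioritize(reported, graph, entry_points):
    """Split reports into effective (reachable) and ineffective (unreachable).
    Effective findings are ordered by severity and carry the call path that
    pinpoints where a developer should look."""
    paths = reachable_paths(graph, entry_points)
    effective = [(vid, sev, paths[fn]) for vid, fn, sev in reported if fn in paths]
    ineffective = [vid for vid, fn, _ in reported if fn not in paths]
    effective.sort(key=lambda item: item[1], reverse=True)
    return effective, ineffective
```

With this input, severity-only triage would start with VULN-A and VULN-B, yet neither is reachable from `app.main`; the effective list is VULN-C followed by VULN-D, each with its call path.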

Materials: