ReversingLabs Analysis Reveals Need to Expand National Vulnerability Database to Include Emerging Software Supply Chain Flaws

Findings show flaws in open source contribute to a sharp rise in reports to the National Vulnerability Database in 2022; research demonstrates how emerging software supply chain attacks warrant new considerations for the NVD — and for organizations’ approach to software security


CAMBRIDGE, Mass., Aug. 11, 2022 (GLOBE NEWSWIRE) -- ReversingLabs, the leader in software supply chain security, today released a new research report titled "NVD Analysis 2022: A Call to Action on Software Supply Chain Security," which predicts that 2022 will exceed the previous record for new vulnerabilities reported to the National Vulnerability Database (NVD) — a record set in 2021. The analysis predicts that more than 24,000 CVEs (common vulnerabilities and exposures) will be registered with the NVD in calendar year 2022, a 22% increase over 2021.

But the surge in new CVEs reported to the NVD is less reflective of a decline in software quality than of the broader scope of the NVD and the growing number of companies and countries participating as CVE Numbering Authorities (CNAs), ReversingLabs' analysis concludes, based on research conducted by Lemos Associates.

For application development teams and those responsible for software security, however, a notable rise in software supply chain attacks should serve as a call to action. It is also a call for reform. The NVD is a critical resource for both software development and security organizations; its scope should expand beyond common software vulnerabilities on legacy platforms to better reflect the breadth of security exposures (the “E” in CVE) — including malware injection, software tampering and secrets exposure, which threaten software supply chain integrity.

Among the key findings of ReversingLabs' new report:

  • Vulnerability reports to reach new high in 2022, up 22%: MITRE Corp's Common Vulnerabilities and Exposures (CVE) list, which is part of the National Institute of Standards and Technology's (NIST) National Vulnerability Database, is accelerating. According to ReversingLabs, if the number of reports keeps pace with the first half of the year, software companies and maintainers will likely have to contend with almost 24,500 reports in 2022 — a 22% increase over the previous year.

  • The number of vulnerabilities will continue to grow: This rise is being driven by two factors: a growing number of companies and countries participating in the CVE program; and the number of projects — especially open source projects — covered by CVE Numbering Authorities.

  • Open source is becoming a preferred target: While Linux, Android, Windows, Mac, and iOS attract the most research and the resulting CVEs, open-source software hosted on public repositories, as well as the tools and platforms used by development teams, is becoming a point of focus for both researchers and attackers, making platforms like GitLab a top source of new, non-OS-linked CVEs in the first half of 2022.

  • Software supply chain attacks surge: Attacks on software development pipelines and code repositories are on the rise. For example, ReversingLabs data shows that attacks on the popular software package repositories npm and the Python Package Index (PyPI) spiked 289% in the last few years, from 259 in 2018 to 1,010 in 2021. An increase in vulnerabilities in repositories undermines supply chain security, giving rise to attacks on these platforms. ReversingLabs data finds cumulative software supply chain attacks since 2010 totaling more than 6,000 incidents.

  • NVD needs to evolve to stay relevant: The NVD is expanding as open source maintainers, as well as new application and platform providers, join the CNA mix. However, ReversingLabs’ analysis found that the NVD is not keeping pace with vulnerabilities being collected outside the CVE process. To remain relevant, the NVD should expand to incorporate vulnerabilities in common DevOps tools and platforms, which are increasingly becoming targets of malicious actors.

  • Software security teams need to expand their approach: Software development teams and those responsible for software security need to shift their focus beyond vulnerabilities on common platforms and become attuned to emerging software supply chain risks in open source repositories, CI/CD tools and platforms, and more.

  • Software supply chain trust is key: While many tools designed to help secure software-development pipelines focus on rating the projects, programmers, and open-source components and their maintainers, recent events — such as the emergence of “protestware” like the politically motivated changes to the node-ipc open source package, or the hijacking of the popular ua-parser-js project to deliver a cryptominer — underscore that seemingly secure projects can be compromised, or otherwise pose security risks to organizations. "As long as we keep ignoring the core of the problem—which is how do you trust code—we are not handling software supply chain security," said Tomislav Peričin, co-founder and chief software architect at ReversingLabs.

ReversingLabs' full report, "NVD Analysis 2022: A Call to Action on Software Supply Chain Security," contains full details on the research and is available now. To learn more about the findings, you can also access the report highlights and infographic.

About ReversingLabs
ReversingLabs empowers modern software development and security operations center teams to protect their software releases and organizations from sophisticated software supply chain attacks, malware, ransomware, and other threats.

The ReversingLabs Titanium Platform analyzes any file, binary, or object, including those that evade traditional security solutions. It is a hybrid-cloud, privacy-centric platform that unifies Dev and SOC teams with transparent, human-readable threat analysis, arming developers, DevSecOps, SOC analysts and threat hunters to respond confidently to software tampering and security incidents.

ReversingLabs data is used by more than 65 of the world's most advanced security vendors and their tens of thousands of security professionals. ReversingLabs enterprise customers span all industries, leveraging integrations with popular DevSecOps and SOC platforms that enable teams to access the analysis they need to make quick security verdicts, eliminate threats, and release software with confidence.

Media Contact:
Doug Fraim, Guyer Group
doug@guyergroup.com

A photo accompanying this announcement is available at https://www.globenewswire.com/NewsRoom/AttachmentNg/74e57a2c-4566-40ec-9fef-075668cf9fa2