Understanding the Importance of Runtime Reachability in Cybersecurity


By Tina Reynolds


In the ever-changing world of cybersecurity, “reachability” is quickly becoming the most talked-about buzzword. It is shorthand for the ability to identify which vulnerabilities in a software ecosystem are actually exploitable. With organizations hit by serious attacks every day, getting reachability right is more critical than ever. This article looks at the different forms of runtime reachability, their relevance to cybersecurity, and how they help security engineers prioritize vulnerabilities.

Reachability is about determining which vulnerabilities can actually be exploited at runtime. By combining the different types of reachability, security teams can work out which findings genuinely threaten their environment. With that knowledge they can deprioritize false positives, reserve their effort for the findings that matter, and strengthen their security posture.

James Berthoty, an expert in the field, emphasizes the ultimate aim of reachability:

“The real goal is to get as close as possible to ‘exploitability.’” – James Berthoty

Runtime reachability comes in three distinct types: loaded, network, and function execution. Each type offers its own benefits and limitations.

“Only runtime reachability will get us there.” – James Berthoty

The Different Types of Runtime Reachability

Loaded reachability identifies whether a specific library is actually loaded in the application’s runtime environment. That alone is valuable: it lets security teams cut the noise from findings in libraries that are clearly not in use. It is far from perfect, though. It can tell you which libraries your process has loaded, but not whether the vulnerable functions inside those libraries are ever called.

Network reachability has gained popularity with the rise of Cloud-Native Application Protection Platforms (CNAPPs). It evaluates which services connect to one another and how they communicate, giving a good indication of how exposed a service is to the internet. Its one major deficiency is that it cannot tell you how many hops separate a service from the outside, which can mask the true extent of the risk.

Function execution reachability provides the most valuable, data-driven context: it shows which functions within a vulnerable library the application actually executes, which is exactly what most exploits target. Only a handful of vendors support it (Raven, Miggo, Oligo, Kodem). By pinpointing which vulnerable functions are actually executed, function execution reachability gives security engineers strong prioritization power.

Of the various forms of reachability, function-level execution provides the highest true-positive value. It helps security engineers focus on the most critical vulnerabilities by highlighting the specific functions that may be exploited.

The Value of Function-Level Execution

Libraries can easily contain hundreds or thousands of functions. By determining which of them are actually called, you can eliminate a great deal of false-positive noise. Most known exploits target specific functions rather than an entire dynamic library, which is what makes function execution reachability such a powerful weapon in the ongoing fight against cyber threats.

Loaded reachability tells you whether a library is loaded. While useful, it lacks the granularity needed for a detailed security evaluation. Function execution reachability lets security teams focus on the most dangerous parts of their codebases.
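To make the difference between the loaded and function-execution checks described above concrete, here is an added example in Python. It is not code from this article or from any of the vendors it names. It builds a constructed toy library ("toylib") with a safe function and a hypothetical vulnerable one, a constructed vulnerability record with the made-up identifier EXAMPLE-0001, and two tiny applications. The loaded check consults sys.modules, the way a loaded-reachability tool would inspect a process's loaded libraries; the function-execution check records every Python function that runs under sys.setprofile and matches the vulnerable function by (module, function) name.

```python
"""Loaded vs. function-execution reachability on a constructed toy library.

Added example for this article; not code from the article or from any vendor
it names. The library, the applications and the vulnerability record below
are all constructed and hypothetical.
"""
import sys
import types
from typing import Callable, Dict, List, Set, Tuple

# Constructed third-party library. It is built as a real module object so that
# functions defined in it report "toylib" as their module when profiled.
# exec() on a constant string is used only to give the functions that module scope.
toylib = types.ModuleType("toylib")
exec(
    "def parse_safe(text):\n"
    "    return {'value': text.strip()}\n"
    "\n"
    "def parse_unsafe(text):\n"
    "    # stand-in for a known-bad code path in the library (hypothetical)\n"
    "    return {'value': text}\n",
    toylib.__dict__,
)
sys.modules["toylib"] = toylib  # equivalent to the application importing it

# Constructed vulnerability record. EXAMPLE-0001 is a made-up identifier; a real
# tool would take this from an advisory feed that names the affected function.
VULNS: List[Dict[str, str]] = [
    {"id": "EXAMPLE-0001", "module": "toylib", "function": "parse_unsafe"},
]


def loaded_reachability(vulns: List[Dict[str, str]]) -> Set[str]:
    """Loaded reachability: flag a finding if the affected module is in the process."""
    return {v["id"] for v in vulns if v["module"] in sys.modules}


def trace_calls(workload: Callable[[], None]) -> Set[Tuple[str, str]]:
    """Run the workload under sys.setprofile and record every (module, function)
    pair for Python-level calls. C-level calls (e.g. str.strip) are ignored."""
    executed: Set[Tuple[str, str]] = set()

    def profiler(frame, event, arg):
        if event == "call":
            executed.add((frame.f_globals.get("__name__", "?"), frame.f_code.co_name))

    sys.setprofile(profiler)
    try:
        workload()
    finally:
        sys.setprofile(None)
    return executed


def function_execution_reachability(
    vulns: List[Dict[str, str]], executed: Set[Tuple[str, str]]
) -> Set[str]:
    """Function-execution reachability: flag a finding only if the vulnerable
    function itself ran."""
    return {v["id"] for v in vulns if (v["module"], v["function"]) in executed}


def app_safe_path() -> None:
    """Constructed application that loads the library but only calls the safe function."""
    sys.modules["toylib"].parse_safe("  hello  ")


def app_vulnerable_path() -> None:
    """Constructed application that actually calls the vulnerable function."""
    sys.modules["toylib"].parse_unsafe("hello")


def assess(workload: Callable[[], None]) -> Dict[str, Set[str]]:
    """Return what each reachability type would report for the given workload."""
    return {
        "loaded": loaded_reachability(VULNS),
        "executed": function_execution_reachability(VULNS, trace_calls(workload)),
    }


if __name__ == "__main__":
    for name, workload in (("safe path", app_safe_path), ("vulnerable path", app_vulnerable_path)):
        report = assess(workload)
        print(f"{name}: loaded={sorted(report['loaded'])} executed={sorted(report['executed'])}")
```

For the safe-path application the loaded check reports EXAMPLE-0001 (the library is in the process) while the function-execution check reports nothing, because parse_unsafe never ran; for the vulnerable-path application both checks report it. That gap is the false-positive noise the article describes. A production tool would replace the in-process profiler with lower-overhead instrumentation (sampling, eBPF, or an agent) and would need advisory data that actually names the affected functions, which is the hard part of function-level reachability in practice.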

As simple as it sounds, reachability is a complex concept, albeit an important one. Vendors have popularized the term extensively, but it can mean something entirely different from platform to platform and context to context. As organizations adopt reachability, they should start from the understanding that not all runtime reachability solutions are the same.

The Complex Nature of Reachability

We have not even touched on how the complexity of reachability grows when multiple layers of cloud and application environments sit between the attacker and the vulnerable code. Organizations need to understand these complexities to manage vulnerabilities well and improve their security posture.

By leveraging the unique capabilities of each type of reachability, loaded, network, and function execution, security professionals can devise a more effective vulnerability management strategy. Understanding the strengths and limitations of each type ensures that security teams can focus their efforts where they matter most.