
Snyk Releases Enhanced Vulnerability Prioritization Features


Snyk has announced a set of new features intended to simplify the prioritization of security vulnerabilities. The release includes a new, proprietary algorithm that assigns a score to each identified issue, taking into account the maturity of any known exploit and whether the affected code is actually reachable when the application runs. The release also includes a new feature for identifying vulnerabilities in Kubernetes workloads.

The new release, bundled as "developer-first prioritization" capabilities, is designed to simplify and improve upon common prioritization methods. The priority score system combines a number of factors, including the CVSS score, the availability of a fix, the age of the exploit, and whether the vulnerable code is reachable, into a single priority score ranging from 1 to 1000. This score is calculated for both security vulnerabilities and license issues within the application repository.

Part of this analysis includes assessing the exploit maturity. This measure helps indicate whether an exploit for the vulnerability exists and how easily it can be leveraged. There are three levels within this assessment: Mature, indicating a published exploit exists; Proof of Concept, indicating a theoretical exploit exists; and No Known Exploit, indicating there is no known publicly available exploit. Exploit maturity is available within all Snyk plans.

Daniel Berman, product marketing director at Snyk, shares that only:

10% of Java vulnerabilities, for example, have an exploit. But a deeper analysis reveals that only 36% of these exploits are actually "mature", pose a real and present significant danger, and should, therefore, be placed on the top of the priority list.

The new reachable vulnerabilities analysis helps determine whether application code can actually invoke a vulnerable function at runtime. The analysis builds a call graph by mapping out the application code and the specific calls it makes into its open source dependencies. This call graph is then correlated with Snyk's vulnerability database to determine whether control flow from the application can reach the vulnerable functions; a vulnerable dependency whose affected function is never called is reported as not reachable. Reachable vulnerabilities analysis is currently in beta for all Snyk plans and is only available for Java (Maven) projects.
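The following is an added example, written for this article and not Snyk's own implementation, of the reachability idea described above: a breadth-first search over a call graph from the application's entry points, intersected with a table of vulnerable functions. The call graph, the function names and the vulnerability identifiers are all constructed for illustration; a real tool would derive the graph from bytecode or source analysis and the vulnerability table from a curated database.

```python
"""Toy reachable-vulnerability analysis over a call graph.

Added example, not Snyk's code. Every function name and vulnerability
identifier below is constructed for illustration.
"""
from collections import deque

# Constructed call graph: caller -> set of callees, in "package.Class.method"
# form. Nodes starting with "app." are the application's own code; the rest
# belong to open source dependencies.
CALL_GRAPH = {
    "app.Main.main": {"app.UploadController.handle", "app.ReportJob.run"},
    "app.UploadController.handle": {"com.example.zip.ZipReader.extract"},
    "app.ReportJob.run": {"com.example.json.Parser.parse"},
    "com.example.zip.ZipReader.extract": {"com.example.zip.Entry.writeTo"},
    "com.example.json.Parser.parse": {"com.example.json.Lexer.next"},
    # Shipped in the same dependency, but never called by the application:
    "com.example.json.Parser.parseWithRefs": {"com.example.json.RefResolver.resolve"},
}

# Constructed vulnerability table: vulnerable function -> hypothetical ID.
VULN_DB = {
    "com.example.zip.Entry.writeTo": "EXAMPLE-VULN-1",
    "com.example.json.RefResolver.resolve": "EXAMPLE-VULN-2",
}


def reachable_vulns(call_graph, vuln_db, entry_points):
    """Return {vuln_id: call path} for each vulnerable function reachable
    from any entry point. The path is the BFS route from the entry point
    to the vulnerable function, useful as evidence in a finding."""
    parent = {ep: None for ep in entry_points}   # node -> discovered-from
    queue = deque(entry_points)
    while queue:
        node = queue.popleft()
        for callee in call_graph.get(node, ()):
            if callee not in parent:              # first visit only
                parent[callee] = node
                queue.append(callee)

    found = {}
    for func, vuln_id in vuln_db.items():
        if func in parent:
            path, cur = [], func
            while cur is not None:                # walk back to the entry point
                path.append(cur)
                cur = parent[cur]
            found[vuln_id] = list(reversed(path))
    return found


def classify(call_graph, vuln_db, entry_points):
    """Label every vulnerability in the table as reachable or not reachable,
    which is the status a prioritization filter would sort on."""
    reachable = reachable_vulns(call_graph, vuln_db, entry_points)
    return {vid: ("reachable" if vid in reachable else "not reachable")
            for vid in vuln_db.values()}


if __name__ == "__main__":
    for vid, path in reachable_vulns(CALL_GRAPH, VULN_DB, ["app.Main.main"]).items():
        print(vid, " -> ".join(path))
    print(classify(CALL_GRAPH, VULN_DB, ["app.Main.main"]))
```

Run against the constructed graph, EXAMPLE-VULN-1 is reported as reachable with the path from `app.Main.main` through the upload handler into the archive entry writer, while EXAMPLE-VULN-2 is not reachable because the only caller of `RefResolver.resolve` is a library method the application never invokes. The caveat a practitioner should keep in mind is that a static call graph misses reflection, dependency injection and dynamic dispatch, so "not reachable" is evidence for deprioritizing, not proof the code cannot execute.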

Within the UI, the open vulnerabilities can be filtered and sorted by all of these statuses. The reports are also available via the Snyk API.

The priority score filter within the Snyk UI (source: Snyk)

Berman explains that the new priority score system looks to address common issues with CVSS, including how "the standard [can be] difficult to decipher and will sometimes result in misleading scores". CVSS, the Common Vulnerability Scoring System, is a standard approach for assigning severity scores to vulnerabilities. The base metrics capture only the intrinsic severity of a vulnerability; the optional temporal metrics factor in the maturity of exploit code, the availability of a fix and confidence in the report, and the environmental metrics adjust the score for the affected organization's own deployment and security requirements.

Misleading scores can result from relying only on the CVSS base metrics while ignoring the temporal and environmental analysis. As the NIST implementation guide states: "A reliance on only the CVSS base metrics without accounting for temporal aspects or environmental specific circumstances of a vulnerability may lead to organizations improperly measuring the severity of a vulnerability."
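To make the point above concrete, here is an added example (not Snyk's proprietary scoring algorithm, and not from the article) that applies the public CVSS v3.1 temporal formula: Temporal = Roundup(Base × ExploitCodeMaturity × RemediationLevel × ReportConfidence), with the metric weights and the Roundup function as defined in the CVSS v3.1 specification. The two findings being ranked are constructed; the only assumption beyond the specification is the sample data.

```python
"""CVSS v3.1 temporal scoring: how exploit maturity and fix availability
change the ranking of two findings with the same base score.

Added example. Metric weights and Roundup follow the CVSS v3.1 specification;
the findings below are constructed.
"""

# Temporal metric weights from the CVSS v3.1 specification.
EXPLOIT_CODE_MATURITY = {"X": 1.0, "U": 0.91, "P": 0.94, "F": 0.97, "H": 1.0}
REMEDIATION_LEVEL = {"X": 1.0, "O": 0.95, "T": 0.96, "W": 0.97, "U": 1.0}
REPORT_CONFIDENCE = {"X": 1.0, "U": 0.92, "R": 0.96, "C": 1.0}


def roundup(value):
    """CVSS v3.1 Roundup: smallest number, to one decimal place, that is
    >= value, using the integer arithmetic the spec prescribes to avoid
    floating-point surprises."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (int_input // 10000 + 1) / 10.0


def temporal_score(base, e="X", rl="X", rc="X"):
    """Temporal = Roundup(Base * E * RL * RC); a base of 0 stays 0."""
    if base == 0:
        return 0.0
    return roundup(base * EXPLOIT_CODE_MATURITY[e]
                        * REMEDIATION_LEVEL[rl]
                        * REPORT_CONFIDENCE[rc])


def rank(findings):
    """Order findings by temporal score, highest first (ties by id).
    Each finding is a dict with id, base, e, rl and rc."""
    scored = [(f["id"], temporal_score(f["base"], f["e"], f["rl"], f["rc"]))
              for f in findings]
    return sorted(scored, key=lambda s: (-s[1], s[0]))


# Constructed findings: identical base score, very different real-world urgency.
FINDINGS = [
    # A: exploit code is widely available ("mature"), no fix yet, confirmed.
    {"id": "finding-A", "base": 9.8, "e": "H", "rl": "U", "rc": "C"},
    # B: no known exploit, an official fix exists, confirmed.
    {"id": "finding-B", "base": 9.8, "e": "U", "rl": "O", "rc": "C"},
    # C: lower base, but only a proof of concept and a vendor fix available.
    {"id": "finding-C", "base": 7.5, "e": "P", "rl": "O", "rc": "R"},
]

if __name__ == "__main__":
    for fid, score in rank(FINDINGS):
        print(f"{fid}: temporal {score}")
```

Findings A and B share a 9.8 base score, so a base-only view treats them identically; the temporal metrics drop B to 8.5 because nothing is known to exploit it and a fix is already available, while A stays at 9.8. That gap is exactly what the "exploit maturity" and "fix availability" inputs to a priority score are meant to surface.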

This release also introduces a new Kubernetes analysis that can import and test running workloads and identify vulnerabilities within the images and configurations. Once imported, it will continue to monitor workloads to identify new vulnerabilities. This feature is available within all Snyk paid plans.

These new prioritization features are available now within all Snyk plans: Free, Standard, Pro, and Enterprise. However, reporting and API access for the priority score feature are only available in the Standard plan and above.
