Reducing Software Exploit Risk

Sixteen years ago, Cisco discovered a vulnerability. (Ok, not exactly news.) But this was an unusual problem, one that had something to do with Protocol 103. (I’ll save you the lookup: 103 is Protocol Independent Multicast or PIM – and no, I don’t know what the hell that is either.) OK, anyway, after they found the issue, Cisco must have decided to test that protocol on the Internet or tell some friends to do it. Or whatever. And now here’s the cool part:

Protocol 103 is usually quiet, so when the testing ensued – researchers, practitioners, and anyone else bored enough to be watching Internet protocols, noticed the thing wake up. It would be like finding a brand new broadcast channel on some high numbered UHF channel on your old television set. You just didn’t expect to find something there. So, in the case of Protocol 103, new traffic emerged. I doubt anyone knew what it was, but it was there.

So, when Cisco made their announcement several days later, researchers – including the great Brian Rexroad at AT&T, along with others – put two and two together, and realized what must be going on. It was a slick piece of investigation, but it also suggested that maybe it would have been possible to have anticipated this impending announcement and inevitable patch. It was the first time I’d personally wondered if you could patch in advance of a patch.

This idea of super-patching came up during a discussion this week with Jerusalem-based Vicarius. The company develops a security solution called Topia that uses static and dynamic means to identify and fix exploitable vulnerabilities in software. This includes software being purchased, as well as developed in-house, and in both cases, one of the benefits involves reducing the time window between exploit discovery and software patch.

“Our mission is to fix the endless loop of finding and fixing vulnerabilities,” explained Michael Assraf, Co-Founder and CEO. “We are focused on addressing the unfair advantage that exists for bad guys in software, and this includes dealing with both known and unknown problems. What we provide our customers is a layer of software protection before patches are made available from vendors or developers in response to some discovered problem.”

The Topia platform is described in the context of three important protection tasks: Map, Reduce, and Eliminate. The mapping task is supported by so-called capability-driven security, which involves automated analysis of binary code to detect evidence or patterns of potential vulnerabilities. This mapping task can be done with an on-premise Topia engine, or can be supported by a dedicated Vicarius software instance in the AWS cloud.

The reduction and eliminate tasks come next, and are supported by a prioritization engine and dynamic policy engine. These tasks offer contextual data about software exploits, and generate usage routes for software being analyzed. “We can find vulnerabilities in applications at scale with these engines,” explained Assraf. “And we coordinate the map, reduce, and eliminate functions with well-known frameworks such as MITRE ATT&CK.”

A big part of the Vicarius message and value proposition lies in the Topia platform’s ability to decrease an organization’s dependency on manual patching. This is a powerful case for both enterprise teams and MSSPs supporting customers. In this sense, Vicarius positions itself as competition for virtual software patching systems – with the big advantage, perhaps, of being more proactive and real-time than patching, virtual or otherwise.

But my observation is that if the Topia platform can accurately detect vulnerabilities in real-time, then the capability should be embedded into the DevSecOps lifecycle. The security goal for any modern, world class SDLC is to find and remove vulnerabilities quickly enough to not slow down the fast pace of your development, which implies the need for automation. The Vicarius solution seems like a good future option for this. We'll keep a watch.

Take some time this week and give Assraf and his team a call, and ask them for a demo of the Topia platform. I think that whether you are interested in identifying software vulnerabilities post-deployment onto your premise or cloud, or during your DevSecOps process, you’ll find their security solution to be useful. And as always, please share what you learn after speaking with the company.