The 2024 Open Source Security and Risk Analysis (OSSRA) report by Black Duck Software (ex Synopsys Software Integrity Group) found that 96% of applications contain open-source components, with an average of 526 components per application. Hence, it becomes critical to use a modern Software Composition Analysis (SCA) solution to manage large volumes of open-source components to not only generate a Software Bill of Materials (SBOM) but also reduce the “noise” often associated with application security tools. Snyk also made similar observations in their 2023 State of Open Source Security report, where over 60% of respondents indicated that automation security tools increased the number of false positives in vulnerability reports. Hence, even though Software Composition Analysis (SCA) solutions aim to simplify the lives of application security engineers, the hundreds of false positives overburden security teams, as they must now filter an overwhelming number of alerts to identify real risks.
The “Noise” Problem with Traditional SCA Tools
Most SCA tools scan codebases for known vulnerabilities in open-source components by identifying components present in the manifest file or dependency list without analysing how the vulnerable component is used in the application. As a result, every component declared in the manifest file is listed as a potentially vulnerable component, regardless of whether the vulnerable component is ever executed. Hence, security teams often encounter alert fatigue while reviewing the bill of materials for an application, as many components result in false positives that could be used more actively in the codebase.
Reachability analysis offers a more focused approach to vulnerability management. Instead of flagging every potential issue, reachability analysis determines whether the vulnerable code is actually reachable by the application’s execution paths. Function-level reachability effectively marries Static Application Security Testing (SAST) with software composition analysis (SCA), which identifies whether a vulnerable function within a library is used in an application.
Reachability analysis offers a solution by providing the necessary context to distinguish between exploitable vulnerabilities and those that are not. A common method of analysing reachability is by generating call graphs that map the flow of function calls within an application; reachability analysis identifies whether the application’s code interacts with the vulnerable parts of a third-party dependency. If a vulnerability exists in a library but the application never uses that part of the code, the vulnerability is considered low-risk or even irrelevant. This significantly reduces the noise of false positives, allowing security teams to focus on vulnerabilities that matter.
Further, consider a vulnerability in a component that your application imports but never actually uses the imported component actively in the codebase. Traditional SCA tools would flag this as a critical issue, creating unnecessary noise. Reachability analysis, however, would trace the application’s code paths and determine whether the vulnerable function is ever called. If it’s not, the vulnerability is deprioritised, saving time and effort.
Benefits of Reachability Analysis
Reachability analysis helps organisations focus on the vulnerabilities that are most likely to be exploited. By identifying which vulnerabilities are reachable, security teams can not only prioritise high-risk issues but also by filtering out vulnerabilities that aren’t reachable; reachability analysis significantly reduces the volume of false positives generated by automated tools. This streamlines the workflow for security teams, allowing them to spend more time on real threats. Hence, Reachability analysis allows security teams to focus on the vulnerabilities that actually matter, reducing the time and resources spent on triaging false positives. This can result in cost savings and more efficient security operations.
Conclusion
In summary, Reachability analysis provides a more precise approach by determining whether vulnerabilities are actually exploitable with an exploitable call path within the application. By reducing the number of false positives and focusing on real threats, reachability analysis helps security teams prioritize their efforts, streamline their workflows, and ultimately allocate resources more effectively.
