
Where do vulnerabilities come from?

The sources of vulnerabilities in any application that your security program should address

Ask a software engineer what comes to mind when they think about security, and chances are they will tell you about SQLIs and web shells.

Security is a circus, and we all want to see the attractions. — Stefano Zanero

While these topics are definitely exciting and fun to find and think about, the reality of building secure systems goes beyond the shiny realm of ; DROP TABLE users;. For systems to be secure, they need to be robust against attacks, at multiple levels.

Where do vulnerabilities come from?

To answer this simple question, we’ll go over the areas where vulnerabilities may arise in any given system. The addressed areas are mutually exclusive and collectively exhaustive: every vulnerability lands in exactly one of them.

The answer

As we see it, a socio-technical information processing system may be vulnerable at 5 different levels.


| Layer | Examples of vulnerabilities | Examples of possible mitigations |
|---|---|---|
| System feature | No fine-grained RBAC; password reset links that don’t expire | Threat modelling; design reviews; security by design & default |
| First party code | Any type of vulnerability | SAST; DAST |
| Third party code | Any type of vulnerability | SCA; container scanners; auto-updates |
| Platform | Misconfigured servers; secrets leaks | CSPM; secrets observability; patch management |
| Organisation | Insiders (members of the organisation responsible for the system) stealing data or sabotaging it | RBAC; security monitoring; background checks |

Of course, the above is merely a simplified view of the bigger picture. The efforts you’ll deploy and the tools you’ll choose to harden each layer will depend on your available resources and risk appetite. In any case, no solution will ever cover all threats, so a dash of common sense and actual industry experience are mandatory too.
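The first row of the table is the one that SAST and DAST tend to miss, because nothing in it is a coding bug: a password reset link that never expires is a feature working exactly as designed. The following Python is an added example, not code from the original post, that puts the flawed design next to a secure-by-default one. Everything in it is hypothetical: the in-memory dictionaries stand in for a database table, and the 15-minute validity window is an assumed policy, not a value from the article.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# --- Design flaw: a reset link that never expires and can be replayed ----------
# Hypothetical in-memory store standing in for a "reset_tokens" table.
_naive_tokens: Dict[str, str] = {}


def naive_issue(user_id: str) -> str:
    """Issue a reset token with no expiry and no single-use marker.

    The token itself is cryptographically random, so a scanner sees no bug here;
    the vulnerability lives in what the feature allows, not in how it is coded.
    """
    token = secrets.token_urlsafe(32)
    _naive_tokens[token] = user_id
    return token


def naive_redeem(token: str) -> Optional[str]:
    """A leaked or forwarded link stays valid forever and can be used repeatedly."""
    return _naive_tokens.get(token)


# --- Same feature, secure by design: expiring, single-use, hashed at rest ------
TOKEN_TTL_SECONDS = 15 * 60  # assumption: 15-minute validity window


@dataclass
class _ResetRecord:
    user_id: str
    expires_at: float


# Keyed by the SHA-256 of the token, never by the token itself.
_reset_records: Dict[str, _ResetRecord] = {}


def _fingerprint(token: str) -> str:
    # Store only a hash, so a database leak does not hand out live reset links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Issue a token that is only valid for TOKEN_TTL_SECONDS from `now`."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _reset_records[_fingerprint(token)] = _ResetRecord(user_id, now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is valid; invalidate it either way.

    pop() makes the token single-use: a second redemption, and any redemption
    of an expired token, returns None. The expired record is discarded too.
    """
    now = time.time() if now is None else now
    record = _reset_records.pop(_fingerprint(token), None)
    if record is None or now > record.expires_at:
        return None
    return record.user_id


if __name__ == "__main__":
    leaked = naive_issue("alice")
    print("naive, replayed twice:", naive_redeem(leaked), naive_redeem(leaked))
    t0 = 1_000.0
    good = issue_reset_token("bob", now=t0)
    print("hardened, first use:", redeem_reset_token(good, now=t0 + 60))
    print("hardened, second use:", redeem_reset_token(good, now=t0 + 61))
```

Note that the `now` parameter exists only so the expiry logic can be exercised deterministically; a production caller would leave it unset. The point the example makes is the one the table makes: the fix is a design review decision (expiry, single use, hashing at rest) taken before any code is written, which no code scanner would have demanded.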

Starting point

It’s crucial to keep in mind that attackers only need one attack path to compromise the systems we care about. So we, defenders, need to constantly patrol our entire estate. We can’t afford to erratically wander about the place, and in my opinion, knowing where our vulnerabilities come from sets us on the right path.