library. The Endor Labs report finds this to be true for fewer than 9.5% of all vulnerabilities in the seven languages explored: Java, Python, Rust, Go, C#/.NET, Kotlin and Scala.
Prioritizing on that single factor, function-level reachability, therefore removes more than 90.5% of remediation activities and the cost that goes with them. Because the gain comes from just one prioritization factor, the report identifies it as by far the most valuable single noise-reduction strategy available.
The research also turns a spotlight on the speed of response to emerging risks. Nearly 70% of vulnerability advisories are published after the corresponding security release, with a median delay of 25 days. During that gap a fix already exists, but downstream users have no advisory telling them to apply it, which widens the window of opportunity for attackers to exploit vulnerable systems.
The problems go even deeper: across the six ecosystems explored, 47% of advisories in public vulnerability databases contain no code-level vulnerability information at all; 51% contain one or more references to fix commits; and only 2% contain information about affected functions.
This is a serious drawback because program analysis techniques depend on code-level information about a vulnerability, such as the names of the affected functions or the fix commits that open source maintainers developed to close it. Without that information it is effectively impossible to establish whether a known-vulnerable function can actually be executed in the context of a downstream application.
In this challenging environment, several context-based strategies deserve attention, such as excluding vulnerabilities that are only relevant to non-production code. Even in combination, however, these approaches do not reduce noise as effectively as function-level reachability.
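The following is an added example of what function-level reachability triage looks like in practice; it is not code from the Endor Labs report or from the article. It parses a constructed toy application with Python's ast module, builds a static call graph from its entry point, and checks whether the functions named in a set of constructed advisories can be reached. The dependency names (yamlish, imgtool), the advisory identifiers and the affected_functions field are all assumptions made for illustration. Advisories that carry no function names (the 47% case above) cannot be pruned this way and are left in the queue as "unknown".

```python
"""Function-level reachability triage for dependency vulnerabilities.

Added example, not Endor Labs' or the article's code. Two inputs are needed:
  1. code-level vulnerability data per advisory (affected function names), and
  2. a call graph of the downstream application from its entry points.
A finding is urgent only if some entry point can reach an affected function.
"""
import ast
from collections import defaultdict, deque

# Constructed toy application. 'yamlish' and 'imgtool' are hypothetical packages.
APP_SOURCE = '''
import yamlish
import imgtool

def main():
    cfg = load_config("app.yaml")
    serve(cfg)

def load_config(path):
    with open(path) as fh:
        return yamlish.safe_load(fh.read())

def serve(cfg):
    return cfg["port"]

def debug_render(data):
    # only invoked from a developer script, never from main()
    return imgtool.render(data)
'''

# Constructed advisories; only the fields used here are modelled. Not real IDs.
ADVISORIES = [
    {"id": "ADV-0001", "package": "yamlish", "affected_functions": ["yamlish.safe_load"]},
    {"id": "ADV-0002", "package": "yamlish", "affected_functions": ["yamlish.dump"]},
    {"id": "ADV-0003", "package": "imgtool", "affected_functions": ["imgtool.render"]},
    {"id": "ADV-0004", "package": "imgtool", "affected_functions": []},  # no code-level info
]


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _dotted_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def build_call_graph(source):
    """Map each top-level function to the set of callee names it invokes.

    Callees matching another top-level function become intra-app edges; dotted
    names such as 'yamlish.safe_load' are treated as dependency symbols.
    """
    tree = ast.parse(source)
    graph = defaultdict(set)
    for fn in tree.body:
        if not isinstance(fn, ast.FunctionDef):
            continue
        for node in ast.walk(fn):
            if isinstance(node, ast.Call):
                callee = _dotted_name(node.func)
                if callee:
                    graph[fn.name].add(callee)
    return graph


def reachable_from(graph, entry_points):
    """Breadth-first closure of everything callable from the entry points."""
    seen = set()
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        if fn in seen:
            continue
        seen.add(fn)
        queue.extend(graph.get(fn, ()))
    return seen


def triage(advisories, graph, entry_points):
    """Classify each advisory as reachable, unreachable, or unknown."""
    reach = reachable_from(graph, entry_points)
    verdicts = {}
    for adv in advisories:
        funcs = adv.get("affected_functions") or []
        if not funcs:
            verdicts[adv["id"]] = "unknown"      # no function names: cannot be pruned
        elif any(f in reach for f in funcs):
            verdicts[adv["id"]] = "reachable"
        else:
            verdicts[adv["id"]] = "unreachable"
    return verdicts


def noise_reduction(verdicts):
    """Fraction of findings that reachability lets you drop from the urgent queue."""
    dropped = sum(1 for v in verdicts.values() if v == "unreachable")
    return dropped / len(verdicts) if verdicts else 0.0


if __name__ == "__main__":
    g = build_call_graph(APP_SOURCE)
    v = triage(ADVISORIES, g, ["main"])
    for adv_id, verdict in v.items():
        print(adv_id, verdict)
    print(f"pruned from urgent queue: {noise_reduction(v):.0%}")
```

Two caveats a practitioner should keep in mind. The call graph is a static over-approximation built from direct calls only: dynamic dispatch, getattr, callbacks registered by name and code executed through eval are invisible to it, so a production tool needs a much richer analysis before "unreachable" can be trusted. And the "unknown" verdict is the real-world cost of the 47% statistic: without affected-function or fix-commit data in the advisory, reachability cannot be computed at all and the finding stays in the queue.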
The Endor Labs report offers deep insights on a range of issues vital for supply chain security .
These include :
• Pinpointing the Worst Offenders:
Effective prioritization enables organizations to focus on less than 5% of their total vulnerabilities. Within the Python ecosystem, for example, updating the top 20 components to non-vulnerable versions would remove more than 75% of all vulnerability findings. Results for the other languages are almost as good: Java 60%, and
24 INTELLIGENTCIO NORTH AMERICA www.intelligentcio.com