I had the pleasure of hosting a dynamic webinar with James Berthoty, founder of Latio Tech and one of the rising stars in ASPM and application security. We discussed the need to prioritize vulnerabilities and how reachability analysis helps tackle that problem. Combining threat intelligence such as EPSS, reachability analysis, exploitation evidence, and network exposure is a key strategy for Application Security Posture Management (ASPM), Cloud-Native Application Protection Platforms (CNAPP), and vulnerability management.
For more research and details on the subject:
- How EPSS and Reachability Analysis Work Together in ASPM for Optimized Vulnerability Management
- The Ultimate Guide to Reachability Analysis: Which Reachability Is Good for You? Enhancing Code, Library, and Container Security with ASPM
In this blog, we’ll discuss the types of reachability analysis, how Phoenix Security applies these methods, and how tools like network maps and threat intelligence contribute to a robust strategy.
Salient Moments in the Webinar
- [00:01:10] Francesco and James open by discussing why reachability analysis is vital to reducing the overwhelming number of vulnerabilities.
- [00:03:30] Discussion of the two main types of reachability analysis: static and runtime.
- [00:08:30] James explains how runtime reachability analysis uses real-world data to confirm vulnerabilities.
- [00:15:31] Francesco dives into how Phoenix Security combines reachability with threat intelligence and network maps to give organizations a clear risk picture.
- [00:37:30] Final thoughts on prioritization strategies and reachability analysis in the modern enterprise environment.
- [00:41:41] The various types of reachability analysis, summarized.
What is reachability analysis, and how does ASPM benefit from it?
Reachability analysis helps organizations sift through endless vulnerability lists by analyzing the paths a potential exploit could take. Rather than overwhelming security teams with every theoretical risk, reachability analysis identifies vulnerabilities attackers can exploit in the production environment.
Reachability analysis comes in two main forms: code reachability and network reachability. Code reachability is assessed in two ways:
- Static Reachability Analysis: evaluates the codebase and its libraries to detect vulnerable functions or processes that the application's own code could call.
- Runtime Reachability Analysis: looks at what is actually executed or loaded in the application environment, providing a more accurate picture of exploitable vulnerabilities.
Other elements that influence reachability analysis are cyber threat intelligence (CTI) and the exploitability of the vulnerability.
How Libraries Go to Production: the different reachability hints available to Phoenix Security ASPM
Each library and package undergoes checks as applications move from code to production. Here’s how Phoenix Security applies different reachability methods:
1. Static Reachability in Development: This stage identifies vulnerabilities within libraries and functions before they ever run. For instance, if a vulnerable library is imported but not used, static reach may flag it for removal, reducing potential attack paths.
2. Runtime Reachability in Production: Once the code is live, runtime reach analysis helps identify the exploitable vulnerabilities in the active environment. If a library is only running in non-production environments, it’s deprioritized. This dynamic approach reduces false positives and focuses remediation efforts where needed.
3. Combining Threat Intelligence and Network Maps with Reachability Analysis: Phoenix Security takes reachability analysis further by integrating it with threat intelligence (data on known exploits) and network maps. For instance, if a vulnerability in a library is flagged, Phoenix uses network reach analysis to check if the affected area can be accessed from an external network. If combined with threat intelligence showing active exploitation, this vulnerability would be prioritized above others.
The Power of Combining Reachability and Prioritization with ASPM
Reachability analysis isn’t just about detection; it’s about setting remediation priorities. Phoenix Security applies reachability to drive actionable insights through three main prioritization methods:
1. Network reach: This determines whether an internal or external network could access a vulnerable component. Network reachability helps security teams prioritize external-facing risks over internal ones by focusing on vulnerabilities exposed to the outside world.
2. Environmental Context for Dynamic Prioritization: Environmental factors like cloud versus on-premises or containerized setups influence reachability. For example, a vulnerability in a container running an ephemeral service could be deprioritized compared to a long-lived production container.
3. Threat Intelligence Layering: Combining reachability with threat intelligence provides context, allowing teams to understand if a particular vulnerability has known exploits in the wild. Vulnerabilities that are reachable and actively exploited receive higher priority than lower-risk issues.
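The prioritization logic described in the two lists above (static and runtime code reachability, network reach, environmental context, and a threat-intelligence layer) can be expressed as a scoring function. The block below is an added example written for this post; it is not Phoenix Security's 4D risk formula, and the weights, field names, and sample findings are constructed assumptions chosen to show how each signal moves a finding up or down the queue.

```python
"""Reachability-driven vulnerability prioritization (added example).

Assumptions: the multipliers below are illustrative, not a vendor formula;
the CVE ids and findings are constructed sample data.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str
    component: str
    cvss: float                 # base severity, 0-10
    epss: float                 # EPSS probability of exploitation, 0-1
    exploited_in_wild: bool     # threat intel: active exploitation observed
    static_reachable: bool      # vulnerable function is called from our code
    runtime_loaded: bool        # library is loaded/executed in the running app
    network_exposure: str       # "external", "internal" or "none"
    environment: str            # "production" or "non-production"
    lifetime: str               # "long-lived" or "ephemeral"


def priority_score(f: Finding) -> float:
    """Combine base severity with reachability, exposure and threat-intel context.

    Multipliers above 1 raise priority, below 1 lower it. Findings that are
    unreachable, unexposed or outside production sink in the queue rather
    than being dropped, so nothing is silently hidden.
    """
    score = f.cvss
    # Code reachability: runtime evidence confirms static evidence.
    if f.runtime_loaded and f.static_reachable:
        score *= 1.5
    elif f.runtime_loaded or f.static_reachable:
        score *= 1.2
    else:
        score *= 0.3            # imported but never called or loaded
    # Network reachability: external-facing beats internal-only.
    score *= {"external": 1.5, "internal": 1.0, "none": 0.4}[f.network_exposure]
    # Environmental context: non-production and ephemeral workloads matter less.
    if f.environment != "production":
        score *= 0.5
    if f.lifetime == "ephemeral":
        score *= 0.8
    # Threat intelligence layer: EPSS plus exploitation evidence.
    score *= 1.0 + f.epss       # EPSS 0.95 adds 95%
    if f.exploited_in_wild:
        score *= 1.5
    return round(score, 2)


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Highest-priority findings first."""
    return sorted(findings, key=priority_score, reverse=True)


# Constructed sample findings (placeholder CVE ids).
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "http-parser", 9.8, 0.95, True, True, True,
            "external", "production", "long-lived"),
    Finding("CVE-0000-0002", "xml-lib", 9.8, 0.02, False, False, False,
            "none", "production", "long-lived"),
    Finding("CVE-0000-0003", "queue-client", 7.5, 0.40, False, True, False,
            "internal", "non-production", "ephemeral"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{priority_score(f):6.2f}  {f.cve}  {f.component}")
```

Note how the second finding, despite a CVSS of 9.8, ends up far below the 7.5 one: it is neither called, loaded, nor network-exposed, which is exactly the kind of noise reachability analysis is meant to push out of the way.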
Container versioning: focusing on the images that get deployed, not all images
Container Image Throttling: Focusing on Deployed Images
Container image throttling is essential for streamlining security in environments where container proliferation is high, and scanning everything would be inefficient. The key to effective image throttling is to prioritize scans for container images that are actively deployed and powering running instances, rather than scanning every image stored in a registry. This targeted approach aligns with modern security practices, where efficiency and noise reduction are paramount.
Linking Active Containers to Deployed Images
The main idea behind container image throttling is to link active containers directly to their deployed images. By monitoring the images that are actually running in the production environment, security teams can focus on vulnerabilities with potential real-world impact. This tactic reduces false positives and deprioritizes vulnerabilities that would only impact non-running or archived images, giving teams a more accurate security assessment of the live production environment.
Limiting Noise in Container Scanning
Scanning all container images—whether or not they’re deployed—can lead to overwhelming results, most of which may not be immediately relevant to the production environment. Throttling scans to include only images linked to active containers cuts down on this noise, allowing security teams to focus remediation efforts on vulnerabilities affecting actively running services.
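The throttling idea from the three paragraphs above, as an added example that is not Phoenix Security's code: link running containers to their image digests, scan only the registry entries behind those digests, and tag surviving findings with the environments they run in. The registry, cluster inventory and findings are constructed sample data, and the short digests are placeholders. Matching is done on digest rather than tag, because a mutable tag such as `api:latest` can point at different images in the registry and in the cluster.

```python
"""Container image throttling: scan only images that back running containers.

Added example with constructed data; digests are shortened placeholders.
"""
from collections import defaultdict

# Constructed registry inventory: (repository, tag, digest)
REGISTRY_IMAGES = [
    ("api", "v1.4", "sha256:aaa1"),
    ("api", "v1.5", "sha256:aaa2"),
    ("api", "latest", "sha256:aaa2"),      # same image as v1.5
    ("worker", "v0.9", "sha256:bbb1"),
    ("worker", "v1.0", "sha256:bbb2"),
    ("legacy-cron", "v3", "sha256:ccc1"),  # stored, never deployed
]

# Constructed cluster inventory: (container id, environment, image digest)
RUNNING_CONTAINERS = [
    ("api-7d9f", "production", "sha256:aaa2"),
    ("api-2c4e", "production", "sha256:aaa2"),
    ("worker-91ab", "production", "sha256:bbb2"),
    ("worker-00ff", "staging", "sha256:bbb1"),
]

# Constructed scanner output keyed by digest (placeholder CVE ids)
FINDINGS = {
    "sha256:aaa1": ["CVE-0000-0101"],
    "sha256:aaa2": ["CVE-0000-0102", "CVE-0000-0103"],
    "sha256:bbb1": ["CVE-0000-0104"],
    "sha256:bbb2": [],
    "sha256:ccc1": ["CVE-0000-0105", "CVE-0000-0106"],
}


def environments_by_digest(running):
    """Map each deployed digest to the set of environments it runs in."""
    envs = defaultdict(set)
    for _, env, digest in running:
        envs[digest].add(env)
    return dict(envs)


def images_to_scan(registry, running):
    """Registry entries whose digest is deployed, grouped by digest.

    Tags collapse onto their digest so one image is scanned once, however
    many tags point at it.
    """
    deployed = environments_by_digest(running)
    by_digest = defaultdict(set)
    for repo, tag, digest in registry:
        if digest in deployed:
            by_digest[digest].add(f"{repo}:{tag}")
    return dict(by_digest)


def throttled_findings(findings, running):
    """Keep findings only for deployed digests and record where each image runs.

    The 'production' flag lets a later prioritization step deprioritize
    images that only run in non-production environments.
    """
    envs = environments_by_digest(running)
    kept = {}
    for digest, cves in findings.items():
        if digest in envs:
            kept[digest] = {
                "cves": list(cves),
                "environments": sorted(envs[digest]),
                "production": "production" in envs[digest],
            }
    return kept


if __name__ == "__main__":
    for digest, tags in images_to_scan(REGISTRY_IMAGES, RUNNING_CONTAINERS).items():
        print(digest, sorted(tags))
    for digest, info in throttled_findings(FINDINGS, RUNNING_CONTAINERS).items():
        print(digest, info)
```

With this sample data, six registry entries reduce to three distinct deployed digests, the never-deployed `legacy-cron` image and the superseded `api:v1.4` drop out of the scan queue entirely, and the one finding left on `worker:v0.9` is marked as staging-only.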
Key Takeaways: Why all this matters in vulnerability prioritization
Reachability analysis enables security teams to streamline their focus by narrowing down on vulnerabilities that truly matter. The approach goes beyond simple vulnerability scanning by combining real-world usage data, network accessibility, and threat intelligence, turning a reactive approach into a proactive defense mechanism.
Wrapping Up
Reachability analysis, particularly when combined with threat intelligence and network insights, allows security teams to be super-efficient in vulnerability management and zero in on high-risk vulnerabilities without drowning in false positives. Phoenix Security’s code-to-cloud visibility is a prime example of how ASPM and CNAPP solutions are revolutionizing vulnerability management. For organizations looking to build a robust security posture, incorporating these advanced forms of reachability analysis is no longer a luxury but a necessity.
Minimize vulnerability risk and act on the vulnerabilities that matter most by combining ASPM, EPSS, and reachability analysis.
Organizations often face an overwhelming volume of security alerts, including false positives and duplicate vulnerabilities, which can distract from real threats. Traditional tools may overwhelm engineers with lengthy, misaligned lists that fail to reflect business objectives or the risk tolerance of product owners.
Phoenix Security offers a transformative solution through its Actionable Application Security Posture Management (ASPM), powered by AI-based Contextual Quantitative analysis. This innovative approach correlates runtime data, combines it with EPSS and other threat intelligence, and applies the right risk to code and cloud, delivering a prioritized list of vulnerabilities.
Why do people talk about Phoenix Security ASPM?
• Automated Triage: Phoenix streamlines the triage process using a customizable 4D risk formula, ensuring critical vulnerabilities are addressed promptly by the right teams.
• Actionable Threat Intelligence: Phoenix provides real-time insights into vulnerabilities' exploitability, leveraging EPSS and combining runtime threat intelligence with application security data for precise risk mitigation.
• Contextual Deduplication with reachability analysis: Utilizing canary token-based traceability for network reachability and static and dynamic runtime reachability, Phoenix accurately deduplicates and tracks vulnerabilities within application code and deployment environments, allowing teams to concentrate on genuine threats.
By leveraging Phoenix Security, you not only uncover potential threats but also take a significant stride in vulnerability management, ensuring your application security stays current and focused on the vulnerabilities that matter.