Learn more about how Legit is helping enterprises prevent vulnerabilities in their SDLCs.
Most security teams today are struggling with an influx of vulnerabilities into their software repositories. The teams we talk to are buried in lists of vulnerabilities they will never have time or resources to address, and the stream of incoming vulnerabilities is not letting up. Prevention is key to addressing this problem, and is an area of focus for us at Legit. We recently announced new prevention capabilities in our ASPM platform, some of which developed out of our research into what we call CVRs, or continuously vulnerable repositories.
Different organizations own different numbers of repositories with a variety of vulnerabilities, and new vulnerabilities are introduced into repositories over time. But some repositories continuously introduce new vulnerabilities – these are the CVRs.
We at Legit recently analyzed CVRs to understand how they develop, factors influencing them, and how to help our customers identify and prevent them from growing.
CVR Characteristics
To understand CVRs, we first need to define vulnerability streams. A stream is characterized by two main parameters: the frequency of new issues and their volume. The values of these two parameters can be determined dynamically for each organization.
CVRs are defined as repositories with a high-frequency stream; they are usually a very small fraction of an organization's vulnerable repositories. However, these repositories account for a high number of new vulnerabilities and are often the primary source of new application risk.
Usually, the relationship between stream frequency and the number of issues in an organization follows a power law – a relative change in one quantity produces a proportional relative change in the other.
In the graph below, the left side of the power law represents the vulnerabilities of repositories with a low stream frequency: they make up the majority of new vulnerabilities, but they are spread across a very large number of repositories. The right side represents the vulnerabilities that belong to the CVRs, which are a very small fraction of the repositories but hold a relatively high number of new vulnerabilities. Bottom line: the CVRs, although few in number, introduce a disproportionately large number of new vulnerabilities. Identifying these repositories is the first step in a prevention process that can make an impactful change to the organization’s “vulnerabilities tap.”
[Figure: Simulated Stream/Vulnerabilities Ratio Power Law]
CVR vulnerabilities can vary in type, source, committer, and so on. Identifying the characteristics of these vulnerabilities is an important step in preventing software vulnerabilities across an organization.
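To make the definitions above concrete, here is an added example (not Legit's own code or research) that scores constructed per-repository finding dates by stream frequency and volume, sets the CVR cut-off dynamically as a quantile of frequency, and measures how much of the new-finding volume the few flagged repositories hold. The ISO-week window, the 90th-percentile cut-off, and the repository names are assumptions for illustration.

```python
# Added example (not Legit's code): score repositories by vulnerability-stream
# frequency and volume, flag CVRs with a dynamic cut-off, and measure how much
# of the new-finding volume the flagged repositories hold.
import math
from collections import defaultdict
from datetime import date

# Constructed sample: (repository, date a new finding was first introduced),
# spanning ISO weeks 1-8 of 2024. Two repositories produce findings almost
# every week; eight others produce one finding each in the whole period.
EVENTS = (
    [("payments-api", d) for d in ("2024-01-02", "2024-01-09", "2024-01-16",
                                   "2024-01-17", "2024-01-23", "2024-01-30",
                                   "2024-02-06", "2024-02-13", "2024-02-20")]
    + [("web-frontend", d) for d in ("2024-01-03", "2024-01-10", "2024-01-24",
                                     "2024-02-07", "2024-02-14", "2024-02-21")]
    + [(f"service-{i}", d) for i, d in enumerate(
        ("2024-01-04", "2024-01-18", "2024-02-01", "2024-02-15",
         "2024-01-11", "2024-01-25", "2024-02-08", "2024-02-22"))]
)

def stream_stats(events):
    """Per repository -> (frequency, volume): frequency is the share of observed
    ISO weeks with at least one new finding, volume the total new findings."""
    weeks_by_repo, all_weeks, volume = defaultdict(set), set(), defaultdict(int)
    for repo, day in events:
        week = tuple(date.fromisoformat(day).isocalendar()[:2])  # (ISO year, week)
        weeks_by_repo[repo].add(week)
        all_weeks.add(week)
        volume[repo] += 1
    return {r: (len(weeks_by_repo[r]) / len(all_weeks), volume[r]) for r in volume}

def cvr_threshold(stats, quantile=0.9):
    """Dynamic cut-off (assumed here): nearest-rank quantile of stream frequency
    across the organization's repositories, rather than a fixed number."""
    freqs = sorted(f for f, _ in stats.values())
    return freqs[max(1, math.ceil(quantile * len(freqs))) - 1]

def find_cvrs(stats, quantile=0.9):
    """Repositories whose stream frequency reaches the dynamic cut-off."""
    cut = cvr_threshold(stats, quantile)
    return sorted(r for r, (f, _) in stats.items() if f >= cut)

def concentration(stats, cvrs):
    """(share of repositories that are CVRs, share of new findings they hold)."""
    total = sum(v for _, v in stats.values())
    return len(cvrs) / len(stats), sum(stats[r][1] for r in cvrs) / total
```

On the constructed data, 2 of the 10 repositories are flagged and they hold 15 of the 23 new findings, which is the power-law tail the graph above describes.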
Prevention Insights Using CVRs
Identifying CVRs sheds light on what an organization’s “vulnerabilities tap” looks like, and can help stop the flow.
For instance, a CVR could belong to a specific team that introduces new vulnerabilities every month, or it could be a repository that generates the same SAST findings over time because of a lack of secure coding practices. A CVR could even stem from faulty configurations rather than coding practices; in that case, adding PR checks could stop the flow of vulnerabilities. Insights of this kind can significantly reduce the introduction of vulnerabilities and dramatically affect an organization’s risk level.
Stay One Step Ahead With Legit
This research into CVRs is a part of our continual effort to improve the Legit ASPM platform, particularly its prevention capabilities.
Fixing AppSec issues post-deployment is expensive and time-consuming, and it pulls development resources away from new capabilities to focus on rework.
The Legit Security ASPM platform is the only solution to address this significant and costly problem holistically, by helping teams find, fix, and prevent software vulnerabilities.
Learn more about our prevention capabilities.