Industrial control systems and the Internet-of-Things are the industries most likely to have unknown vulnerabilities in their products, because their development processes are the least mature, according to data from more than 4.8 billion automated tests conducted by clients of security-services firm Synopsys.
The data comes from fuzz testing, or fuzzing, an automated process that systematically sends data to devices and systems with the goal of causing errors in a targeted network protocol. Overall, the testing of more than 250 protocols saw the first failure within 1.4 hours on average.
Yet, the time to first failure (TTFF) was highly protocol dependent. One niche technology used by Internet of Things (IoT) and industrial control system (ICS) manufacturers failed within 6.6 seconds.
Because the software defects were found during testing, companies were able to fix the issues. Yet, the data shows that IoT and ICS developers are more likely to have errors in their protocols and code, an indication that their processes are less technically mature. The trend presumably extends to companies that are not regularly using fuzz testing to find issues and will therefore likely have vulnerabilities in their code, Jonathan Knudsen, security strategist with Synopsys, told eWEEK.
“If you think about ICS, IoT and even healthcare systems, they are used to running on some factory floor or closed environment, so everyone is focused on functionality,” he said. “And then the internet happened and we started putting everything on the global network—exposing these things to the internet means we see a lot of flaws and a lot more threats.” The data suggests that certain industries are less mature and adopt less vetted—likely, newer—protocols.
For example, the Session Initiation Protocol (SIP) for internet messaging, telephony and video conferencing, however, is less mature. The SIP User Agent Server (UAS) protocol had a 0.3 percent failure rate among more than 100 million tests.
While that rate seems low, it means that the tested software failed more 320,000 test cases. By comparison, the address resolution protocol (ARP) is a mature standard and no flaws were found in more than 340,000 tests.
Fuzz testing only identified likely software issues and typically is unable to determine whether the issues are exploitable. In many cases, the software defects may not truly be a vulnerability. Companies, however, should fix them anyway, Knudsen said.
“The first question is what are the dangerous ones?” he said. “And what we found over the years is just fix everything. Determining exploitability is hard, and it is time consuming. Even if you don’t think a bug is exploitable, some teenager might find, down the road, a way to exploit it.”
Overall, as companies mature, they will broaden the focus of their development efforts from creating purely functional code to creating software that has no known defects, Knudsen said.
“The short game is all about functionality, but the long game is about worrying about whether your product has a security flaw and that could cause reputation damage,” he said. “As with all industries, as they mature, they are becoming more concerned about how they write their software, and that reduces their overall cost and greatly reduces their risk. “