The disaster: your own website is hacked and customer data leaks, even though your own code has no security gaps. Unfortunately, what sounds like a far-fetched scenario is not that unlikely at all. In many cases the cause is a known vulnerability that has even already been assigned a CVE ID (Common Vulnerabilities and Exposures). CVE is a standardized format for identifying and describing vulnerabilities in software and hardware; it helps security researchers, IT professionals and software manufacturers share information about security vulnerabilities clearly and consistently.
This information is published. At first glance that appears very dangerous, but in reality it makes a significant contribution to ensuring that all affected parties — including software manufacturers, system administrators and end users — learn of the vulnerabilities and can react as quickly as possible.
However, these announcements can of course also be read by malicious actors. Known vulnerabilities are among the biggest threats to web applications and have long been a fixture of the OWASP Top 10, a regularly updated ranking of the most common vulnerabilities and risks for web applications.
Information about how to exploit a vulnerability is often available shortly after the CVE and the corresponding update have been published, partly because manufacturers themselves reveal the nature of the fix. The more severe the vulnerability and the more widespread the software, the more likely it is that malicious actors will analyze the update, work out the underlying flaw and exploit it.
The publication of so-called “exploits” (code that exploits a vulnerability) enables even actors with little technical experience to carry out attacks and cause damage. Exploits can be found with simple Google queries; the first search results already include simple scripts that exploit the vulnerability without requiring any deeper understanding.
Note: Exploiting security gaps in third-party systems is prohibited and punishable under Section 202a of the German Criminal Code (StGB)!
As of early December 2023, a total of 232,466 CVE IDs had been assigned to known vulnerabilities. Of these, over 130,000 were rated HIGH or CRITICAL (counting both the older CVSS v2 and the newer CVSS v3 metrics). They therefore have potentially serious effects on the confidentiality, integrity and availability of the data processed by the affected applications.
In 2023 alone, 30,000 previously unknown vulnerabilities were publicly disclosed through CVEs. Naturally, this also affects software components that we use ourselves: for example TYPO3 (14 CVEs), Laravel (11 CVEs) and Keycloak (10 CVEs).
Even though the gain in security is not visible at first glance, its effect is anything but negligible. Publicly known and documented vulnerabilities can often be exploited trivially, even by attackers without technical expertise. The leakage of customer data and sensitive information can result in significant reputational damage or possibly even severe penalties imposed by regulatory authorities.
For example, if a company is certified under PCI DSS, known critical vulnerabilities must be remedied within a month. This may involve installing updates as well as applying mitigating measures. The BSI IT-Grundschutz also states that vulnerabilities should be addressed promptly: the more critical the vulnerability, the sooner the corresponding patch should be installed.
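The two points above, severity rated across both CVSS versions and a one-month remediation window for critical findings, are easy to turn into a small triage routine. The following is an added example, not code from the original article: it maps CVSS v2 and v3 base scores to their official qualitative bands, keeps only HIGH/CRITICAL records, and reports how many days remain before each one breaches a 30-day deadline. The 30-day figure, the placeholder CVE IDs, the component names and the reference date are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Qualitative bands as (inclusive upper bound, label). v3 added CRITICAL; v2 tops out at HIGH.
BANDS = {
    "v3": [(0.0, "NONE"), (3.9, "LOW"), (6.9, "MEDIUM"), (8.9, "HIGH"), (10.0, "CRITICAL")],
    "v2": [(3.9, "LOW"), (6.9, "MEDIUM"), (10.0, "HIGH")],
}

def cvss_severity(score: float, version: str) -> str:
    """Map a one-decimal CVSS base score to its qualitative band."""
    for upper, label in BANDS[version]:
        if score <= upper:
            return label
    raise ValueError(f"score {score} out of range for CVSS {version}")

@dataclass
class Cve:
    cve_id: str
    component: str
    published: date
    v3_score: Optional[float] = None
    v2_score: Optional[float] = None  # older records may carry only a v2 score

def severity(cve: Cve) -> str:
    """Prefer v3; fall back to v2 so v2-only records are not silently dropped."""
    if cve.v3_score is not None:
        return cvss_severity(cve.v3_score, "v3")
    if cve.v2_score is not None:
        return cvss_severity(cve.v2_score, "v2")
    return "UNKNOWN"

SLA_DAYS = 30  # assumption: "within a month" modelled as 30 days after publication
def triage(cves: List[Cve], today: str, sla_days: int = SLA_DAYS) -> List[Tuple[str, str, int]]:
    """HIGH/CRITICAL items as (cve_id, severity, days_left), most overdue first."""
    now, rows = date.fromisoformat(today), []
    for c in cves:
        sev = severity(c)
        if sev in ("HIGH", "CRITICAL"):  # negative days_left means the deadline is already missed
            rows.append((c.cve_id, sev, (c.published + timedelta(days=sla_days) - now).days))
    return sorted(rows, key=lambda r: r[2])

SAMPLE = [  # constructed records with placeholder IDs (not real CVEs)
    Cve("CVE-0000-0001", "laravel", date(2023, 11, 1), v3_score=9.8),
    Cve("CVE-0000-0002", "typo3", date(2023, 11, 20), v3_score=7.5),
    Cve("CVE-0000-0003", "keycloak", date(2023, 11, 25), v2_score=7.2),
    Cve("CVE-0000-0004", "laravel", date(2023, 11, 28), v3_score=5.3),
]
```

With 2023-12-05 as the reference date, the CRITICAL record is already four days past its deadline and lands first, the v2-only Keycloak record is still picked up as HIGH, and the MEDIUM record is filtered out.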
For design and implementation, we rely on industry standards and modern frameworks such as Laravel, TYPO3 and Keycloak. The Laravel framework, for example, lets us use built-in security functions and thus build more secure software almost automatically. However, Laravel itself is of course not completely free of bugs and security gaps. Because it is open source, these are continuously discovered and successively closed by people from all over the world; for us, this means we need to regularly install updates and patches.