AppSec Game-Changer #1: Triggerability™

Amit Bismut

January 29, 2025

What Are Triggerable Vulnerabilities?

Backslash Security uses Triggerability as a pivotal factor in determining the actual risk a vulnerability poses. A vulnerability is triggerable when an external actor can reach the vulnerable code with input they control, whether over the network or through local interaction. The key distinction is that a vulnerability counts as "triggerable" when it can be exploited in the real-world context of the application, not merely because the vulnerable code is present somewhere in the codebase.

Assessing Triggerability means understanding how the vulnerable code interacts with the application and its dependencies. It involves analyzing both the application's own code and the code of the packages it relies on, and identifying the entry points, data flows and call paths through which a malicious actor could activate the vulnerability. This moves beyond simply listing vulnerabilities to assessing their real-world exploitability.

Real-World Examples of Triggerable Vulnerabilities

Let’s explore some well-known vulnerabilities that highlight the importance of Triggerability:

CVE-2024-4879 (ServiceNow Input Validation Vulnerability)

CVE-2024-4879, disclosed in 2024, is a code-level example. This input validation vulnerability in ServiceNow's Now Platform only matters where an external actor can supply crafted input to the affected functions. Without such a trigger, the vulnerable code poses no real threat.

CVE-2022-22965 (Spring4Shell)

CVE-2022-22965 (Spring4Shell), a critical vulnerability in the Spring Framework, demonstrates the concept well. The flaw lives in the framework, but it is only exploitable when the consuming application binds dynamic values originating from external actors (for example, HTTP request parameters) to a Java object through Spring's data binding; the publicly known exploit additionally required JDK 9 or later and a WAR deployment on Apache Tomcat. Without that interaction, the vulnerability remains dormant.

CVE-2021-44228 (Log4Shell)

Another infamous example is CVE-2021-44228, commonly known as Log4Shell, in the Log4j 2 library. It is exploitable only when the application using the library logs strings that an external actor controls (a request header, a username, a form field) and Log4j's message lookup substitution resolves the attacker's ${jndi:...} pattern. An application that only logs constants and internally generated values never triggers it. Triggerability is what transforms this theoretical risk into a real-world exploit.

The Universal Importance of Triggerability

Triggerability applies to every type of application vulnerability, whether in first-party code or third-party code (OSS packages), and regardless of its impact on confidentiality, integrity or availability. A vulnerability that cannot be triggered by external inputs can be deprioritized, allowing security teams to focus their efforts where they matter most. One caveat: triggerability is a property of the code as it stands today. A dormant finding becomes triggerable the moment a later change routes user input to it, and static reachability analysis can miss paths built through reflection, dynamic dispatch or runtime configuration, so dormant findings should be tracked and re-evaluated as the code changes rather than closed for good.

Backslash to the Rescue

This is where Backslash’s App Graph comes into play. Backslash takes vulnerability detection to the next level by analyzing both first-party and third-party code in depth. Leveraging its advanced App Graph technology, Backslash identifies triggerable vulnerabilities by:

  • Mapping the application’s data flow to uncover interaction points.
  • Examining external inputs that could activate dormant vulnerabilities.
  • Applying its analysis across first-party code and third-party dependencies.
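To make the idea concrete, both for the analysis described in the opening section (application code plus dependency code, looking for the points where an attacker can activate a vulnerability) and for the three mapping steps just listed, here is a toy version added for this post. It is not Backslash's App Graph and not code from Backslash: a small taint analysis over Python's ast module that reports a call to a vulnerable dependency function as triggerable only when attacker-controlled input reaches it from an entry point, directly or through an application helper. The sample application, the dependency function thirdparty.render_template (standing in for a function with a published CVE), the request.args / request.headers sources and the *_handler entry-point naming are all constructed assumptions.

```python
# Toy triggerability check with Python's ast module: does external input reach a known-vulnerable
# call?  Added illustration for this post, not Backslash's App Graph or any code of theirs.
import ast

# Constructed sample application (assumptions: thirdparty.render_template has a published CVE,
# request.args/request.headers are the external inputs, and entry points are named *_handler).
SAMPLE_APP = '''
import thirdparty

def normalize(s):
    return s.strip().lower()

def render_name(n):
    return thirdparty.render_template("Hello " + n)

def profile_handler(request):
    name = request.args.get("name")
    return render_name(normalize(name))        # external -> helpers -> vulnerable sink

def healthz_handler(request):
    banner = "ok"
    return thirdparty.render_template(banner)  # same sink, constant input only

def admin_handler(request):
    ua = request.headers.get("User-Agent")
    thirdparty.log("ua=" + ua)                 # external input, but thirdparty.log is not a sink
    return "done"
'''
SOURCES = {"request.args", "request.headers", "request.form", "request.json"}
VULNERABLE_SINKS = {"thirdparty.render_template"}

def dotted(node):
    parts = []                                    # 'a.b.c' for a Name/Attribute chain, else None
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    return ".".join(reversed(parts + [node.id])) if isinstance(node, ast.Name) else None

class TriggerabilityAnalyzer:
    def __init__(self, source):
        self.funcs = {n.name: n for n in ast.parse(source).body if isinstance(n, ast.FunctionDef)}
        self.params = {f: [a.arg for a in fn.args.args] for f, fn in self.funcs.items()}
        self._summary = {}

    def summary(self, f):
        """(params whose taint reaches f's return value, {param: vulnerable sink it reaches})."""
        if f not in self._summary:
            self._summary[f] = (set(), {})            # provisional entry breaks call cycles
            ret, hits = self._scan(f)
            self._summary[f] = (ret & set(self.params[f]),
                                {p: s for s, _, labels in hits for p in labels if p in self.params[f]})
        return self._summary[f]

    def _labels(self, node, env, hits):
        name = dotted(node)                           # taint origins: "external" and/or param names
        if name is not None:
            if name in SOURCES or any(name.startswith(s + ".") for s in SOURCES):
                return {"external"}
            return set(env.get(name.split(".")[0], ()))
        if isinstance(node, ast.BinOp):
            return self._labels(node.left, env, hits) | self._labels(node.right, env, hits)
        if not isinstance(node, ast.Call):
            return set()                              # literals carry no taint
        out = self._labels(node.func.value, env, hits) if isinstance(node.func, ast.Attribute) else set()
        callee = dotted(node.func)
        args = [self._labels(a, env, hits) for a in node.args]
        if callee in VULNERABLE_SINKS:
            hits.append((callee, node.lineno, set().union(*args)))
        elif callee in self.funcs:                    # local helper: apply its summary
            returns_from, sink_params = self.summary(callee)
            for p, lab in zip(self.params[callee], args):
                if p in sink_params:
                    hits.append((f"{sink_params[p]} via {callee}()", node.lineno, lab))
            args = [lab for p, lab in zip(self.params[callee], args) if p in returns_from]
        return out.union(*args)                       # sinks and unknown calls pass taint through

    def _scan(self, f):
        """Forward pass over a straight-line body (no branches or loops in this toy)."""
        env, ret, hits = {p: {p} for p in self.params[f]}, set(), []
        for stmt in self.funcs[f].body:
            if isinstance(stmt, ast.Assign):
                lab = self._labels(stmt.value, env, hits)
                for t in stmt.targets:
                    if isinstance(t, ast.Name):
                        env[t.id] = lab
            elif isinstance(stmt, ast.Return) and stmt.value is not None:
                ret |= self._labels(stmt.value, env, hits)
            elif isinstance(stmt, ast.Expr):
                self._labels(stmt.value, env, hits)
        return ret, hits

    def report(self):
        """(triggerable, dormant) vulnerable-sink calls, each as (entry_point, sink, line)."""
        triggerable, dormant = [], []
        for f in (f for f in self.funcs if f.endswith("_handler")):   # assumed entry-point naming
            for sink, line, labels in self._scan(f)[1]:
                (triggerable if "external" in labels else dormant).append((f, sink, line))
        return triggerable, dormant
```

Running TriggerabilityAnalyzer(SAMPLE_APP).report() classifies the profile_handler call as triggerable (request data flows through normalize() and render_name() into the vulnerable function) and the healthz_handler call as dormant (the same vulnerable function, but only a constant ever reaches it), while admin_handler yields no finding because its external input only reaches a function with no known vulnerability. A production analysis has to go well beyond this toy: branches and loops, framework routing, reflection and dynamic dispatch, sanitizers, and the fact that a dormant call becomes triggerable the moment a later commit routes user input to it.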

With Backslash, security teams gain a clear picture of exploitable vulnerabilities, enabling them to prioritize remediation efforts efficiently.

The Backslash AppSec platform detects Triggerable and exploitable vulnerabilities in 3rd party code (OSS packages)

Join us

Discover how Backslash can transform your AppSec approach by focusing on what truly matters: triggerable vulnerabilities. Request a Demo Today!