No Sign of Slow Down in Vulnerability Disclosure

No Sign of Slow Down in Vulnerability Disclosure

As more vulnerabilities are reported, efforts to patch them can't keep pace. Still, the number of publicly disclosed vulnerabilities continues to rise. In fact, according to the 2018 Q1 QuickView VulnDB report from Risk Based Security, the number of vulnerabilities disclosed in Q1 2018 was at an all-time high. 

The report looked at 5,375 vulnerabilities published during the first three months of 2018 and found an increase of 1.8% over the same period last year. Of all the Q1 disclosures, eight vendors accounted for 22.9% of the vulnerabilities.

Risk Based Security published 1,790 more vulnerabilities than common vulnerability exposures (CVEs) in Q1, suggesting that "organizations relying on CVE or sources solely obtaining data from CVE are missing a significant number of disclosed vulnerabilities," the report said.

Additionally, web-related vulnerabilities represent almost half (47.5%) of all Q1 2018 vulnerabilities and 49.1% of all publicly disclosed vulnerabilities can be remotely exploited.

"As more and more vulnerabilities are reported, organizations are forced to spend an increasing amount of time and resources to stay properly informed about the weaknesses affecting their IT infrastructure and applications," the report said. 

All the while, organizations grapple with vulnerability intelligence. Vulnerability disclosure and the issue of how organizations can better manage vulnerabilities are what many new research reports are looking to address of late.

Another report released today from Kenna Security and Cyentia Institute suggests that not every vulnerability presents a risk because not every vulnerability equates to an exploit. The research report, Prioritization to Prediction: Analyzing Vulnerability Remediation Strategies analyzed five years of historical vulnerability data with data points compiled from over 15 sources, including 94,597 CVEs from Mitre, and confirms the findings that the volume and velocity of vulnerabilities are rapidly increasing.

In 2017, businesses were challenged with addressing an average of 40 new vulnerabilities every day, and 2018 is expected to meet or exceed those numbers. Yet "out of the thousands of new vulnerabilities published every year, the vast majority (77%) never have exploits developed, and even fewer (less than 2%) are actively used in an attack," the reported stated.

“Effective remediation depends on quickly determining which vulnerabilities warrant action and which of those have highest priority, but prioritization remains one of the biggest challenges in vulnerability management,' Karim Toubba, CEO, Kenna Security said in a press release. “Businesses can no longer afford to react to cyber threats, as the research shows that most common vulnerability remediation strategies are about as effective as rolling dice.”

Source: Information Security Magazine