2016 sets all-time high for the number of disclosed vulnerabilities, according to Risk Based Security
RICHMOND, VA, February 6, 2017 — Risk Based Security today announced the release of the annual VulnDB QuickView report that shows 2016 broke the previous all-time record for the highest number of reported vulnerabilities. The 15,000 vulnerabilities cataloged during 2016 by Risk Based Security eclipsed the total covered by the CVE and National Vulnerability Database (NVD) by more than 6,500.
“Another record-breaking year in the number of vulnerabilities disclosed underlines the importance of relying on a proper Vulnerability Intelligence solution. For most companies, tracking vulnerabilities affecting their infrastructure has become a daunting task that is either too big to handle on their own or simply not financially viable compared to out-sourcing the tracking”, said Carsten Eiram, Chief Research Officer for Risk Based Security.
“While never designed for such use, we see too many companies still relying on CVE for vulnerability tracking. Many argue that it is at least better than nothing, but it presents too great a risk for organizations, as it lulls them into a false sense of security by mistakenly having them think they’ve got the most important vulnerabilities covered. Organizations need to understand that this is not remotely close to a feasible solution”, added Eiram.
In fact, almost half (6,659) of the published vulnerabilities in 2016 are not found in CVE/NVD. These include vulnerabilities in prevalent products. Over 1,391 of them received CVSS scores between 9.0 and 10.0. While the number of vulnerabilities has gone up, CVE covered 8.2% less in 2016 compared to their high-mark of 9,088 in 2014. Furthermore, 1,945 of the vulnerabilities in 2016 published with CVE identifiers are still missing details in the CVE database and thus missing from NVD.
The newly released 2016 Year End VulnDB QuickView report from Risk Based Security shows that 20.5% of reported vulnerabilities received CVSS scores between 9.0 and 10.0. This means that not only has the number of vulnerabilities been increasing, but the CVSS scores are also trending higher over the last five years. 48.9% of 2016 vulnerabilities can be exploited remotely and 32.8% of 2016 vulnerabilities had an exploit that was public.
The VulnDB QuickView report also revealed that while relationships between researchers and vendors can at times appear strained, they are continuing to attempt to work together. Vulnerabilities disclosed in a coordinated fashion with vendors rose to 44.9% in 2016.
“From operating systems and software installed on client and server systems to IoT and SCADA devices, vulnerabilities continue to be a major concern. Using metrics to help determine which vendors and products are putting your organization at risk needs to be a key part of your vendor risk management and procurement process,” says Eiram. “The ability to properly use vulnerability data to help with the decision-making process is important and we have ensured this is built into our VulnDB solution.”
About the VulnDB QuickView Report
The VulnDB QuickView report is made possible through the research conducted by Risk Based Security. It is designed to provide an executive-level summary of the key findings from RBS’ analysis of vulnerabilities disclosed in 2016. Contact Risk Based Security for any specific analysis of the 2016 vulnerabilities.
You can get your copy of the 2016 VulnDB QuickView report here:
About Risk Based Security
Risk Based Security (RBS) provides detailed information and analysis on Data Breaches, Vendor Risk Ratings and Vulnerability Intelligence. Our products, Cyber Risk Analytics (CRA) and VulnDB, provide organizations access to the most comprehensive threat intelligence knowledge bases available, including advanced search capabilities, access to raw data via API, and email alerting to assist organizations in taking the right actions in a timely manner. In addition, our YourCISO offering provides organizations with on-demand access to high quality security and information risk management resources in one, easy to use web portal.
VulnDB is the most comprehensive and timely vulnerability intelligence available and provides actionable information about the latest in security vulnerabilities via an easy-to-use SaaS Portal, or a RESTful API for easy integration into GRC tools and ticketing systems. VulnDB allows organizations to search on and be alerted to the latest vulnerabilities, both in end-user software and the third-party libraries or dependencies that help build applications. A subscription to VulnDB provides organizations with simple to understand ratings and metrics on their vendors and products, and how each contributes to the organization’s risk-profile and cost of ownership.
Cyber Risk Analytics (CRA) provides actionable threat intelligence about organizations that have had a data breach or leaked credentials. This enables organizations to reduce exposure to the threats most likely to impact them and their vendor base. In addition, our PreBreach vendor risk rating, the result of a deep view into the metrics driving cyber exposures, is used to better understand the digital hygiene of an organization and the likelihood of a future data breach. The integration of PreBreach ratings into security processes, vendor management programs, cyber insurance processes and risk management tools allows organizations to avoid costly risk assessments, while enabling businesses to understand their risk posture and act quickly and appropriately to proactively protect their most critical information assets.
YourCISO provides organizations with on-demand access to high-quality security and information risk management resources in one easy-to-use web portal. YourCISO gives organizations ready access to senior executives and highly skilled technical security experts with a proven track record, matched specifically to your needs. The YourCISO service is designed to be an affordable long-term solution for addressing information security risks. YourCISO brings together all the elements an organization needs to develop, document and manage a comprehensive information security program.
For more information, please visit:
or call 855-RBS-RISK