Nearly 10,000 Vulnerabilities Disclosed So Far In 2017 – Major Vendors Continue To Be Affected
July 26, 2017 • RBS
2017 appears to be on pace to exceed 2016’s high mark of 15,669 disclosed vulnerabilities, according to Risk Based Security.
Risk Based Security today announced the release of its Mid-2017 VulnDB QuickView report that shows there have been 9,690 vulnerabilities disclosed through June 30th. This is the highest number of disclosed vulnerabilities at the mid-year point on record. The 9,690 vulnerabilities cataloged during the first six months of 2017 by Risk Based Security eclipsed the total covered by the CVE and National Vulnerability Database (NVD) by over 4,000.
“Another important statistic is that of the 4,092 vulnerabilities not reported by CVE/NVD, 3,806, or 93.0%, have CVSSv2 scores of 4.0 (Medium Severity) and above. This is highly problematic since PCI compliance requires medium severity vulnerabilities and above to be mitigated. If your organization or the vulnerability scanning company you rely upon is using CVE/NVD for vulnerability intelligence, your infrastructure is at risk,” said Carsten Eiram, Chief Research Officer for Risk Based Security.
“With reported data breaches on the rise in 2017 at nearly 2,300 through June, and 41% of those breaches caused by hacking, this is no time to use an inferior vulnerability intelligence feed to protect your assets,” added Eiram.
The newly released Mid-year 2017 report from Risk Based Security shows that 21.1% of reported vulnerabilities received CVSSv2 scores between 9.0 and 10.0, nearly identical to the percentage observed in 2016. This means that not only is the number of vulnerabilities on the rise, but the severity of the vulnerabilities disclosed remains high.
The VulnDB QuickView report also revealed that while relationships between researchers and vendors can at times appear strained, they are continuing to attempt to work together. Vulnerabilities disclosed in a coordinated fashion with vendors remain high at around 42%, just slightly lower than in 2016. “One final point about the criticality of having access to comprehensive and timely vulnerability intelligence: of the vulnerabilities not reported in CVE/NVD in 2017, 47.4% have a publicly disclosed exploit or sufficient details to trivially create one,” says Eiram.
About the VulnDB QuickView Report
The VulnDB QuickView report is made possible by the research conducted by Risk Based Security. It is designed to provide an executive-level summary of the key findings from RBS’ analysis of vulnerabilities disclosed in 2017. Contact Risk Based Security for analysis of any 2017 vulnerabilities of specific interest to your organization. You can get your copy of the Mid-year 2017 VulnDB QuickView Report.
About Risk Based Security
Risk Based Security (RBS) provides detailed information and analysis on Data Breaches, Vendor Risk Ratings and Vulnerability Intelligence. Our products, Cyber Risk Analytics (CRA) and VulnDB, provide organizations access to the most comprehensive threat intelligence knowledge bases available, including advanced search capabilities, access to raw data via API, and email alerting to assist organizations in taking the right actions in a timely manner.
In addition, our YourCISO offering provides organizations with on-demand access to high quality security and information risk management resources in one, easy to use web portal.
VulnDB is the most comprehensive and timely vulnerability intelligence available and provides actionable information about the latest security vulnerabilities via an easy-to-use SaaS portal, or a RESTful API for easy integration into GRC tools and ticketing systems. VulnDB allows organizations to search on and be alerted to the latest vulnerabilities, both in end-user software and in the third-party libraries or dependencies that help build applications. A subscription to VulnDB provides organizations with simple-to-understand ratings and metrics on their vendors and products, and how each contributes to the organization’s risk profile and cost of ownership.
Cyber Risk Analytics (CRA)
Cyber Risk Analytics (CRA) provides actionable threat intelligence about organizations that have had a data breach or leaked credentials. This enables organizations to reduce exposure to the threats most likely to impact them and their vendor base. In addition, our PreBreach vendor risk rating, the result of a deep view into the metrics driving cyber exposures, is used to better understand the digital hygiene of an organization and the likelihood of a future data breach.
The integration of PreBreach ratings into security processes, vendor management programs, cyber insurance processes and risk management tools allows organizations to avoid costly risk assessments, while enabling businesses to understand their risk posture and act quickly and appropriately to proactively protect their most critical information assets.
YourCISO provides organizations with on-demand access to high-quality security and information risk management resources in one easy-to-use web portal. YourCISO gives organizations ready access to senior executives and highly skilled technical security experts with a proven track record, matched specifically to your needs.
The YourCISO service is designed to be an affordable long-term solution for addressing information security risks. YourCISO brings together all the elements an organization needs to develop, document and manage a comprehensive information security program.