No-Shock: Worst Year For Vulnerabilities Already – Only Through Q3 2017
November 14, 2017 • RBS
2017 has officially become the worst year on record with over 16,006 disclosed vulnerabilities, according to Risk Based Security.
Risk Based Security today announced the release of its Q3 2017 VulnDB QuickView report that shows there have been 16,006 vulnerabilities disclosed through September 30th this year. This is the highest number of disclosed vulnerabilities at the end of the third quarter on record and represents a 38% increase over the same period in 2016.
In addition, cataloged vulnerabilities in the first nine months of 2017 have exceeded the total vulnerabilities for all of 2016 (15,832). The 16,006 vulnerabilities cataloged by Risk Based Security’s VulnDB research team eclipsed the total covered by the CVE and National Vulnerability Database (NVD) by 6,295.
“When hearing that so many vulnerabilities are missing from CVE/NVD, most security professionals want to justify the gap by trying to convince themselves that the vulnerabilities missed can’t possibly impact their organization, and if they do, they must be low risk. However, just as our previous reports have indicated, this isn’t the case. 44.1% – over 2,700 – of the vulnerabilities not published by NVD/CVE have a CVSSv2 score between 7.0 and 10, which includes widely deployed software used by many organizations. Any security product or tool that relies on CVE/NVD is putting your organization at serious risk,” said Jake Kouns, Chief Information Security Officer for Risk Based Security.
“As Equifax dominated the data breach headlines, it was revealed that due to a series of delays they were unable to patch the exploited flaw, now commonly known as Struts-Shock, in a timely fashion. What the media missed is that there have been a total of 75 vulnerabilities in Apache Struts, and 5 new vulnerabilities since Struts-Shock was disclosed. It makes you wonder if there were any other delays in correcting those issues as well, and if Equifax has additional unpatched vulnerabilities,” added Kouns.
The newly released Q3 2017 report from Risk Based Security shows that 39.9% of total reported vulnerabilities received CVSSv2 scores above 7.0. This means that not only is the number of vulnerabilities on the rise, but the severity of the vulnerabilities disclosed remains high. More concerning for organizations is that 31.6% of the vulnerabilities disclosed have public exploits available and 47.9% can be exploited remotely.
The VulnDB QuickView report also highlights the relationships between researchers and vendors, showing that they are continuing to work together. Vulnerabilities disclosed in a coordinated fashion continue to be around 43%, on par with the mid-year report.
In addition, 6.1% of the vulnerabilities disclosed in software products were coordinated through vendor and third-party bug bounty programs. “While our proprietary Vulnerability, Timeline, and Exposure Metrics (VTEM) show that not all vendors are prioritizing and fixing vulnerabilities as quickly as we would prefer, the good news is that 75.8% of 2017 vulnerabilities through September do have a documented solution,” says Kouns.
About the VulnDB QuickView Report
The VulnDB QuickView report is made possible through the research conducted by Risk Based Security. It is designed to provide an executive level summary of the key findings from RBS’ analysis of aggregated vulnerabilities disclosed in 2017. Contact Risk Based Security for any specific analysis of the 2017 vulnerabilities of specific interest to your organization.
You can get your copy of the Q3 2017 VulnDB QuickView Report here.
About Risk Based Security
Risk Based Security (RBS) provides detailed information and analysis on Data Breaches, Vendor Risk Ratings and Vulnerability Intelligence. Our products, Cyber Risk Analytics (CRA) and VulnDB, provide organizations access to the most comprehensive threat intelligence knowledge bases available, including advanced search capabilities, access to raw data via API, and email alerting to assist organizations in taking the right actions in a timely manner. In addition, our YourCISO offering provides organizations with on-demand access to high quality security and information risk management resources in one, easy to use web portal.
VulnDB is the most comprehensive and timely vulnerability intelligence available and provides actionable information about the latest in security vulnerabilities via an easy-to-use SaaS Portal, or a RESTful API for easy integration into GRC tools and ticketing systems. VulnDB allows organizations to search on and be alerted to the latest vulnerabilities, both in end-user software and the third-party libraries or dependencies that help build applications.
A subscription to VulnDB provides organizations with simple to understand ratings and metrics on their vendors and products, and how each contributes to the organization’s risk-profile and cost of ownership.
Cyber Risk Analytics (CRA) provides actionable threat intelligence about organizations that have had a data breach or leaked credentials. This enables organizations to reduce exposure to the threats most likely to impact them and their vendor base. In addition, our PreBreach vendor risk rating, the result of a deep view into the metrics driving cyber exposures, is used to better understand the digital hygiene of an organization and the likelihood of a future data breach. The integration of PreBreach ratings into security processes, vendor management programs, cyber insurance processes and risk management tools allows organizations to avoid costly risk assessments, while enabling businesses to understand their risk posture and act quickly and appropriately to proactively protect their most critical information assets.
YourCISO provides organizations with on-demand access to high quality security and information risk management resources in one easy-to-use web portal. YourCISO provides organizations with ready access to senior executives and highly skilled technical security experts with a proven track record, matched specifically to your needs. The YourCISO service is designed to be an affordable long-term solution for addressing information security risks. YourCISO brings together all the elements an organization needs to develop, document and manage a comprehensive information security program.
For more information, please visit: