On Pace To Break 20k Mark For Disclosed Vulnerabilities
November 19, 2018 • RBS
The number of vulnerabilities through Q3 of 2018, though significant and on track to be over 20,000, is down from the same time last year and will likely fall short of the record-breaking 2017 year end numbers of more than 22,000 disclosed vulnerabilities, according to Risk Based Security.
Today, Risk Based Security announced the public release of its 2018 Q3 VulnDB QuickView report, which shows that 16,172 vulnerabilities were disclosed through October 29th. This is a 7% decrease from the record high reported at this time last year. The 16,172 vulnerabilities cataloged through Q3 2018 by Risk Based Security’s research team eclipsed the total covered by CVE and the National Vulnerability Database (NVD) by over 4,800. It is also worth noting that NVD is still significantly behind in scoring vulnerabilities and in producing the automation component.
Key Findings for Q3 2018
- There were 16,172 vulnerabilities published by Risk Based Security’s VulnDB team through the end of Q3 2018.
- The period up to the end of Q3 2018 showed a 7% decrease from the same period in 2017, the year that set the all-time record for the number of disclosed vulnerabilities.
- Risk Based Security’s VulnDB published 4,823 more vulnerabilities than CVE/NVD through the end of Q3 2018.
- CVSSv2 scores of 7.0+ accounted for 34.9% of all 2018’s published vulnerabilities through Q3.
- Through Q3, 46% of the vulnerabilities not published by NVD/CVE have a CVSSv2 score between 7.0 and 10.
- Coordinated disclosure accounted for 48.3% of 2018 vulnerabilities through Q3. 8.7% of coordinated disclosures were through bug bounty programs.
- Web-related vulnerabilities accounted for 46.0% of 2018 vulnerabilities through Q3.
- Of the vulnerabilities published through the end of Q3 2018, 31.2% have public exploits. 48.4% of 2018 vulnerabilities can be exploited remotely.
- 66.1% of vulnerabilities published through Q3 2018 have a documented solution.
- 3.6% of the vulnerabilities published up to the end of Q3 were classified as SCADA vulnerabilities.
- 3.4% of 2018 vulnerabilities through Q3 were classified as impacting security software.
The newly released 2018 Q3 report from Risk Based Security shows that vulnerabilities with a CVSSv2 score of 9.0+, often referred to as ‘critical’, accounted for 15.4% of all published vulnerabilities through Q3. The significant percentage of critical severity vulnerabilities continues to underline the vigilance organizations must maintain and the importance of implementing a comprehensive software vulnerability assessment and management plan.
Risk Based Security’s VulnDB published 4,823 more vulnerabilities than CVE/NVD through the end of Q3 2018. “It’s important to understand the limitations of CVE/NVD-based solutions, and the risk that organizations face by not incorporating the most comprehensive vulnerability intelligence available in their risk management solutions. Not only do they cover a subset of reported vulnerabilities, but analysis shows that CVE/NVD-based solutions are about 7-12 weeks behind. The serious risk faced by an organization not warned about a new vulnerability in a timely manner – if at all – is obvious,” said Carsten Eiram, Chief Research Officer for Risk Based Security.
“CVE/NVD-based solutions are also inaccurate and lacking a lot of relevant information such as the detailed metadata tracked in VulnDB, including the lifecycle of a vulnerability. The information available about any given vulnerability is often changing, so it’s important to track these changes, for example: the release of patches or upgraded versions, changes to impact based on new findings, and exploit availability. CVE/NVD-based solutions are ‘fire and forget’. They rarely update vulnerability information once published,” added Eiram.
Of all the vulnerabilities disclosed through Q3 2018, 67.3% are due to insufficient or improper input validation. Though many vulnerabilities fall under this umbrella, it’s clear that vendors still struggle to carefully validate untrusted input from users. Having a mature Software Development Lifecycle (SDL) and some form of auditing can help iron out many of these issues and significantly reduce the threat from attackers.
A large number of the vulnerabilities reported in 2018 have either updated versions or patches available. However, 24.9% of the reported vulnerabilities currently have no known solution, which is a reminder that, while patching is very important, it cannot be relied on exclusively as a remedy. In addition to patch management, modern vulnerability management programs should use detailed information on the threats an organization faces to implement broader mitigation strategies, including compensating security controls.
“The importance of comprehensive vulnerability coverage is clear, but even more critical is having timely intelligence which cannot be understated. We continue to see vulnerabilities that are being actively exploited in the wild well before most organizations are aware of the issues. It is an unfortunate situation to find yourself in a position to learn about a vulnerability after the damage is done,” said Brian Martin, VP of Vulnerability Intelligence for Risk Based Security.
About the VulnDB QuickView Report
The VulnDB QuickView report is made possible by the research conducted by Risk Based Security. It is designed to provide an executive-level summary of the key findings from RBS’ aggregation of vulnerabilities disclosed in 2018. Contact Risk Based Security for a specific analysis of the 2018 vulnerabilities of critical relevance to your organization.
About Risk Based Security
Risk Based Security (RBS) provides detailed information and analysis on Data Breaches, Vendor Risk Ratings and Vulnerability Intelligence. Our products, Cyber Risk Analytics (CRA) and VulnDB, provide organizations with access to the most comprehensive threat intelligence knowledge bases available, including advanced search capabilities, access to raw data via API, and email alerting to assist organizations in taking the right actions in a timely manner. In addition, our YourCISO offering provides organizations with on-demand access to high-quality security and information risk management resources in one easy-to-use web portal.
VulnDB is the most comprehensive and timely vulnerability intelligence available and provides actionable information about the latest in security vulnerabilities via an easy-to-use SaaS Portal, or a RESTful API for easy integration into GRC tools and ticketing systems. VulnDB allows organizations to search on and be alerted to the latest vulnerabilities, both in end-user software and the third-party libraries or dependencies that help build applications. A subscription to VulnDB provides organizations with simple to understand ratings and metrics on their vendors and products, and how each contributes to the organization’s risk-profile and cost of ownership.
Cyber Risk Analytics (CRA) provides actionable threat intelligence about organizations that have had a data breach or leaked credentials. This enables organizations to reduce exposure to the threats most likely to impact them and their vendor base. In addition, our PreBreach vendor risk rating, the result of a deep view into the metrics driving cyber exposures, is used to better understand the digital hygiene of an organization and the likelihood of a future data breach. The integration of PreBreach ratings into security processes, vendor management programs, cyber insurance processes and risk management tools allows organizations to avoid costly risk assessments, while enabling businesses to understand their risk posture and act quickly and appropriately to proactively protect their most critical information assets.
YourCISO provides organizations with on-demand access to high-quality security and information risk management resources in one easy-to-use web portal. YourCISO gives organizations ready access to senior executives and highly skilled technical security experts with a proven track record, matched specifically to your needs. The YourCISO service is designed to be an affordable long-term solution for addressing information security risks. YourCISO brings together all the elements an organization needs to develop, document and manage a comprehensive information security program.