More Than 22,000 Vulnerabilities Disclosed In 2018
February 27, 2019 • RBS
Risk Based Security today announced the publication of its 2018 Year End Vulnerability QuickView Report, showing over 22,000 new vulnerabilities were disclosed during the year. While approximately 33% of published vulnerabilities received a CVSSv2 score of 7 or above, the number of vulnerabilities scoring 9 or above declined for the third year in a row.
The report confirms that CVE / National Vulnerability Database (NVD) continues to face challenges staying up-to-date with the relentless pace of new disclosures. The VulnDB research team at Risk Based Security (RBS) catalogued 6,780 more vulnerabilities than CVE/NVD. This is notable as it represents nearly 31% of all the published vulnerabilities in 2018.
RBS VP of Vulnerability Intelligence, Brian Martin advises, “Companies can’t afford to miss almost a third of vulnerabilities each year. It is time to move from a ‘good enough’ mentality and toward the paradigm of ‘Better Data Matters’ that Risk Based Security and its VulnDB research is built upon. Missing 31% is unacceptable in today’s cyber landscape, especially when tools are available to prevent it.”
Of the 6,780 vulnerabilities not published by CVE/NVD, 45.5% have a CVSSv2 score between 7.0 and 10.0, and 13.6% scored between 9.0 and 10.0. This once again calls attention to the importance of having a comprehensive view into vulnerability activity. Martin added, “No organization can afford to ignore a single vulnerability ranked between a 7 and 10, let alone over 3,000 of them!” These vulnerabilities cover a wide variety of software including web browsers, enterprise tools, and third-party libraries that impact hundreds or thousands of software packages.
The most significant vulnerability attack type for 2018 is Input Manipulation. “68.7% of the disclosed vulnerabilities are due to insufficient or improper input validation,” expounds Martin, “While a lot of vulnerabilities fall under this umbrella, including cross-site scripting, SQL injection, shell command injection, and buffer overflows, it underlines that software developers still struggle to carefully validate untrusted input. Having a mature SDL that includes secure coding practices can iron out many such issues and significantly reduce the threat from attackers.”
The Vulnerability QuickView report also shows that 32.7% of 2018’s vulnerabilities have public exploits and 50.5% can be exploited remotely, meaning that few of the reported vulnerabilities require any type of physical proximity to a system or a device to be exploited. Another revealing finding: 27.1% of vulnerabilities had no known solution, which unfortunately is up 5% from 2017 based on current data. And for those following the hot topic of bug bounty programs, almost 8% of vulnerabilities were coordinated through bug bounty programs, a solid increase from the 5.8% last year.
Notably, SCADA vulnerabilities are on the rise. 3.5% of 2018 vulnerabilities were classified as SCADA vulnerabilities, double that of last year. The report notes that this will be an area to keep an eye on as more SCADA systems become internet accessible for convenience without full realization of the safety risks and ramifications.
About the Vulnerability QuickView Report
Because RBS believes that the ability to properly apply vulnerability data is vital to business decision-making processes, the VulnDB QuickView report is created through extensive research conducted by Risk Based Security’s VulnDB team. It is designed to provide an executive-level summary of the key findings from RBS’ analysis of vulnerabilities disclosed in 2018. Contact Risk Based Security for any specific analysis of the 2018 vulnerabilities.
About Risk Based Security
Risk Based Security (RBS) provides detailed information and analysis on Data Breaches, Vendor Risk Ratings and Vulnerability Intelligence. Our products, VulnDB and Cyber Risk Analytics (CRA), provide organizations access to the most comprehensive threat intelligence knowledge bases available, including advanced search capabilities, access to raw data via API, and email alerting to assist organizations in taking the right actions in a timely manner. In addition, our YourCISO offering provides organizations with on-demand access to high-quality security and information risk management resources in one easy-to-use web portal.
VulnDB is the most comprehensive and timely vulnerability intelligence available and provides actionable information about the latest in security vulnerabilities via an easy-to-use SaaS Portal, or a RESTful API for easy integration into GRC tools and ticketing systems. VulnDB allows organizations to search on and be alerted to the latest vulnerabilities, both in end-user software and the third-party libraries or dependencies that help build applications. A subscription to VulnDB provides organizations with simple to understand ratings and metrics on their vendors and products, and how each contributes to the organization’s risk-profile and cost of ownership.