[BreachExchange] Record Levels of Software Bugs Plague Short-Staffed IT Teams in 2020

Destry Winant destry at riskbasedsecurity.com
Thu Dec 10 10:25:35 EST 2020


https://threatpost.com/record-levels-software-bugs-it-teams-2020/162095/

As just one symptom, 83 percent of the Top 30 U.S. retailers have
vulnerabilities which pose an “imminent” cyber-threat, including
Amazon, Costco, Kroger and Walmart.

2020 is shaping up to be a banner year for software vulnerabilities,
leaving security professionals drowning in a veritable sea of
patching, reporting and looming attacks, many of which they can’t even
see.

A trio of recent reports tracking software vulnerabilities over the
past year underscore the challenges of patch management and keeping
attacks at bay.

“Based on vulnerability data, the state of software security remains
pretty dismal,” Brian Martin, vice president of vulnerability
intelligence with Risk Based Security (RBS), told Threatpost.

The year didn’t start out that way. The VulnDB team at RBS saw a
massive drop in disclosures during the first three quarters of 2020.
Then COVID-19 hit, creating a juicy opportunity for malicious actors
to exploit the chaos.

“At the end of Q1 this year, we saw what appeared to be a sharp
decline in vulnerability disclosures as compared to 2019, dropping by
19.2 percent,” Martin wrote in the third-quarter report.
“Statistically that is huge. However, as 2020 continues, we are
starting to see just how large an impact the pandemic has had on
vulnerability disclosures.”

Software Vuln Perfect Storm

Now, RBS reported that the number of vulnerabilities disclosed will
possibly exceed 2019’s numbers, but as the year comes to a close,
there’s still much uncertainty about the impact COVID will have into
2021.

“With the pandemic seeing a resurgence in most of the world even as we
enter the holiday season, it is difficult to predict the exact
influence COVID-19 will have on the vulnerability-disclosure
landscape,” the RBS report concluded.

Prior to the pandemic, IT teams were already under tremendous pressure
to keep up with patching due to what RBS has dubbed “vulnerability
Fujiwara events.” The term “Fujiwara,” according to RBS researchers,
describes the confluence of two hurricanes, which they liken to days
like Jan. 14, April 14 and July 14 this year, when 13 major vendors,
including Microsoft and Oracle, all released patches at the same time.
RBS said these three vulnerability Fujiwara events in 2020 put massive
stress on security teams.

Meanwhile some major vendors’ regular Patch Tuesday events are
starting to create a type of rolling Vulnerability Fujiwara Effect
year-round, RBS added, since the number of patches for each of them
have ramped up. With December’s Patch Tuesday, for instance,
Microsoft’s patch tally totals 1,250 for the year – well beyond 2019’s
840.

In fact, Microsoft and Oracle lead the Top 50 vendors in the number of
reported security vulnerabilities, according to the latest analysis
from Comparitech.

Security researchers looked at CVE details across the Top 50 software
vendors and found that since 1999, Microsoft is the hands-down leader
with 6,700 reported, followed by Oracle with 5,500 and IBM with 4,600.

“New software is being released at a faster rate than old software is
being deprecated or discontinued,” Comparitech’s Paul Bischoff told
Threatpost. “Given that, I think more software vulnerabilities are
inevitable. Most of those vulnerabilities are identified and patched
before they’re ever exploited in the wild, but more zero days are
inevitable as well. Zero days are a much bigger concern than
vulnerabilities in general.”

Online v. Desktop Software Vulnerabilities

The real growth area in software security flaws has been in
third-party online software, according to Cyberpion, which has
developed a tool to evaluate security holes in entire online
ecosystems. Their findings include the startling statistic that 83
percent of the Top 30 U.S. retailers have vulnerabilities which pose
an “imminent” cyber-threat, including Amazon, Costco, Kroger and
Walmart.

“Software developed for the desktop is fundamentally different than
software developed for online,” Cyberpion’s CRO Ran Nahmias told
Threatpost. “Desktop software code needs to be secured against a virus
for rewriting the code (and the attack occurs on one desktop at a
time). Online software has a strong dependency on the infrastructure
that hosts, operates and distributes it.

This creates a massive attack surface, including not just the code
itself, but the infrastructure behind it.

“These online infrastructures can get complex, and one
misconfiguration anywhere could lead to the code being compromised or
modified,” Nahmias said. “Additionally, because the software is
centrally located and then serves many customers, a single breach can
affect many companies and people (as opposed to the desktop software
being infected by a virus which would impact one user).”

What organizations really need to guard their systems appropriately is
well-trained professionals. Unfortunately, as Bischoff added, they are
in increasingly short supply.

“Aside from the increasing volume of software, the lack of qualified
cybersecurity staff contributes to the rise in software
vulnerabilities,” he said. “In almost every sector of the economy,
cybersecurity personnel are in high demand.”

Meanwhile, software bugs aren’t going anywhere.

“Despite more organizations taking secure development more seriously,
and despite more tools available to help find and eliminate
vulnerabilities, the amount of disclosed vulnerabilities suggests it
hasn’t tipped the scale yet,” Martin added. “We’re hopeful that as
more and more news of organizations being breached are taken
seriously, and organizations and developers better understand the
severity of vulnerable code, that they will make the extra effort to
ensure more auditing is done before releasing [software].”


More information about the BreachExchange mailing list