[BreachExchange] On Pace To Break 20k Mark For Disclosed Vulnerabilities

Destry Winant destry at riskbasedsecurity.com
Mon Nov 19 09:23:36 EST 2018


https://www.riskbasedsecurity.com/2018/11/on-pace-to-break-20k-mark-for-disclosed-vulnerabilities/

The number of vulnerabilities through Q3 of 2018, though significant and on
track to be over 20,000, is down from the same time last year and will
likely fall short of the record-breaking 2017 year end numbers of more than
22,000 disclosed vulnerabilities, according to Risk Based Security.

Today, Risk Based Security announced the public release of its 2018 Q3
VulnDB QuickView report, which shows that 16,172 vulnerabilities were
disclosed through October 29th. This is a 7% decrease from the record high
reported at this time last year. The 16,172 vulnerabilities cataloged
through Q3 2018 by Risk Based Security’s research team eclipsed the total
covered by CVE and the National Vulnerability Database (NVD) by over 4,800.
It’s also worth noting that NVD still lags significantly in scoring
vulnerabilities and in producing the automation data that depends on it.

Key Findings for Q3 2018

- There were 16,172 vulnerabilities published by Risk Based Security’s
VulnDB team through the end of Q3 2018.
- The period up to the end of Q3 2018 showed a 7% decrease over the same
period in 2017, which set the all-time high record for number of
vulnerabilities.
- Risk Based Security’s VulnDB published 4,823 more vulnerabilities than
CVE/NVD through the end of Q3 2018.
- CVSSv2 scores of 7.0+ accounted for 34.9% of all 2018’s published
vulnerabilities through Q3.
- Through Q3, 46% of the vulnerabilities not published by NVD/CVE have a
CVSSv2 score between 7.0 and 10.
- Coordinated disclosure accounted for 48.3% of 2018 vulnerabilities
through Q3. 8.7% of coordinated disclosures were through bug bounty
programs.
- Web-related vulnerabilities accounted for 46.0% of the vulnerabilities
disclosed so far in 2018.
- Of the vulnerabilities published through the end of Q3 2018, 31.2% have
public exploits. 48.4% of 2018 vulnerabilities can be exploited remotely.
- 66.1% of vulnerabilities published through Q3 2018 have a documented
solution.
- 3.6% of the vulnerabilities published up to the end of Q3 were classified
as SCADA vulnerabilities.
- 3.4% of 2018 vulnerabilities through Q3 were classified as impacting
security software.

The newly released 2018 Q3 report from Risk Based Security shows that
vulnerabilities with a CVSSv2 score of 9.0+, often referred to as
‘critical’, accounted for 15.4% of all published vulnerabilities through
Q3. The significant percentage of critical severity vulnerabilities
continues to underline the vigilance organizations must maintain and the
importance of implementing a comprehensive software vulnerability
assessment and management plan.

Risk Based Security’s VulnDB published 4,823 more vulnerabilities than
CVE/NVD through the end of Q3 2018. “It’s important to understand the
limitations of CVE/NVD-based solutions, and the risk that organizations
face by not incorporating the most comprehensive vulnerability intelligence
available in their risk management solutions. Not only do they cover a
subset of reported vulnerabilities, but analysis shows that CVE/NVD-based
solutions are about 7-12 weeks behind. The serious risk faced by an
organization not warned about a new vulnerability in a timely manner – if
at all – is obvious,” said Carsten Eiram, Chief Research Officer for Risk
Based Security.

“CVE/NVD-based solutions are also inaccurate and lacking a lot of relevant
information such as the detailed metadata tracked in VulnDB including the
lifecycle of a vulnerability. The information available about any given
vulnerability is often changing, so it’s important to track these changes,
for example: the release of patches or upgraded versions, changes to impact
based on new findings, and exploit availability. CVE/NVD-based solutions
are ‘fire and forget’. They rarely update vulnerability information once
published,” added Eiram.

Of all the vulnerabilities disclosed through Q3 2018, 67.3% are due to
insufficient or improper input validation. Though many vulnerabilities fall
under this umbrella, it’s clear that vendors still struggle to carefully
validate untrusted input from users. Having a mature Software Development
Lifecycle (SDL) and some form of auditing can help iron out many of these
issues and significantly reduce the threat from attackers.

A large number of the vulnerabilities reported in 2018 have either updated
versions or patches available. However, 24.9% of the reported
vulnerabilities currently have no known solution, which is a reminder that,
while patching is very important, it cannot be relied on exclusively as a
remedy. In addition to patch management, modern vulnerability management
programs should use detailed information on the threats an organization
faces to implement broader mitigation strategies, including compensating
security controls.

“The importance of comprehensive vulnerability coverage is clear, but even
more critical is having timely intelligence which cannot be understated. We
continue to see vulnerabilities that are being actively exploited in the
wild well before most organizations are aware of the issues. It is an
unfortunate situation to find yourself in a position to learn about a
vulnerability after the damage is done,” said Brian Martin, VP of
Vulnerability Intelligence for Risk Based Security.

About the VulnDB QuickView Report

The VulnDB QuickView report is made possible by the research conducted by
Risk Based Security. It is designed to provide an executive-level summary
of the key findings from RBS’ aggregation of vulnerabilities disclosed in
2018. Contact Risk Based Security for a specific analysis of the 2018
vulnerabilities of critical relevance to your organization.

Click here to get your copy of the 2018 Q3 VulnDB QuickView Report.
<https://pages.riskbasedsecurity.com/2018-q3-vulnerability-quickview-report>

About Risk Based Security

Risk Based Security (RBS) provides detailed information and analysis on
Data Breaches, Vendor Risk Ratings and Vulnerability Intelligence. Our
products, Cyber Risk Analytics (CRA) and VulnDB, provide organizations
access to the most comprehensive threat intelligence knowledge bases
available, including advanced search capabilities, access to raw data via
API, and email alerting to assist organizations in taking the right actions
in a timely manner. In addition, our YourCISO offering provides
organizations with on-demand access to high quality security and
information risk management resources in one, easy to use web portal.

VulnDB is the most comprehensive and timely vulnerability intelligence
available and provides actionable information about the latest in security
vulnerabilities via an easy-to-use SaaS Portal, or a RESTful API for easy
integration into GRC tools and ticketing systems. VulnDB allows
organizations to search on and be alerted to the latest vulnerabilities,
both in end-user software and the third-party libraries or dependencies
that help build applications. A subscription to VulnDB provides
organizations with simple to understand ratings and metrics on their
vendors and products, and how each contributes to the organization’s
risk-profile and cost of ownership.

Cyber Risk Analytics (CRA) provides actionable threat intelligence about
organizations that have had a data breach or leaked credentials. This
enables organizations to reduce exposure to the threats most likely to
impact them and their vendor base. In addition, our PreBreach vendor risk
rating, the result of a deep view into the metrics driving cyber exposures,
is used to better understand the digital hygiene of an organization and
the likelihood of a future data breach. The integration of PreBreach
ratings into security processes, vendor management programs, cyber
insurance processes and risk management tools allows organizations to avoid
costly risk assessments, while enabling businesses to understand their risk
posture and act quickly and appropriately to proactively protect their most
critical information assets.

YourCISO provides organizations with on-demand access to high quality
security and information risk management resources in one easy-to-use web
portal. YourCISO gives organizations ready access to senior executives
and highly skilled technical security experts with a proven track record,
matched specifically to your needs. The YourCISO service is designed to be
an affordable long-term solution for addressing information security
risks. YourCISO brings together all the elements an organization needs to
develop, document and manage a comprehensive information security program.