[BreachExchange] One-Third of Security Vulnerabilities Remain Unpatched

[Destry Winant]

https://www.natlawreview.com/article/one-third-security-vulnerabilities-remain-unpatched

Although the number of security vulnerabilities reported in the first
half of 2019 have reported dropped a bit from last year, a new report
by Risk Based Security states that 34 percent of the 11,092
vulnerabilities identified have not been patched to date.

The key findings of the report include the following:

Web-related vulnerabilities accounted for 54.5 percent of those vulnerabilities.
34 percent have public exploits.
34 percent do not have a documented solution.
53 percent can be exploited remotely.
8 percent were classified as SCADA vulnerabilities.
5 percent were classified as impacting security software.
7 percent received CVSSv2 scores of 9.0+.
Five major vendors accounted for 24.1 percent of 2019 vulnerabilities so far.

The report also notes that remote vulnerabilities, those that happen
over a network by an attacker that did not previously have access to a
system accounts for the highest vulnerability experienced by companies
in the first half of 2019. This is done through an SQL injection
attack and according to Risk Based Security, the way to combat it is
through sanitizing input. Another recommendation in the report is to
use a vulnerability scanning tool that can look at the entire network
and all devices connected to it since many organizations are unaware
of all of the devices connected to the network. If a company is
scanning and patching, more than one half of the reported
vulnerabilities in the first half of this year could have been
resolved.