Patching security flaws is a challenging and seemingly never-ending chore for IT and security professionals, and the chore gets harder each year as the number of newly disclosed vulnerabilities continues to climb. Based on the latest figures from the National Vulnerability Database (NVD), which is maintained by the National Institute of Standards and Technology (NIST), the annual count of recorded flaws has set a record for the fifth straight year.
As of Dec. 9, 2021, the NVD had recorded 18,400 vulnerabilities for the year. Broken down by the NVD's severity bands, which are derived from CVSS base scores rather than from any assessment of how exploitable a flaw is in a particular environment, 2021 so far comprises 2,966 low-severity, 11,777 medium-severity and 3,657 high-severity vulnerabilities.
For 2020, the number of total vulnerabilities was 18,351. Some 2,766 were labeled low risk, 11,204 ranked as medium risk, and 4,381 categorized as high risk. For the past five years, each year has topped the previous one with 17,306 total flaws recorded in 2019, 16,510 in 2018, and 14,645 in 2017.
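The low/medium/high split quoted above is a mechanical bucketing of CVSS base scores, and the three-band form matches the CVSS v2 bands (0.0-3.9, 4.0-6.9, 7.0-10.0); CVSS v3 adds a "critical" band at 9.0 and above, so the same data tallied under v3 looks different. The script below is an added example, not code from the article or from NIST, that reproduces this kind of annual tally over a handful of constructed records shaped only loosely like NVD entries (the field names, the sample IDs and the choice to group by published year are all assumptions).

```python
from collections import Counter

# Constructed sample records (assumption: simplified field names, not the
# real NVD schema; IDs are placeholders, not real CVE identifiers).
SAMPLE_CVES = [
    {"id": "SAMPLE-2021-1", "published": "2021-01-15", "cvss_v2": 2.1,  "cvss_v3": 3.3},
    {"id": "SAMPLE-2021-2", "published": "2021-03-02", "cvss_v2": 5.0,  "cvss_v3": 7.5},
    {"id": "SAMPLE-2021-3", "published": "2021-06-30", "cvss_v2": 7.5,  "cvss_v3": 9.8},
    {"id": "SAMPLE-2021-4", "published": "2021-09-10", "cvss_v2": 10.0, "cvss_v3": 9.8},
    {"id": "SAMPLE-2021-5", "published": "2021-11-05", "cvss_v2": 4.3,  "cvss_v3": 6.1},
    {"id": "SAMPLE-2020-1", "published": "2020-02-20", "cvss_v2": 7.2,  "cvss_v3": 7.8},
    {"id": "SAMPLE-2020-2", "published": "2020-12-01", "cvss_v2": 5.0,  "cvss_v3": None},
]


def severity_v2(score):
    """CVSS v2 qualitative bands as published by NVD: low 0.0-3.9,
    medium 4.0-6.9, high 7.0-10.0. Unscored entries are kept separate
    rather than silently dropped or counted as low."""
    if score is None:
        return "unscored"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    return "high"


def severity_v3(score):
    """CVSS v3.x qualitative bands: none 0.0, low 0.1-3.9, medium 4.0-6.9,
    high 7.0-8.9, critical 9.0-10.0."""
    if score is None:
        return "unscored"
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


def tally_by_year(records, scheme="v2"):
    """Return {year: Counter(band -> count)} for the chosen scoring scheme.
    Assumption: a record belongs to the year of its 'published' date."""
    band = severity_v2 if scheme == "v2" else severity_v3
    field = "cvss_v2" if scheme == "v2" else "cvss_v3"
    tally = {}
    for rec in records:
        year = rec["published"][:4]
        tally.setdefault(year, Counter())[band(rec.get(field))] += 1
    return tally


def v2_high_that_is_v3_critical(records, year):
    """Of the records a v2 tally calls 'high' in the given year, return
    (count_high_v2, count_of_those_rated_critical_under_v3). Shows why a
    v2-style three-band figure understates the top of the scale."""
    high = [r for r in records
            if r["published"][:4] == year and severity_v2(r.get("cvss_v2")) == "high"]
    crit = [r for r in high if severity_v3(r.get("cvss_v3")) == "critical"]
    return len(high), len(crit)


if __name__ == "__main__":
    for scheme in ("v2", "v3"):
        for year, counts in sorted(tally_by_year(SAMPLE_CVES, scheme).items()):
            print(scheme, year, dict(counts))
    print("2021 v2-high that are v3-critical:", v2_high_that_is_v3_critical(SAMPLE_CVES, "2021"))
```

Running this against a real NVD export would replace `SAMPLE_CVES` with the parsed feed; the point to carry over is that "high" in a three-band tally is the top of the v2 scale, and the v3 "critical" slice inside it is the one most worth triaging first.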
Why does the number of vulnerabilities keep rising? In a blog post published Wednesday, Pravin Madhani, CEO and co-founder of security provider K2 Cyber Security, offered some thoughts.
For this year, the coronavirus pandemic continued to prompt many organizations to aggressively push through on digital transformation and cloud adoption, thereby potentially rushing their applications into production, Madhani said. That means the programming code may not have gone through as many Quality Assurance test cycles. It also means that many developers could have tapped into more third-party, legacy and open source code, another possible risk factor for security flaws. In the end, organizations may have improved their coding but they’ve fallen behind on testing, according to Madhani.
“This definitely jives with what we’ve seen,” said Casey Ellis, founder and CTO at Bugcrowd. “Most simply, technology itself is accelerating, and vulnerabilities are inherent to software development. It’s a probability game, and the more software that is produced, the more vulnerabilities will exist. In terms of the spread, from a discovery standpoint, lower-impact issues tend to be easier to introduce, easier to find and thus reported more frequently.”
One significant trend lies in the way the number of vulnerabilities more than doubled from 2016 to 2017. In 2016, the total was 6,447. In 2017, that number shot up to 14,645 and has risen steadily ever since. Why such a surge from one year to the next?
Before 2017, the internet was mainly a consumer business, according to Tal Morgenstern, co-founder and chief product officer at Vulcan Cyber. But as more B2B companies started to jump online, attackers found a lucrative new target. At the same time, there was an increase in web-related vulnerabilities, such as XSS, SQL injection, DoS and CSRF, as compared with previous years. In 2017, the number of PHP-related vulnerabilities and Google Chrome flaws increased by 270 from the previous year, while Apache vulnerabilities more than doubled.
One bright spot in the latest NIST data is the relatively low number of high-risk vulnerabilities. The 3,657 labeled high risk for 2021 shows a downward trend from 2020 and the previous few years. To explain this dip, Madhani said that the lower number is likely due to better coding practices by developers. In adopting a “Shift left” strategy in which testing is performed earlier in the coding cycle, developers have managed to place a greater emphasis on security.
Still, the overall results remain alarming and point out the challenges that organizations face trying to keep track of all their vulnerable applications and other assets.
“It has become nearly impossible for organizations to create an accurate inventory of all of the IT assets connected to their enterprise,” said Sevco Security co-founder Greg Fitzgerald. “The primary reason for this is that most enterprises have IT asset inventories that do not reflect their entire attack surface, which in modern enterprises extends beyond the network to include cloud, personal devices, remote workers as well as all things on-premise. Until organizations can start working from a comprehensive and accurate IT asset inventory, vulnerabilities will maintain their value to hackers and present real risks to enterprises.”