Security teams were under siege last year, according to research analyzing 2020 NIST data on common vulnerabilities and exposures (CVEs), which found that more security flaws (18,103) were disclosed in 2020 than in any other year to date.
To understand the significance, there were far more “critical” and “high severity” vulnerabilities in 2020 (10,342) than the total number of all vulnerabilities recorded in 2010 (4,639), according to Redscan, which ran the analysis of NIST’s National Vulnerability Database (NVD). And nearly 4,000 vulnerabilities disclosed in 2020 can be described as “worst of the worst,” meeting the worst criteria in all NVD filter categories.
“The trend lines are clear,” said Yaniv Bar-Dayan, co-founder and CEO of Vulcan Cyber. “Vulnerability management is the biggest game of whack-a-mole facing the IT security profession today. Businesses will lose the game unless they have a strategy to address the crush before it is too late.”
Another trend security pros need to address: low-complexity CVEs are on the rise, representing 63 percent of vulnerabilities disclosed in 2020. Vulnerabilities that require no user interaction to exploit are also growing in number, representing 68 percent of all CVEs recorded in 2020.
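The severity, complexity and user-interaction figures above come from filtering NVD records on their CVSS v3.x base metrics. The script below is an added example (not code from the article, Redscan or NIST) of how a team could reproduce that kind of tally over its own export of NVD data: it parses each record's CVSS v3.0/3.1 vector string, applies the standard CVSS qualitative severity scale to the base score, and counts low-complexity (AC:L) and no-user-interaction (UI:N) entries. The eight records are constructed with placeholder IDs, and the `is_worst_case` rule is an assumption, since the article does not say which filter values Redscan treated as “worst of the worst.”

```python
"""Tally NVD-style CVE records by CVSS v3.x base metrics (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class CveRecord:
    """One NVD-style entry: CVE ID, CVSS v3.x base score and vector string."""
    cve_id: str
    base_score: float
    vector: str


# The eight base metrics every CVSS v3.x vector must carry.
REQUIRED_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


def parse_vector(vector: str) -> Dict[str, str]:
    """Split a CVSS v3.0/3.1 vector string into a metric -> value mapping."""
    prefix, _, body = vector.partition("/")
    if prefix not in ("CVSS:3.0", "CVSS:3.1"):
        raise ValueError(f"unsupported CVSS vector: {vector!r}")
    metrics: Dict[str, str] = {}
    for part in body.split("/"):
        key, sep, value = part.partition(":")
        if not sep or not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    missing = [m for m in REQUIRED_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"vector {vector!r} lacks base metrics {missing}")
    return metrics


def severity(base_score: float) -> str:
    """CVSS v3.x qualitative rating: None 0.0, Low 0.1-3.9, Medium 4.0-6.9,
    High 7.0-8.9, Critical 9.0-10.0."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"base score out of range: {base_score}")
    if base_score == 0.0:
        return "None"
    if base_score < 4.0:
        return "Low"
    if base_score < 7.0:
        return "Medium"
    if base_score < 9.0:
        return "High"
    return "Critical"


def is_worst_case(metrics: Dict[str, str]) -> bool:
    """Assumption (not the article's definition): a record is 'worst case' when
    every base metric takes its most severe value."""
    return (metrics["AV"] == "N" and metrics["AC"] == "L" and metrics["PR"] == "N"
            and metrics["UI"] == "N" and metrics["S"] == "C"
            and all(metrics[m] == "H" for m in ("C", "I", "A")))


def summarize(records: List[CveRecord]) -> Dict[str, object]:
    """Count records by severity, attack complexity and user interaction."""
    by_severity: Counter = Counter()
    low_complexity = no_user_interaction = worst_case = 0
    for rec in records:
        m = parse_vector(rec.vector)
        by_severity[severity(rec.base_score)] += 1
        low_complexity += int(m["AC"] == "L")
        no_user_interaction += int(m["UI"] == "N")
        worst_case += int(is_worst_case(m))
    total = len(records)

    def pct(n: int) -> float:
        return round(100.0 * n / total, 1) if total else 0.0

    return {
        "total": total,
        "by_severity": dict(by_severity),
        "critical_or_high": by_severity["Critical"] + by_severity["High"],
        "low_complexity": low_complexity,
        "low_complexity_pct": pct(low_complexity),
        "no_user_interaction": no_user_interaction,
        "no_user_interaction_pct": pct(no_user_interaction),
        "worst_case": worst_case,
    }


# Constructed sample records with placeholder IDs; scores match their vectors.
SAMPLE_RECORDS = [
    CveRecord("CVE-0000-0001", 9.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    CveRecord("CVE-0000-0002", 8.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"),
    CveRecord("CVE-0000-0003", 8.1, "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    CveRecord("CVE-0000-0004", 5.3, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"),
    CveRecord("CVE-0000-0005", 3.3, "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"),
    CveRecord("CVE-0000-0006", 10.0, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"),
    CveRecord("CVE-0000-0007", 6.1, "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"),
    CveRecord("CVE-0000-0008", 7.0, "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"),
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

The percentages for a real NVD export are what this article's 63 percent (AC:L) and 68 percent (UI:N) figures describe; running the same tally on only the vendors and products in your own inventory shows whether your exposure follows the same trend.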
Shawn Wallace, vice president of Energy at IronNet, agreed that the high number of low-complexity vulnerabilities has become an increasing concern for security teams. He said once such flaws get into the wild, they can easily be exploited by unsophisticated attackers, resulting in massive attacks.
“No security team can keep up with an average of 50 new vulnerabilities posted each day and you won't be able to cover all the ones that are already out there,” Wallace said. “You have to move to a behavioral-based detection platform so you can see the actions of the adversary and are not solely dependent on CVEs, patching or indicators of compromise for your defense.”
Companies must also increase scrutiny of the practices employed by software vendors, added Charles Herring, co-founder and CTO of WitFoo. Companies must evaluate how their vendors test custom code and also how they use third-party libraries in their products. Until vendors properly prioritize sustainable, secure DevOps, companies must maintain a rigorous cycle of vulnerability detection and mitigation, he said.
“Until we see purchasing organizations hold software vendors accountable for how they source and test source code, the discouraging trends outlined in the NIST NVD report will continue,” Herring contended. “Vendors must take responsibility for all code they bring into their product and establish sustainable hygiene on testing function as well as detecting vulnerabilities early. Until that happens, organizations must own responsibility for the software they use and perform their own vulnerability and penetration testing to uncover the vulnerabilities delivered by their vendors.”