Vulnerability Disclosures in 2018 So Far Outpacing Previous Years'
Nearly 17% of 10,644 vulnerabilities disclosed so far this year have been critical, according to new report from Risk Based Security.
There appears to be little relief in sight for organizations hoping for some respite from patching. A new report from Risk Based Security released today reveals that the number of vulnerabilities discovered in software products shows no signs of abating.
Between January 1 and June 30 of this year, a total of 10,644 vulnerabilities were published compared to 9,690 in the same period in 2017. The trend so far this year suggests that the total number of disclosed vulnerabilities in 2018 will comfortably exceed the 20,832 vulnerabilities that Risk Based Security published during 2017 — which itself represented a 31% increase over 2016.
About 17% of the reported flaws this year were deemed critical and had a severity rating of between 9.0 and 10.0 on the CVSS rating scale. That number is smaller than the 21.1% of flaws overall that garnered the same rating in Risk Based Security's report for the first half of 2017.
Somewhat expectedly a plurality of 2018 vulnerabilities – 46.3% - were Web-related flaws, and half of all reported vulns were remotely exploitable. Nearly one-third of the vulnerabilities so far this year in Risk Based Security's database have public exploits, but 73 have a documented solution.
A majority of the vulnerabilities are based on processing user or attacker-supplied input, and the software not properly-sanitizing that input, says Brian Martin, vice president of vulnerability intelligence for Risk Based Security. "We classify them as input manipulation issues that impact the integrity of the software," he notes.
Not All in the CVE & NVD
Significantly, Risk Based Security's vulnerability database contained more than 3,275 vulnerabilities that were not published in MITRE's CVE and the National Vulnerability Database (NVD) in the first half of 2018. Of these, more than 23% had a CVSS score between 9.0 and 10.0.
In other words, organizations relying purely on the CVS/NVD vulnerability data would likely not have been aware of more than 750 other critical vulnerabilities that were published elsewhere.
"The biggest takeaway is that the number of vulnerabilities being disclosed continues to rise, and will continue to do so for the foreseeable future," Martin says.
More importantly, the data shows that organizations cannot rely solely on the CVE database for their vulnerability data, he says.
His firm uses over 2,000 sources for its vulnerability data including mail lists such as Bugtraq and Full Disclosure, exploit websites such as ExploitDB and Packetstorm, and vendor resources such as customer forums. Other sources include formal advisories and knowledge base articles, and developer resources such as changelog, bug-tracking systems, and code commits, Martin says.
Risk Based Systems typically aggregates and processes newly disclosed vulnerabilities in less than 24 hours, depending on the disclosure and if additional analysis is needed. For some security vulnerabilities, the vendor discloses at roughly the same time as CVE and for others, it is weeks and even months, ahead of them, he notes.
Not So Fast
While Risk Based Security's statistics might suggest that software is becoming increasingly buggy, the reality appears a little more nuanced. According to Martin, there are likely many reasons why more flaws are being discovered in software products these days despite the heightened awareness and attention being paid to application security.
Among them is the fact that there are a lot more security researchers looking for and reporting security vulnerabilities these days compared to a few years ago. Tools for finding security vulnerabilities have improved as well and have become faster and more reliable than before, too.
And organizations that monitor and aggregate vulnerabilities are also improving their processes and software vendors themselves have become better at disclosing vulnerabilities reported to them, Martin notes.
- Healthcare Business Development Manager
- Up to £60,000 Base + UNCAPPED Earnings
Healthcare Business Development Manager We are currently working with a multi-vendor IT solutions provider who are looking for a Business Development Manager who will be responsible for selling into the Healthcare Industry in a new business focussed position. The Healthcare Business Development Manager will have Current/Recent experience working for an IT managed services business/solutions provider. Experience delivering £150,000+ GP a year Current/Recent experience winning new healthcare accounts (all accounts won are kept) Flexible working is provided and also uncapped earnings. Apply for more information or call Peter Georgiou on 02086634030. Unfortunately, our client are unable to provide sponsorship so candidates must be UK based (commutable to London). Ref PG7577
- Cyber Incident Response specialist
- Up to £75,000 Base
Cyber Incident Response specialist is needed to join a global consultancy whose cyber business unit are continuing to their investment in the growth of their team. The Cyber Incident Response specialist role is client-facing that will join an award-winning team that deliver varied, interesting and often challenging work to a wide range of prestigious clients. The Cyber Senior Incident Response MUST have current experience taking a client through the complete IR / triage process and have a blend of both technical and commercial (identifying and developing new business opportunities within a client) Proactive Incident response, forensics and Ediscovery experience is a MUST. An individual must be London commutable and happy to travel, often internationally. Key attributes should also include; stakeholder engagement, mentoring of team members, a collaborative working style. Technical experience must include; demonstrable experience within an cyber incident response, Forensic, cyber etc. Additional certifications could / should include GIAC certified (Intrusion analyst, incident handler, forensic handler) Any of the following are very desirable also CREST Certified Network Intrusion Analyst (CCNIA) CREST Certified Host Intrusion Analyst (CCHIA) CREST Certified Malware Reverse Engineer (CCMRE) CREST Practitioner Intrusion Analyst (CPIA) Career development and the opportunity to influence, apply today for more information or call Chris Holt on 07884666351 or 02086634030 or email firstname.lastname@example.org Unfortunately, our client are unable to provide sponsorship for this opportunity. Candidates must be UK based. Ref: CH7578
- Sales Engineer (Telecoms, Ethernet, SDH, MPLS, IP)
- Up to €75,000 + Commission
Sales Engineer / Presales Consultant is needed for this Global Tier 1 carrier. You will be working with Enterprise customers helping to design solutions that solve your their business needs. You will be responsible for working alongside sales providing presales technical consultancy around my client's solutions base. You will be responsible for providing support for new business opportunities in terms of responding to RFIs & RFPs, understanding customer network requirements, high-level network architecture & design (including supplier selection on a global basis) and technical handover to network implementation teams. This is a great opportunity to join a global player who are growing their France based teams. You will require a successful track record in the telecommunications arena ideally from a global tier 1 ISP or network provider, with a demonstrable track record in designing complex enterprise solutions. A Sales Engineer needs to be technically astute and has had experience in the design, presentation, and implementation of Wide Area Networks (WAN). They need to understand a range of Layer 1, 2, and 3 technologies (Ethernet, SDH, MPLS, IP, etc) and build a solution based on the best technology to meet a customer’s requirements. In addition, they should have an understanding and experience in supplementary telecommunications services such as VoIP, Video Conferencing, Cisco and Riverbed hardware, and Security If you have any questions about this role, give us a call on 0044208 663 4030 or contact/send your CV to email@example.com Ref: RA7275
- Partner Manager (Network and UCC Services)
- Up to €100,000 plus €60,000 OTE, car allowance and benefits
We are looking for an experienced Partner Manager / Channel Manager to work for a global service provider to sell their Global SIP and Network Services to Enterprises and corporates through the partner market. This is a hunter role, and looking for an experienced salesperson who has knowledge of selling to and through the SI, Cisco and Microsoft Resellers. You will be responsible for Own and formulate a Sales and execution plan to get to quarterly targets Generate Leads from the partners Work with the Partner salesperson to help close deals. Acquire new partners and Deliver Quarterly numbers through the partners Work with Partner Marketing to create and run joint Partner plans/events to drive sales You will need to have experience in selling at least one of these services, global SIP, UCC and SD-WAN into and through the channel of, European Sis, Cisco or Microsoft resellers. Hunters who can identify key decision-makers in the targeted accounts Should be credible for partner to trust the person with leads and opportunities Drive to work through leads to closure along with the partner salesperson Ref: RA7277