Report: Software Vulnerabilities Increased 30 Percent in 2017

Storage Architecture, 2018-02-21

The number of software vulnerabilities recorded last year grew by 31 percent compared to 2016 and one-third of them have public exploits, according to a new report.

Vulnerability intelligence firm Risk Based Security, which maintains its own vulnerability database called VulnDB, recorded a total of 20,832 security flaws last year. Around 7,900 of those flaws do not have Common Vulnerabilities and Exposures (CVE) IDs and were not recorded in the U.S. government’s National Vulnerability Database (NVD).


The CVE maintainers have been repeatedly criticized in the past for not assigning CVEs in a timely manner, with delays on the order of months, and for not having a wide enough scope for vulnerability inclusion. Even among the assigned CVE IDs, many still have “reserved” status and carry no actual details about the flaws they cover, despite such information having been released publicly elsewhere.

This discrepancy in coverage between vulnerability databases means that security scanners and other products that rely solely on CVE for vulnerability identification and information are likely to miss a large number of security issues on corporate networks.

“By the numbers, despite CVE/NVD making efforts to address coverage issues after industry and Congressional pressure, 2017 shows that they are actually falling further behind,” Risk Based Security said in its report. “Along with the drop in quality of CVE entries, this firmly demonstrates that CVE/NVD is no longer ‘good enough’ for your organization’s vulnerability management.”

The situation is only getting worse as the vulnerabilities missed by CVE pile up year after year. RBS’ VulnDB now contains more than 57,000 publicly disclosed vulnerabilities that are not present in CVE and NVD, and many of these missing flaws are not in obscure products, either.

“They span from companies such as Google, maker of the Chrome browser, Chrome OS, and several third-party libraries that are integrated into significant projects, to mid-range companies providing software to organizations of all sizes such as Trend Micro, SAP, and Zoho,” Risk Based Security said.

Returning to the 20,832 vulnerabilities recorded last year, around 40 percent of them were rated High or Critical in severity, that is, between 7.0 and 10.0 on the Common Vulnerability Scoring System (CVSS). More than 17 percent were rated Critical.

The top 10 vendors with vulnerabilities rated between 9.0 and 10.0 are Google, SUSE, Canonical, Red Hat, SGP Technologies, Adobe Systems, Mozilla, Samsung, Oracle and Xerox. Over half of all vulnerabilities reported in 2017 were in products from major vendors.

The disclosure of 1 in 5 vulnerabilities (18.6 percent) was uncoordinated, meaning they were made public without notifying the vendor in advance. In addition, 39.5 percent of all vulnerabilities had public exploits or a sufficient level of detail available to allow the creation of functioning exploits.

Almost a quarter of all reported flaws have no patch or other known solution available. This suggests that while patching is important, it must be combined with other layers of protection.

The most common root cause of vulnerabilities in 2017 was insufficient or improper validation of input. This is the root cause of entire classes of vulnerabilities such as buffer overflows, cross-site scripting, SQL injection and command injection, and it accounted for two-thirds of the flaws reported in 2017.


“Having a mature SDL [software development lifecycle] that includes secure coding practices can iron out a lot of such issues and significantly reduce the threat from attackers,” the RBS researchers said.

More than half of all vulnerabilities were found in web applications, with XSS accounting for 36 percent of these and SQL injection accounting for 19 percent. This is not necessarily surprising, given that the advances in web standards and browsers’ capabilities have led to more and more software programs being engineered as web applications.
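The injection classes the two paragraphs above attribute to missing input validation (SQL injection, cross-site scripting and command injection), as an added example that is not code from Risk Based Security or from the article: each is shown as the vulnerable construction beside its hardened form, using only the Python standard library. The sample users table, the payloads, the hostname allow-list regex and the use of `echo` in place of a network tool such as ping are this example's own assumptions.

```python
"""Added example, not code from the RBS report or the article quoting it:
the injection classes the text attributes to missing input validation,
each as a vulnerable construction beside a hardened one. Sample data is
constructed inline so the file runs offline (POSIX shell assumed for
the command-injection part)."""
import html
import re
import sqlite3
import subprocess


# ---- SQL injection -----------------------------------------------------
def make_db():
    """Constructed sample table: two users, one of them privileged."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user")])
    return con


def lookup_vulnerable(con, name):
    """Untrusted text is spliced into the SQL; a quote in `name` rewrites
    the WHERE clause instead of being compared as data."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return con.execute(sql).fetchall()


def lookup_hardened(con, name):
    """Bound parameter: the driver sends `name` as a value, so it can
    never become SQL syntax, whatever characters it contains."""
    return con.execute("SELECT name, role FROM users WHERE name = ?",
                       (name,)).fetchall()


# ---- Cross-site scripting ----------------------------------------------
def render_vulnerable(comment):
    """Reflects user text into HTML unchanged: a <script> tag in the
    comment runs in every viewer's browser."""
    return f"<p>{comment}</p>"


def render_hardened(comment):
    """Output encoding for the HTML text context: '<', '>', '&' and
    quotes become entities, so the browser displays them as text."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


# ---- OS command injection ----------------------------------------------
# Hostname allow-list (RFC 1123 style labels); anything else is rejected
# before it reaches a process. The regex is this example's own choice.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def run_vulnerable(host):
    """shell=True hands the whole string to /bin/sh, so ';', '|' or '$()'
    in `host` start extra commands. `echo` stands in for a real tool
    such as ping so the demo needs no network."""
    out = subprocess.run(f"echo {host}", shell=True,
                         capture_output=True, text=True)
    return out.stdout.splitlines()


def run_hardened(host):
    """Validate against the allow-list, then pass an argv list: no shell
    is involved, so metacharacters are just bytes inside one argument."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    out = subprocess.run(["echo", host], capture_output=True, text=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    con = make_db()
    payload = "x' OR '1'='1"
    print("SQLi vulnerable:", lookup_vulnerable(con, payload))  # both rows
    print("SQLi hardened:  ", lookup_hardened(con, payload))    # []
    xss = "<script>alert(1)</script>"
    print("XSS vulnerable: ", render_vulnerable(xss))
    print("XSS hardened:   ", render_hardened(xss))
    cmd = "localhost; echo INJECTED"
    print("cmd vulnerable: ", run_vulnerable(cmd))               # two lines
    try:
        run_hardened(cmd)
    except ValueError as err:
        print("cmd hardened:   ", err)
```

The hardened variants share one design choice: untrusted input never changes the structure of the query, the markup or the command line, because it is passed as data (a bound parameter, an escaped text node, one argv element) rather than concatenated into code. The allow-list check is the "validation" half of the fix; the parameterisation and encoding are the half that still protects you when validation is incomplete.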

Source: Security Bloggers Network.

