“If a security program bases vulnerability prioritization solely on CVSS scores, it could waste resources patching a vulnerable asset protected by layers upon layers of defense-in-depth security controls”
A string of high-profile security vulnerabilities in July across widely used software from F5 Networks, Microsoft, Oracle, and SAP cast a fresh light on the challenges CISOs face in keeping enterprises defended.
Now a new report from California-based Skybox Security — a specialist in attack surface visibility — drives home the scale of the challenge, with the finding that there were 9,799 unique vulnerability reports in the first half of 2020 alone, setting the world on track to see a record 20,000 vulnerabilities in 2020.
The first-half volume of software security vulnerability reports is a 34% increase on last year’s 7,318. It is, arguably, good news, reflecting the increased effort being put into vulnerability research by vendors and third parties. (Android, OpenShift, and Windows are among those to have seen the greatest rise in reported vulns.)
New on the List…
Of the five new products on the list above, three are business apps (IBM API Connect, Red Hat OpenShift, Oracle E-Business Suite). The other two — Edge Chromium and iPadOS — are commonly deployed in workstation, domestic and commercial environments, emerging from “non-existence” to become what Skybox describes as “patch-hungry weak points” that demand admin attention.
Critical-severity vulnerabilities make up 15 percent of all new reports, Skybox notes.
And while the blockbuster bugs — like the string of those in July scoring a maximum 10.0 on the CVSS framework (a way of assessing the characteristics and severity of software vulnerabilities) — get much of the attention, including for remediation, a generic approach to prioritisation can be risky, the security firm notes.
“Although organizations are naturally inclined to prioritize the remediation of critical- and high-severity vulnerabilities… this generic approach to prioritization could allow attackers to take advantage of any exposed medium vulnerabilities.”
“Criminals know that medium-severity flaws can sit unpatched within an organization’s systems for a long period; depending on where these flaws exist, they could give an attacker access to a critical asset or enable lateral movement.”
Security programmes need to have established processes to “contextualize vulnerabilities based on exposure, exploitability and other factors to keep remediation focused on critical risks”, Skybox emphasises: “If a security program bases vulnerability prioritization solely on CVSS scores, it could waste resources patching a vulnerable asset protected by layers upon layers of defense-in-depth security controls.”