“We would presume financial services would address flaws and potential doorways to data breaches promptly as it’s a highly regulated industry.”
Seven out of every ten open vulnerabilities observed by customers belong to just three vendors: Oracle, Microsoft and Adobe.
These are the findings of cyber security enterprise Kenna Security in their new report Prioritization to Prediction, which explores how enterprises are dealing with open vulnerabilities.
In their report Kenna found that Oracle accounts for 34 percent of the open vulnerabilities that customers have observed, while Microsoft and Adobe both stand at 17 percent. Kenna is quick to point out that the fact these companies are in the top three is not surprising given their extensive foothold within the market.
They also found that 40 percent of vulnerabilities discovered in enterprise networks are still, as of today, not patched, while over 75 percent of common vulnerabilities and exposures (CVEs) are left open a year after they have been published. While this can often be explained by the minor nature of some of these flaws, Kenna notes that many CVEs have not been given a risk score.
Kenna Security states that a staggering 544 million exploitable vulnerabilities have been discovered, but this only equates to 5 percent of enterprises' vulnerabilities.
Ed Bellis, CTO at Kenna Security, commented in an emailed statement: “We’ve found that remediating the riskiest vulnerabilities is within reach for many organizations. Despite recent high-profile data breaches, our findings show that enterprises can and should delay efforts to remediate a majority of vulnerabilities, which often number in the millions.”
“Most vulnerabilities pose little to no danger of being exploited. That means companies can prioritize their resources to tackle the five percent of threats that pose the greatest risk.”
Banking Apps Also at Risk From Open Vulnerabilities
While the research from Kenna Security shows how many vulnerabilities are exploitable, a similar report from application security enterprise Veracode found that 67 percent of applications used by banks are at risk of leaking information.
Veracode in their State Of Software Security report found that over two-thirds of banking applications are at risk of threat actors exploiting them to reveal sensitive data that could be used to further exploit the application or its users.
Paul Farrington, Director of EMEA and APJ at Veracode, commented in an emailed statement: “Since financial institutions and banks hold highly valuable information and critical assets, they will continue to be a target of cybercriminals and malicious hacking,”
“Our data shows the financial services sector scanning a huge volume of applications and finding flaws that need fixing. While that is encouraging, the next frontier is achieving greater speed in fixing those flaws because speed matters. The speed at which organisations fix flaws they discover in their code directly mirrors the level of risk incurred by applications. The sector should consider all dimensions of risk to prioritise which flaws to fix first.”
It has to be noted that both Veracode and Kenna Security worked in collaboration with the Cyentia Institute, a cybersecurity research organisation, to produce both reports.