Cyber Risks and the Origins of the Vulnerability Flood

According to CVE Details, the number of vulnerabilities reported so far in 2022 (11,242) is on track to once again surpass the total reported in all of 2021 (20,168). If nothing dramatic changes, the list looks set to at least match last year’s record of over 20K reported vulnerabilities, if not top it.

In the current ecosphere, managing vulnerabilities has become more challenging owing to scale and diversity:

  • Scale – The sheer scale of enterprise software has grown tremendously. Whereas solutions in use by the average enterprise once numbered in the tens, today smaller enterprise-class vendors with niche solutions are taking the place of all-inclusive packages from large traditional vendors. Both the number of vendors and the number of solutions have grown dramatically.
  • Diversity – Companies are no longer bound to Windows or mega-vendors like IBM or Oracle. They’re adopting alternate operating systems, developing their own code, using open source code packages, third-party apps, and numerous infrastructure paradigms. This diversity is a positive development, but has led to more vulnerabilities being disclosed and greater exposure.

In this post, we drill down into where specifically the deluge of new vulnerabilities is coming from, what triggered the massive growth in reported vulnerabilities, and (most importantly) what we as security professionals should be doing about them.


Where are all these vulnerabilities coming from?

Beyond the sheer growth of the digital realm, the number of reported vulnerabilities has been dramatically influenced by the adoption of agile development and DevOps methodologies. Why? Because today’s mission-critical software is continuously changing. Versions are brought to production in days or even hours as opposed to months. The push for hyper time-to-market translates into less inspection, less testing, and more vulnerabilities.

So There are More Vulnerabilities. So What?

Obviously, more vulnerabilities are a problem, or we wouldn’t be writing (and you wouldn’t be reading) this post.

Josh Zelonis, a Forrester Research analyst specializing in vulnerability management, called handling the sheer number of vulnerabilities “one of the big challenges that we have as security professionals.”

But why are vulnerabilities a particularly acute challenge at this point? Here are three critical reasons, for starters:

1. Cloud rules the market.

When enterprise-class software assets and tools were primarily on-premises or in remote data centers with dedicated communications, things looked different. Exploitable vulnerabilities were tucked safely behind corporate firewalls and could be remediated at a comfortable pace – if they needed to be addressed at all. Today, most organizations are at least partially cloud-based. Many are completely on the cloud. This means that now, exploitable SaaS-based assets are exposed to anyone, anywhere. And, as we’ve seen in recent attacks exploiting a vulnerability in the open source enterprise – hey, we all remember Log4j, right? – attackers are like sharks circling, ready to move in at the first scent of blood, often before the fish even knows it’s bleeding.

2. More software, more vulnerabilities. Which to fix first?

With the growth in the number of vendors and multi-platform solutions in use in the modern enterprise, the number of vulnerabilities has skyrocketed. And it’s not always clear which vulnerabilities will have the most significant impact and are thus the most important to fix. With so many variables, prioritization needs to be based on a correctly weighted fusion of technical severity, exploitability, and business impact.
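As an added illustration of the weighted fusion just described (example code, not from the original post), the small prioritizer below normalises each of the three factors to a 0-1 range, weights them, and ranks constructed sample findings; the weights, the normalisation choices and the sample data are all assumptions.

```python
import math
from dataclasses import dataclass

# Factor weights (assumed for this example; tune to your own risk appetite).
# They must sum to 1 so the final score stays on a 0-100 scale.
WEIGHTS = {"severity": 0.40, "exploitability": 0.35, "impact": 0.25}
assert math.isclose(sum(WEIGHTS.values()), 1.0)


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # placeholder identifier, not a real CVE
    cvss: float             # technical severity: CVSS base score, 0-10
    exploit_prob: float     # exploitability: estimated chance of in-the-wild
                            # exploitation, 0-1 (e.g. from an EPSS-style feed)
    asset_criticality: int  # business impact: asset tier, 1 (low) to 5 (crown jewel)


def priority_score(f: Finding, weights=WEIGHTS) -> float:
    """Fuse the three factors into a single 0-100 priority score."""
    if not (0 <= f.cvss <= 10 and 0 <= f.exploit_prob <= 1
            and 1 <= f.asset_criticality <= 5):
        raise ValueError(f"{f.vuln_id}: factor out of range")
    # Normalise every factor to 0-1 before weighting so no one scale dominates.
    severity = f.cvss / 10.0
    exploitability = f.exploit_prob
    impact = (f.asset_criticality - 1) / 4.0
    fused = (weights["severity"] * severity
             + weights["exploitability"] * exploitability
             + weights["impact"] * impact)
    return round(100 * fused, 1)


def prioritize(findings):
    """Return findings ordered from most to least urgent to fix."""
    return sorted(findings, key=priority_score, reverse=True)


# Constructed sample findings (not real vulnerabilities).
SAMPLE = [
    # critical CVSS, but an isolated dev box with no known exploitation
    Finding("VULN-A", cvss=9.8, exploit_prob=0.02, asset_criticality=1),
    # medium CVSS, actively exploited, on a crown-jewel payment service
    Finding("VULN-B", cvss=6.5, exploit_prob=0.90, asset_criticality=5),
    Finding("VULN-C", cvss=7.5, exploit_prob=0.30, asset_criticality=3),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{f.vuln_id}: {priority_score(f)}")
```

Note how the medium-severity but actively exploited finding on the critical asset outranks the CVSS 9.8 finding on the isolated box; ranking by CVSS alone would invert that order.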

3. Figuring out the right solution for each vulnerability

It’s not just the number of vulnerabilities that has grown in the last few years. Today, there are often a few different ways of remediating the same vulnerability. For example, there can be major and minor version updates, configuration changes, signature updates, etc. It’s simply impractical to manually find and test all the different fixes for each vulnerability in order to determine the best fix for your organization.

The Bottom Line

As the sheer number of vulnerabilities has grown – for the reasons discussed above and more – the scope of their influence has expanded, too. Now, it’s not just CISOs who have to worry about vulnerabilities and patching. With new privacy regulations like GDPR already in place, board members and C-level executives are now responsible for ensuring processes are in place that minimize risk – including vulnerability management. This translates into real personal criminal and civil liability – beyond the potential for damage to brand equity and negative impact on revenues.

What can be done to handle this flood of vulnerabilities? Clearly, a new vulnerability management paradigm is long overdue!

Want to learn more about how to face this vulnerability flood? Let’s get in touch!