Report: 2021 hit a record high of security vulnerabilities


According to a report by Risk Based Security, last year hit a record high of 28,695 vulnerabilities — which is simply too many for any organization to remediate within a year. This is the most important finding by far, since it fully displays the amount of risk that organizations and security teams face.

There was a major and sudden drop of 19.8% in disclosed vulnerabilities in Q1 of 2020. Among all the external factors, COVID-19 was the most likely underlying cause, though nothing could be specifically attributed to the pandemic. Since then, while the total vulnerability count has steadily caught up over the past two years, COVID-19 has continued to appear to influence the numbers. Now that we have a full picture of 2021, it looks as if the vulnerability landscape has truly returned to normal. And while the normalization of the space may seem comforting, for struggling organizations, it is not. Vulnerabilities have increased by a noticeable margin, and 2021 can now be credited with the most disclosures on record.

Now that the vulnerability disclosure landscape has shaken off the COVID-19 pandemic, Risk Based Security (RBS) analysts predict that the number of vulnerabilities will continue to rise year-by-year.

There were 7,912 vulnerabilities across the top 10 products, making up 28% of all issues in 2021, with the report also stating that vulnerabilities are being disclosed too quickly for security teams to keep up with. According to RBS, routine “Patch Tuesday” events are responsible for creating the strained workloads that security teams currently face, with some of these events disclosing up to 300 vulnerabilities on a single day.

However, a surprising takeaway is that even CVE/NVD is struggling to match the volatility of the vulnerability landscape. Despite being viewed as the industry standard, CVE/NVD failed to report and detail 9,530 vulnerabilities last year, specifically having trouble identifying remote code execution entries.

Read the full report by Risk Based Security.

Originally appeared on: TheSpuzz