Expect a Record 20,000 Vulnerability Reports in 2020, Warns Skybox

"If a security program bases vulnerability prioritization solely on CVSS scores, it could waste resources patching a vulnerable asset protected by layers upon layers of defense-in-depth security controls"

By CBR Staff Writer

A string of high-profile security vulnerabilities in July across widely used software from F5 Networks, Microsoft, Oracle, and SAP cast a fresh light on the challenges CISOs face in keeping enterprises defended.

Now a new report from California-based Skybox Security — a specialist in attack surface visibility — drives home the scale of the challenge, with the finding that there were 9,799 unique vulnerability reports in the first half of 2020 alone, putting the world on track to see a record 20,000 vulnerabilities in 2020.

The first-half volume of software security vulnerability reports is a 34% increase on last year's 7,318. It is, arguably, good news, reflecting the increased effort being put into vulnerability research by vendors and third parties. (Android, OpenShift, and Windows are among the products that saw the greatest rise in reported vulnerabilities.)

New vulnerabilities for 2020’s most vulnerable products by bugs reported. Credit: Skybox Security

New on the List…

Of the five new products on the list above, three are business apps (IBM API Connect, Red Hat OpenShift, Oracle E-Business Suite). The other two — Edge Chromium and iPad OS — are commonly deployed in workstation, domestic and commercial environments, emerging from "non-existence" to become what Skybox describes as "patch-hungry weak points" that demand admin attention.

Critical-severity vulnerabilities make up 15 percent of all new reports, Skybox notes.

And while the blockbuster bugs — like the string of those in July scoring a maximum 10.0 on the CVSS framework (a way of assessing the characteristics and severity of software vulnerabilities) — get much of the attention, including for remediation, a generic approach to prioritisation can be risky, the security firm notes.

"Although organizations are naturally inclined to prioritize the remediation of critical- and high-severity vulnerabilities… this generic approach to prioritization could allow attackers to take advantage of any exposed medium vulnerabilities."


"Criminals know that medium-severity flaws can sit unpatched within an organization's systems for a long period; depending on where these flaws exist, they could give an attacker access to a critical asset or enable lateral movement."

Security programmes need to have established processes to "contextualize vulnerabilities based on exposure, exploitability and other factors to keep remediation focused on critical risks", Skybox emphasises: "If a security program bases vulnerability prioritization solely on CVSS scores, it could waste resources patching a vulnerable asset protected by layers upon layers of defense-in-depth security controls."
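As an added illustration of the contextualised prioritisation Skybox describes (this is example code written for this page, not Skybox's scoring model), the function below weights a CVSS base score by exposure, public exploit availability, the number of compensating controls in front of the asset and the asset's business criticality. The weights, the asset names and the CVE-style identifiers are all constructed placeholders.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    cve: str                     # placeholder identifier, not a real CVE
    cvss: float                  # CVSS base score, 0.0 to 10.0
    internet_exposed: bool       # reachable from untrusted networks?
    exploit_public: bool         # working exploit publicly available?
    compensating_controls: int   # in-path controls: WAF, segmentation, EDR, ...
    asset_criticality: int       # 1 = low, 2 = medium, 3 = crown jewel


def risk_score(f: Finding) -> float:
    """Contextualised risk: CVSS is only one factor (assumed weights)."""
    exposure = 1.0 if f.internet_exposed else 0.4
    exploitability = 1.0 if f.exploit_public else 0.5
    # each compensating control lowers reachable risk; never below a 0.2 floor
    mitigation = max(0.2, 1.0 - 0.25 * f.compensating_controls)
    return round(f.cvss * exposure * exploitability * mitigation * f.asset_criticality, 2)


def prioritise(findings: list[Finding]) -> list[Finding]:
    """Highest contextual risk first; ties keep input order."""
    return sorted(findings, key=risk_score, reverse=True)


def ranked_assets(findings: list[Finding]) -> list[str]:
    return [f.asset for f in prioritise(findings)]


# Constructed sample inventory: one CVSS 10.0 flaw buried behind three
# controls, one medium-severity flaw sitting exposed with a public exploit.
SAMPLE = [
    Finding("erp-app", "CVE-XXXX-0001", 10.0, False, False, 3, 3),
    Finding("vpn-gateway", "CVE-XXXX-0002", 6.5, True, True, 0, 3),
    Finding("intranet-wiki", "CVE-XXXX-0003", 7.5, False, True, 1, 1),
    Finding("build-server", "CVE-XXXX-0004", 9.8, False, True, 1, 2),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"{risk_score(f):6.2f}  CVSS {f.cvss:4.1f}  {f.asset}")
```

Sorted purely by CVSS the ERP flaw would be patched first; the contextual score instead puts the exposed, exploitable medium-severity VPN flaw at the top and the heavily defended 10.0 last.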
