View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

Expect a Record 20,000 Vulnerability Reports in 2020, Warns Skybox

"If a security program bases vulnerability prioritization solely on CVSS scores, it could waste resources patching a vulnerable asset protected by layers upon layers of defense–in–depth security controls"

By CBR Staff Writer

A string of hugely high profile security vulnerabilities in July across widely used software from F5 Networks, Microsoft, Oracle, and SAP cast a fresh light on the challenges CISOs face in keeping enterprises defended.

Now a new report from California-based Skybox Security — a specialist in attack surface visibility — drives home the scale of the challenge, with the finding that there have been 9,799 unique vulnerability reports in the first half of 2020 alone; setting the world on track to see a record 20,000 vulnerabilities in 2020.

The first half volume of software security vulnerability reports is a 34% increase on last year’s 7,318. It is, arguably, good news, reflecting the increased effort being put into vulnerability research by vendors and third parties. (Android, OpenShift, and Windows are among those to have seen the greatest rise in reported vulns).

New vulnerabilities for 2020’s most vulnerable products by bugs reported. Credit: Skybox Security

New on the List…

Of the five new products on the list above of, three are business apps (IBM API Connect, Red Hat OpenShift, Oracle E–Business Suite). The other two — Edge Chromium and iPad OS — are commonly deployed in workstation, domestic and commercial environments, emerging from “non-existence” to become what Skybox describes as “patch-hungry weak points” that demand admin attention.

Critical–severity vulnerabilities make up 15 percent of all new reports, Skybox notes.

And while the blockbuster bugs — like the string of those in July scoring a maximum 10.0 on the CVSS framework (a way of assessing the characteristics and severity of software vulnerabilities)  — get much of the attention, including for remediation, a generic approach to prioritisation can be risky, the security firm notes.

“Although organizations are naturally inclined to prioritize the remediation of critical– and high–severity vulnerabilities… this generic approach to prioritization could allow attackers to take advantage of any exposed medium vulnerabilities.”

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

“Criminals know that medium–severity flaws can sit unpatched within an organization’s systems for a long period; depending on where these flaws exist, they could give an attacker access to a critical asset or enable lateral movement.”

Security programmes need to have established processes to “contextualize ulnerabilities
based on exposure, exploitability and other factors to keep remediation focused on critical risks”, Skybox emphasises: “If a security program bases vulnerability prioritization solely on CVSS scores, it could waste resources patching a vulnerable
asset protected by layers upon layers of defense–in–depth security controls.”

See also: Nearly Half of CISOs Have “Given Up” on Proactive Approach to Security

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.