According to CVE Details, the number of vulnerabilities reported to date in 2018 (6559) already tops the total number of vulnerabilities reported in all of 2016 (6447). If nothing dramatic changes, the list seems on track to at least match last year’s record of over 14,600 reported vulnerabilities, if not to top it.
In the current ecosphere, managing vulnerabilities has become more challenging owing to scale and diversity:
- Scale – The sheer scale of enterprise software has grown tremendously. Whereas solutions in use by the average enterprise once numbered in the tens, today smaller enterprise-class vendors with niche solutions are taking the place of all-inclusive packages from large traditional vendors. Both the number of vendors and the number of solutions have grown dramatically.
- Diversity – Companies are no longer bound to Windows or mega-vendors like IBM or Oracle. They’re adopting alternate operating systems, developing their own code, using open source code packages, third-party apps, and numerous infrastructure paradigms. This diversity is a positive development, but has led to more vulnerabilities being disclosed and greater exposure.
In this post, we drill down into where specifically the deluge of new vulnerabilities is coming from, what triggered the massive growth in reported vulnerabilities, and (most importantly) what we as security professionals should be doing about them.
Where do Vulnerabilities Come From?
Why are we seeing such dramatic growth in new vulnerabilities in recent years?
The story starts with the steep rise in organizational digital dependence – which would seem fairly self-explanatory. We all rely more heavily on digital devices to accomplish daily tasks, and organizations are no exception.
This unfamiliarity with network infrastructure creates an ever-growing burden on IT that directly affects how vulnerabilities can be addressed.
Beyond the sheer growth of the digital realm, the number of reported vulnerabilities has been dramatically influenced by the adoption of agile development and DevOps methodologies. Why? Because today’s mission-critical software is continuously changing. Versions are brought to production in days or even hours as opposed to months. The push for hyper time-to-market translates into less inspection, less testing, and more vulnerabilities.
So There are More Vulnerabilities. So What?
Obviously, more vulnerabilities are a problem, or we wouldn’t be writing (and you wouldn’t be reading) this post. In a recent webcast, Josh Zelonis, a Forrester Research analyst specializing in vulnerability management called handling the sheer number of vulnerabilities, “One of the big challenges that we have as security professionals.”
But why are vulnerabilities a particularly acute challenge at this point? Here are three critical reasons, for starters:
1. Cloud rules the market.
When enterprise-class software assets and tools were primarily on-premises or in remote data centers with dedicated communications, things looked different. Exploitable vulnerabilities were tucked safely behind corporate firewalls and could be remediated at a comfortable pace – if they needed to be addressed at all. Today, most organizations are at least partially cloud-based. Many are completely on the cloud. This means that now, exploitable SaaS-based assets are exposed to anyone, anywhere. And, as we’ve seen in recent attacks exploiting a vulnerability in the open source enterprise CMS utility Drupal – attackers are like sharks circling, ready to move in at the first scent of blood, often before the fish even knows it’s bleeding.
2. More software, more vulnerabilities. Which to fix first?
With the growth in the number of vendors and multi-platform solutions in use in the modern enterprise, the number of vulnerabilities has skyrocketed. And it’s not always clear which vulnerabilities will have the most significant impact and are thus the most important to fix. With so many variables, prioritization needs to be based on the correctly-weighted fusion of technical severity, exploitability, and business impact.
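To make the "correctly-weighted fusion" concrete, here is an added example (not code from the original post or from Vulcan) of a simple prioritization score that combines a CVSS base score, an exploitability tier, and the business impact of the affected asset. The tiers, the weights, the internet-exposure uplift, and the `SAMPLE-*` findings are all assumptions constructed for illustration, not a published standard; the point it shows is that a lower-severity flaw on an exposed, business-critical asset can legitimately outrank a critical-severity flaw on an isolated, low-value one.

```python
"""Weighted vulnerability prioritization: severity x exploitability x business impact.

Added example, not from the original post. Scales, weights and sample
findings are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import List

# Exploitability tiers (assumed 0.0 - 1.0 scale).
EXPLOITABILITY = {
    "none": 0.2,        # no public exploit or proof of concept known
    "poc": 0.6,         # public proof-of-concept code exists
    "weaponized": 1.0,  # actively exploited in the wild
}

# Business impact of the affected asset (assumed 0.0 - 1.0 scale).
BUSINESS_IMPACT = {"low": 0.2, "medium": 0.5, "high": 0.8, "critical": 1.0}

# Relative weight of each factor in the fusion (assumption; must sum to 1.0).
WEIGHTS = {"severity": 0.4, "exploitability": 0.3, "impact": 0.3}
assert abs(sum(WEIGHTS.values()) - 1.0) < 1e-9, "weights must sum to 1.0"

# Uplift applied to business impact when the asset is reachable from the internet.
EXPOSURE_UPLIFT = 0.2


@dataclass(frozen=True)
class Finding:
    vuln_id: str          # placeholder identifier, not a real CVE
    asset: str
    cvss_base: float      # CVSS base score, 0.0 - 10.0
    exploit_status: str   # key of EXPLOITABILITY
    business_impact: str  # key of BUSINESS_IMPACT
    internet_exposed: bool


def priority_score(f: Finding) -> float:
    """Return a 0 - 100 priority score for one finding."""
    severity = f.cvss_base / 10.0
    exploitability = EXPLOITABILITY[f.exploit_status]
    impact = BUSINESS_IMPACT[f.business_impact]
    if f.internet_exposed:
        impact = min(1.0, impact + EXPOSURE_UPLIFT)
    score = (WEIGHTS["severity"] * severity
             + WEIGHTS["exploitability"] * exploitability
             + WEIGHTS["impact"] * impact)
    return round(score * 100, 1)


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Order findings so the one to fix first comes first."""
    return sorted(findings, key=priority_score, reverse=True)


# Constructed sample findings (placeholder ids and asset names).
SAMPLE_FINDINGS = [
    Finding("SAMPLE-0001", "internal-build-server", 9.8, "none", "low", False),
    Finding("SAMPLE-0002", "public-cms", 7.5, "weaponized", "critical", True),
    Finding("SAMPLE-0003", "hr-portal", 6.1, "poc", "high", True),
    Finding("SAMPLE-0004", "dev-laptop", 5.3, "none", "low", False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{priority_score(f):5.1f}  {f.vuln_id}  {f.asset}  (CVSS {f.cvss_base})")
```

Run as a script, the CVSS 9.8 finding on the isolated build server drops to third place behind two lower-severity findings on exposed, high-impact assets. In practice the weights and tiers should be tuned to the organization and fed from real asset inventory and threat-intelligence data rather than hard-coded as here.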
3. Figuring out the right solution for each vulnerability
It’s not just the number of vulnerabilities that has grown in the last few years. Today, there are often several different ways of remediating the same vulnerability. For example, there can be major and minor version updates, configuration changes, signature updates, etc. A recent high-profile example of this is the ‘Drupalgeddon 2’ vulnerability, which can be remediated in at least four different ways. It’s simply impractical to manually find and test all the different fixes for each vulnerability in order to determine the best fix for your organization.
The Bottom Line
As the sheer number of vulnerabilities has grown – for the reasons discussed above and more – the scope of their influence has expanded, too. Now, it’s not just CISOs who have to worry about vulnerabilities and patching. With new privacy regulations like GDPR already in place, board members and C-level executives are now responsible for ensuring processes are in place that minimize risk – including vulnerability management. This translates into real personal criminal and civil liability – beyond the potential for damage to brand equity and negative impact on revenues.
What can be done to handle this flood of vulnerabilities? Clearly, a new vulnerability management paradigm is long overdue – and Vulcan has created one. But first, we’ve just released an eBook about this very subject. Grab your free copy here