With all the progress made in confronting cybersecurity challenges in today’s constantly-connected environment, you’d think vulnerabilities introduced two decades ago would no longer be causing problems.
That assumption is wrong, according to edgescan, a company specializing in Software-as-a-Service and cloud-based delivery of vulnerability management solutions, in its recent “2019 Vulnerability Stats Report”.
Common Vulnerabilities and Exposures (CVE) issues dating back as far as 1999 still exist in live internet-facing systems: nearly 82% of systems have at least one CVE, and nearly 21% of those systems have more than 10, according to the report.
More than 80% of all vulnerabilities in enterprise IT systems are network vulnerabilities and less than 20% are application vulnerabilities, but “the area of exposure is still in the application layer,” according to the report: 19% of application vulnerabilities are rated high or critical risk, compared to just 2% of network vulnerabilities.
“This year we took a deeper look at vulnerability metrics from a known vulnerability (CVE) and visibility standpoint,” wrote Eoin Keary, founder of edgescan. “We still see high rates of known/patchable vulnerabilities which have working exploits in the wild, which possibly demonstrates it is hard to patch production systems effectively on a consistent basis.”
According to edgescan’s research, an average enterprise takes nearly 70 days to patch a critical web application vulnerability, and almost as long to patch a critical vulnerability in the infrastructure layer. In 2018, edgescan found more than 750 exposed databases and 7,625 exposed Remote Desktop (RDP) services.
“Many breaches via hacking attacks and malware are preventable,” the report reads. “Activities such as security integration into the SDLC, DevSecOps, patch management, continuous vulnerability management and continuous asset profiling (i.e. visibility), can help us identify and mitigate such weaknesses before we deploy systems, or at least before they become a real problem.”
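The report's metrics (share of assets with at least one CVE, share with more than ten, days to patch, exposed databases and RDP) are the kind of numbers a continuous asset-profiling program should be able to produce from its own inventory. The script below is an added example, not edgescan's code or data: it runs a few such visibility and patch-SLA checks over a small constructed inventory. The asset records, dates and CVE identifiers (EX-n) are constructed samples, and the port-to-service mapping and SLA thresholds are assumptions chosen for illustration.

```python
"""Vulnerability-management metrics over a constructed asset inventory.

Added example (not edgescan's code). Hosts, dates and EX-n finding ids are
constructed; port lists and SLA thresholds are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumption: ports whose direct internet exposure is worth flagging.
RDP_PORTS = {3389}
DATABASE_PORTS = {1433, 1521, 3306, 5432, 27017, 6379}

# Assumption: patch SLA (days) per severity. The report measured ~70 days
# for critical findings; these are tighter illustrative targets.
PATCH_SLA_DAYS = {"critical": 30, "high": 60, "medium": 90, "low": 180}


@dataclass
class Finding:
    cve_id: str                 # constructed id, not a real CVE number
    cve_year: int               # year the CVE was published
    severity: str               # critical / high / medium / low
    found: date                 # first seen by the scanner
    fixed: Optional[date] = None


@dataclass
class Asset:
    host: str
    layer: str                  # "application" or "network"
    open_ports: set = field(default_factory=set)
    findings: list = field(default_factory=list)

    def open_findings(self) -> list:
        return [f for f in self.findings if f.fixed is None]


def share_with_findings(assets: list, minimum: int = 1) -> float:
    """Fraction of assets with at least `minimum` open CVE findings."""
    if not assets:
        return 0.0
    return sum(1 for a in assets if len(a.open_findings()) >= minimum) / len(assets)


def share_heavy(assets: list, more_than: int = 10) -> float:
    """Among assets that have any open finding, the fraction with more than `more_than`."""
    affected = [a for a in assets if a.open_findings()]
    if not affected:
        return 0.0
    return sum(1 for a in affected if len(a.open_findings()) > more_than) / len(affected)


def exposed_services(assets: list) -> dict:
    """Hosts exposing RDP or a database port directly (the visibility check)."""
    return {
        "rdp": sorted(a.host for a in assets if a.open_ports & RDP_PORTS),
        "database": sorted(a.host for a in assets if a.open_ports & DATABASE_PORTS),
    }


def sla_breaches(assets: list, today: date) -> list:
    """Open findings older than their severity's SLA, oldest first."""
    breaches = []
    for a in assets:
        for f in a.open_findings():
            age = (today - f.found).days
            if age > PATCH_SLA_DAYS.get(f.severity, PATCH_SLA_DAYS["low"]):
                breaches.append((a.host, f.cve_id, f.severity, age))
    return sorted(breaches, key=lambda b: -b[3])


def mean_days_to_fix(assets: list, severity: str) -> Optional[float]:
    """Average found-to-fixed time for closed findings of one severity."""
    spans = [(f.fixed - f.found).days for a in assets for f in a.findings
             if f.severity == severity and f.fixed is not None]
    return sum(spans) / len(spans) if spans else None


def oldest_open_cve_year(assets: list) -> Optional[int]:
    years = [f.cve_year for a in assets for f in a.open_findings()]
    return min(years) if years else None


TODAY = date(2019, 3, 1)  # constructed reference date

# Constructed inventory: one host deliberately carries eleven old findings.
INVENTORY = [
    Asset("web-01", "application", {80, 443}, [
        Finding("EX-1", 2017, "critical", date(2018, 11, 1)),
        Finding("EX-2", 2018, "high", date(2019, 2, 20)),
    ]),
    Asset("db-01", "network", {22, 5432}, [
        Finding("EX-3", 1999, "high", date(2018, 12, 1)),
    ]),
    Asset("jump-01", "network", {3389}, [
        Finding("EX-4", 2012, "critical", date(2018, 10, 1), fixed=date(2018, 12, 10)),
    ]),
    Asset("app-02", "application", {443}, []),
    Asset("legacy-01", "network", {21, 80}, [
        Finding(f"EX-{10 + i}", 2005 + i, "medium", date(2018, 9, 1)) for i in range(11)
    ]),
]


def summary(assets: list, today: date) -> dict:
    return {
        "share_with_cve": share_with_findings(assets),
        "share_more_than_10": share_heavy(assets, 10),
        "exposed": exposed_services(assets),
        "sla_breaches": len(sla_breaches(assets, today)),
        "mean_days_to_fix_critical": mean_days_to_fix(assets, "critical"),
        "oldest_open_cve_year": oldest_open_cve_year(assets),
    }


if __name__ == "__main__":
    print(summary(INVENTORY, TODAY))
```

Run periodically against a real inventory export, the same functions give a trend line for the patch-time and exposure figures the report discusses, and `sla_breaches` is the list a security lead can hand to operations for the next maintenance window.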
To address these still-common CVE problems, edgescan offers a list of potential solutions: making application security a board-level conversation in every organization; result-oriented management sponsorship for application security, to raise every organization’s security posture; rewarding development teams and considering gamification (including metrics and measurement of the security posture of business applications); giving security heads the resources and services required to identify and fix vulnerabilities in software and supporting hosting environments; and working with IT and operations to apply scheduled maintenance windows.