NopSec Report Finds Organizations Use Inadequate Risk Evaluation Scoring System


NopSec Releases 2016 State of Vulnerability Risk Management Report Revealing Outdated Widespread Risk Evaluation Method and Prominent Role of Social Media

2016 State of Vulnerability Risk Management Report

NopSec, a leading provider of cybersecurity precision threat prediction and remediation solutions, today released a new report, “2016 State of Vulnerability Risk Management.” The report reveals key security threats by industry, cross-industry remediation developments, malware-based vulnerabilities, and the rising correlation of social media and security threats. Conducted by the NopSec Labs research team, the report analyzes over a million unique vulnerabilities and more than 76,000 vulnerabilities contained in the National Vulnerability Database over a 20-year period. Get the report now.

“Our goal with the dedicated data science and security research efforts is to provide organizations with a deeper data-driven insight to the current threat landscape, and more importantly, what practical actions companies can take to effectively prioritize and remediate security risks,” noted NopSec’s CEO, Lisa Xu. “Our ultimate mission is to help and empower organizations to make better decisions to reduce their cyber security exposure.”

In the 2016 Report, NopSec partnered with FireEye Labs to evaluate the malware-based risk of vulnerabilities and their potential to be “weaponized” by active malware in the wild.

“Vulnerability management and mitigation can be more effective and prioritized on vulnerabilities used by malicious attackers in the wild where critical assets are exposed,” said Geok Meng Ong, director, FireEye Labs, FireEye.

Top findings include:

The CVSS base score is not enough - Relying solely on the CVSS Base Score makes it impossible to prioritize vulnerability risks, but its subscores combined with other factors such as context, social media trend analysis, and data feeds deliver a better risk evaluation and prioritization.

Social media is now a top platform for cybersecurity - Twitter is becoming one of the top platforms for security researchers and attackers looking to disseminate proof-of-concept exploits. Vulnerabilities associated with active malware are tweeted 9 times more than vulnerabilities with just a public exploit and 18 times more than all other vulnerabilities. NopSec’s Unified VRM is the only vulnerability risk management platform in the industry that incorporates Twitter data into its risk ranking evaluation.

Hacking difficulty won’t stop a hacker - The report indicates that attackers care less about how easy a vulnerability is to exploit, and more about the actual impact and outcome of the exploited vulnerability. 75% of exploited vulnerabilities resulted in high data loss, while only 20% of vulnerabilities without a public exploit experienced complete data loss.

Exploit techniques are more sophisticated than ever - Exploit kits such as Angler and Nuclear are becoming increasingly sophisticated, integrating a wide range of Microsoft, Adobe Flash, and Oracle Java exploits with 98% of the exploits tracked by FireEye coming from those three vendors.

“Relying only on the CVSS score to drive prioritization for applying patches needs to change. Organizations need to align the patching methodology to the infrastructure risk, business risk and change risk,” said Arnold Felberbaum, Strategic Advisor to NopSec, former CISO, and adjunct professor in Information Security at NYU Tandon School of Engineering. “As NopSec points out in their research, CVSS needs to be complemented with industry intelligence, social media and measures already operating. Organizations need to recognize that it is not about ‘if’ a patch needs to be applied but when. Patching consumes resources and automation can reduce the resource drain.”

From the outset, NopSec has focused on pioneering a way to measure vulnerability risk based on threats to the organization’s valuable assets in the event of a potential breach. NopSec’s award-winning Unified VRM SaaS platform utilizes a patented Adaptive Expert Intelligence Engine to detect and prioritize threats, and automate the remediation workflow.

“The security industry has been in need of a reality check on vulnerability data for some time,” said Adrian Sanabria, Analyst for 451 Research. “We’ve been vocal about the dangers of taking CVSS scores at face value and the need to correlate vulnerabilities with real-world threat intelligence and expert experience. NopSec has taken this approach and explores the relationships between CVSS scores, social media activity, threat data courtesy of FireEye, and data from NopSec’s own customer base. The results should make companies think twice before spending considerable time and budget fixing a vulnerability labeled ‘critical’.”

Download the 2016 State of Vulnerability Risk Management Report or Register for the webinar to explore the findings in more detail.


NopSec provides precision threat prediction and remediation workflow solutions to help businesses protect their IT environments from security breaches. The company’s flagship product, Unified VRM, is a SaaS solution that provides intelligent context to vulnerability data, enabling security teams to visually forecast threat risk and dramatically reduce the turnaround time between identification and remediation of critical security vulnerabilities across infrastructure and applications. NopSec has been recognized as one of the 20 Most Promising Enterprise Security Companies by CIO Review, an SC Magazine 2016 Trust Award Finalist, and named to CRN's list of Emerging Security Technology Vendors for four consecutive years. NopSec also offers penetration testing and adversarial simulation services. For more information, please visit

Contact Author

Kelly Hall
+1 (917) 983-3862