NEW YORK (PRWEB) August 08, 2018
NopSec, a world leader in cybersecurity analytics, threat and vulnerability risk management and remediation, today released a new report, "The 2018 State of Vulnerability Risk Management".
This report offers an analysis into current trends in vulnerability risk management. It examines the attributes of security vulnerabilities viewed through a variety of lenses:
- Attributes of vulnerabilities published since 2002 versus those only recently published
- Attributes of all vulnerabilities published in the National Vulnerability Database (NVD) in contrast with only those uploaded into our platform by our clients
- Vulnerabilities broken down by industry vertical, CVSS score, product vendor and active exploitation in the wild
"NopSec continues to explore new data, methods and techniques to better understand and prioritize vulnerability data," notes NopSec's CTO, Michelangelo Sidagni. "Our mission is to empower cyber security and risk professionals to make better decisions to reduce their cyber risk exposure. In this sense, not all vulnerabilities are created equal."
Top findings include:
- We found that approximately 21% of CVEs published have associated exploit code in the Exploit Database alone. However, only 1.6% have associated Metasploit modules. Less than 2% (1.92%) have been linked to malware. Roughly 95% of vulnerabilities ranked as high have never been linked to malware seen in the wild.
- 44% of CVEs associated with malware were scored as medium or low on the CVSS scale, suggesting that focusing solely on CVEs with high scores (7+) would be a mistake.
- NopSec has found that the language used in CVE descriptions offers clues about the fate of vulnerabilities. For example, approximately half of all descriptions of vulnerabilities linked to malware include the words "allows remote".
- Vendors most likely to be associated with malware vary significantly, depending on whether all CVE data is taken into consideration, or just the last 18 months’ worth. For example, OpenSSL is most commonly associated with malware when considering all CVEs, whereas Canonical (Ubuntu) takes the top spot when considering only recently published CVEs.
- Only half of the Top 20 vulnerabilities derived from NopSec client data can be fixed with a patch. The remainder represent configuration issues to be fixed or insecure cryptographic algorithms or protocols to be disabled.
Download the Report now to explore the findings in more detail.
NopSec provides automated IT security control measurement and risk remediation to help businesses protect environments from security breaches. The company's flagship SaaS product, Unified VRM, utilizes passive analysis, active exploitation and contextual enrichment to visually forecast threat risk, and dramatically reduce the time to remediation of critical vulnerabilities across infrastructure and applications. For more information, visit http://www.nopsec.com or follow us on Twitter @nopsec.