Flexera Publishes Vulnerability Review 2018 – Global Trends Report Reveals All-Time High of 20,000 Vulnerabilities Last Year
Software Vulnerability Management Report Confirms that Despite Risk Increase, Organizations Remain Unprepared
Itasca, IL - April 3, 2018 Flexera, the company that’s reimagining how software is bought, sold, managed and secured, today released Vulnerability Review 2018 – Global Trends, the annual report from Secunia Research at Flexera. The report provides data on vulnerabilities to help companies understand the vulnerability landscape and devise strategies to secure their organizations. Vulnerabilities are a root cause of security issues – errors in software that can work as entry point for hackers, and be exploited to gain access to IT systems.
A Surge in Vulnerabilities
This year’s report reveals a continuing surge in vulnerability growth. In 2017 documented vulnerabilities increased 14 percent to 19,954, up from 17,147 in 2016. This means that companies are being exposed to an escalating number of security risks, underscoring the need to maintain continuous visibility of their software assets and the vulnerabilities affecting them. Companies also need to ensure critical vulnerabilities are prioritized and addressed before exploitation risk increases.
“There’s no question based on this year’s results, the risks remain high,” said Kasper Lindgaard, Director of Research and Security at Flexera. “As the potential for breaches expands, the pressure is on executives to increase vigilance through better operational processes – instead of reacting to risks that hit media headlines and cause disruption. The Equifax breach and WannaCry attacks taught us that.”
Avoiding Attack is Possible: 86 Percent of Patches Available on Disclosure Day
The Flexera report offers hope for companies seeking to minimize their risk of incidents. Patches were available for 86 percent of the vulnerabilities on the day of disclosure. In addition, zero-days – instances in which a vulnerability is exploited before public disclosure – remain rare. Only 14 of the 19,954 known vulnerabilities in 2017 were zero-days, a 40 percent drop from 2016.
“Organizations need to take advantage of this knowledge to remediate most vulnerabilities before risk of exploitation increases,” advised Lindgaard. “But the process cannot be adhoc. Without a consistently applied patching methodology, organizations will slip, leaving vulnerabilities unpatched for long periods. This gives criminals a large window of opportunity to execute their attacks. We advise a formal, automated software vulnerability management process that leverages intelligence to identify risks, prioritize their importance and resolve threats.”
Key Findings from the 2018 Vulnerability Review
- In 2017, Secunia Research at Flexera detected 19,954 vulnerabilities discovered in 1,865 applications from 259 vendors. This represents an increase of 38 percent over five years, and 14 percent when compared to the previous year.
- 86 percent of vulnerabilities had a patch available within 24 hours of disclosure, compared to 81 percent in the previous year.
- The number of zero-days – vulnerabilities exploited prior to public disclosure – dropped to 14, compared to 23 in the previous year.
- 17 percent of vulnerabilities in 2017 were ranked Highly Critical, and 0.3 percent as Extremely Critical.
- The primary attack vector to trigger an attack was via a remote network at 55 percent.
About the Vulnerability Review 2018
The annual Vulnerability Review from Secunia Research at Flexera analyzes the evolution of software security from a vulnerability perspective. It presents global data on the prevalence of vulnerabilities and the availability of patches, and maps the security threats to IT infrastructures.
Different approaches to counting vulnerabilities are adopted by research houses in the vulnerability management space. Secunia Research at Flexera counts vulnerabilities per product the vulnerability appears in. We apply this method to reflect the level of information customers need, to keep their environments secure, i.e. verified intelligence on all products affected by a given vulnerability.