86% of software vulnerabilities patched on day 1
Software vulnerabilities more than doubled between 2012 and 2017, but vendors are doing a better job of patching the holes in a timely manner, with 86% of vulnerabilities having patches available on the day of disclosure.
These are among the key findings from Flexera’s latest Vulnerability Review. The annual report found that 19,954 vulnerabilities were documented in 2017, up 14% from 2016 and more than double the 9895 vulnerabilities recorded in 2012.
The results were based on Flexera’s monitoring of more than 55,000 applications, appliances and operating systems.
Flexera Director of Research and Security Kasper Lindgaard said the results show that companies are being exposed to an escalating number of security risks.
“There’s no question based on this year’s results, the risks remain high,” he said.
“As the potential for breaches expands, the pressure is on executives to increase vigilance through better operational processes — instead of reacting to risks that hit media headlines and cause disruption. The Equifax breach and WannaCry attacks taught us that.”
But only 14 of these reported vulnerabilities were zero-day — found by attackers and exploited before public disclosure — down from 23 in 2016. In addition, the proportion of vulnerabilities with patches available within 24 hours of public disclosure increased from 81% in 2016 to 86% last year.
“Organisations need to take advantage of this knowledge to remediate most vulnerabilities before risk of exploitation increases. But the process cannot be ad hoc,” Lindgaard said.
“Without a consistently applied patching methodology, organisations will slip, leaving vulnerabilities unpatched for long periods. This gives criminals a large window of opportunity to execute their attacks. We advise a formal, automated software vulnerability management process that leverages intelligence to identify risks, prioritise their importance and resolve threats.”
Darktrace has announced that a major airline will continue to use the company's cybersecurty...
The combined company has taken the name Trellix to reflect its focus on providing a foundation...
CyberRes has launched 'Galaxy', an 'immersive cyberthreat experience' that the...