A new report shows 2016 broke the previous all-time record for the highest number of reported vulnerabilities. The 15,000 vulnerabilities cataloged during 2016 by Risk Based Security eclipsed the total covered by the CVE and National Vulnerability Database (NVD) by more than 6,500.
“Another record-breaking year in the number of vulnerabilities disclosed underlines the importance of relying on a proper vulnerability intelligence solution. For most companies, tracking vulnerabilities affecting their infrastructure has become a daunting task that is either too big to handle on their own or simply not financially viable compared to out-sourcing the tracking”, said Carsten Eiram, Chief Research Officer for Risk Based Security.
“While never designed for such use, we see too many companies still relying on CVE for vulnerability tracking. Many argue that it is at least better than nothing, but it presents too great a risk for organizations, as it lulls them into a false sense of security by mistakenly having them think they’ve got the most important vulnerabilities covered. Organizations need to understand that this is not remotely close to a feasible solution”, added Eiram.
In fact, almost half (6,659) of the published vulnerabilities in 2016 are not found in CVE/NVD. These include vulnerabilities in prevalent products. Over 1,391 of them received CVSS scores between 9.0 and 10.0. While the number of vulnerabilities has gone up, CVE covered 8.2% less in 2016 compared to their high-mark of 9,088 in 2014. Furthermore, 1,945 of the vulnerabilities in 2016 published with CVE identifiers are still missing details in the CVE database and thus missing from NVD.
20.5% of reported vulnerabilities received CVSS scores between 9.0 and 10.0. This means that not only has the number of vulnerabilities been increasing, but the CVSS scores are also trending higher over the last five years. 48.9% of 2016 vulnerabilities can be exploited remotely and 32.8% of 2016 vulnerabilities had an exploit that was public.
The report also revealed that while relationships between researchers and vendors can at times appear strained, they are continuing to attempt to work together. Vulnerabilities disclosed in a coordinated fashion with vendors rose to 44.9% in 2016.
“From operating systems and software installed on client and server systems to IoT and SCADA devices, vulnerabilities continue to be a major concern. Using metrics to help determine which vendors and products are putting your organization at risk needs to be a key part of your vendor risk management and procurement process.”, says Eiram.