2021 marks another record year for security vulnerabilities

2 years ago 455

The fig of caller information flaws recorded by NIST has already surpassed the full for 2020, the 5th record-breaking twelvemonth successful a row.

Patching information flaws is simply a challenging and seemingly never-ending chore for IT and information professionals. And that chore gets adjacent much hard each twelvemonth arsenic the fig of caller information vulnerabilities continues to rise. Based connected the latest stats from the National Institute of Standards and Technology Vulnerability Database, the measurement of information flaws has deed a grounds for the 5th consecutive twelvemonth successful a row.

SEE: Patch absorption policy (TechRepublic Premium)

As of Dec. 9, 2021, the fig of vulnerabilities recovered successful accumulation codification for the twelvemonth is 18,400. Breaking down that statistic for 2021 truthful far, NIST recorded 2,966 low-risk vulnerabilities, 11,777 medium-risk ones, and 3,657 of a high-risk nature.

For 2020, the fig of full vulnerabilities was 18,351. Some 2,766 were labeled debased risk, 11,204 ranked arsenic mean risk, and 4,381 categorized arsenic precocious risk. For the past 5 years, each twelvemonth has topped the erstwhile 1 with 17,306 full flaws recorded successful 2019, 16,510 successful 2018, and 14,645 successful 2017.

Why bash the fig of vulnerabilities support rising? In a blog station published Wednesday, Pravin Madhani, CEO and co-founder of information supplier K2 Cyber Security offered immoderate thoughts.

For this year, the coronavirus pandemic continued to punctual galore organizations to aggressively propulsion done connected digital transformation and unreality adoption, thereby perchance rushing their applications into production, Madhani said. That means the programming codification whitethorn not person gone done arsenic galore Quality Assurance trial cycles. It besides means that galore developers could person tapped into much third-party, bequest and open source code, different imaginable hazard origin for information flaws. In the end, organizations whitethorn person improved their coding but they've fallen down connected testing, according to Madhani.

"This decidedly jives with what we've seen," said Casey Ellis, laminitis and CTO astatine Bugcrowd. "Most simply, exertion itself is accelerating, and vulnerabilities are inherent to bundle development. It's a probability game, and the much bundle that is produced, the much vulnerabilities volition exist. In presumption of the spread, from a find standpoint, lower-impact issues thin to beryllium easier to introduce, easier to find and frankincense reported much frequently."

SEE: Password breach: Why popular civilization and passwords don't premix (free PDF) (TechRepublic)

One agleam spot successful the latest NIST information is the comparatively debased fig of high-risk vulnerabilities. The 3,657 labeled precocious hazard for 2021 shows a downward inclination from 2020 and the erstwhile fewer years. To explicate this dip, Madhani said that the little fig is apt owed to amended coding practices by developers. In adopting a "Shift left" strategy successful which investigating is performed earlier successful the coding cycle, developers person managed to spot a greater accent connected security.

Still, the wide results stay alarming and constituent retired the challenges that organizations look trying to support way of each their susceptible applications and different assets.

"It has go astir intolerable for organizations to make an close inventory of each of the IT assets connected to their enterprise," said Sevco Security co-founder Greg Fitzgerald. "The superior crushed for this is that astir enterprises person IT plus inventories that bash not bespeak their full onslaught surface, which successful modern enterprises extends beyond the web to see cloud, idiosyncratic devices, distant workers arsenic good arsenic each things on-premise. Until organizations tin commencement moving from a broad and close IT plus inventory, vulnerabilities volition support their worth to hackers and contiguous existent risks to enterprises."