- 76% of all applications have at least one vulnerability
- 1 in 5 organizations do not test their software for security flaws
- 80% of public exploits are published before CVEs are released
The latest data breach figures show that even as breach incidents grow slightly less plentiful, the impact of each incident continues to mount both in terms of volume of exposed data and cybercrime losses. One estimate shows that cyber losses are up by 50% in the last year and numbers are mounting.
Much of the vulnerability and exploit data indicates that the criminals are growing more strategic with how they take advantage of weaknesses in software and infrastructure—meanwhile, businesses and other entities struggle as ever to tamp down on the flaws in their code and software design.
The following are 10 stats that show where we stand nearing the end of 2020 with regard to the state of cybersecurity vulnerabilities and exploits.
76% of all applications have at least one vulnerability
In spite of all of the effort and money spent on application security today, completely eradicating vulnerabilities from software is a very difficult task. The recent State of Software Security (SOSS) report from Veracode shows that 76% of all applications have at least one vulnerability. The most common types of flaws found within the software analyzed by this study were: information leakage, CRLF injection, cryptographic issues, code quality, and credentials management.
The good news is that most software isn’t afflicted by catastrophic flaws. The study showed that only 24% of software contains one or more high-severity vulnerabilities.
80% of attacks use vulnerabilities reported three or more years ago
The first half of 2020 was busy with cybercriminal activity, and the bulk of attacks is still fueled by old, unpatched vulnerabilities. According to a study of attacks across the first half of 2020, approximately 80% of the observed attacks utilized vulnerabilities reported and registered in 2017 or earlier.
A statistically significant share of those were from even farther back in the timeline: approximately one in five attacks used vulnerabilities that are at least seven years old.
Half of all vulnerabilities remain unfixed six months after discovery
The SOSS report found that when researchers track organizations' progress in mitigating vulnerabilities found through security testing, approximately 73% of flaws are closed or remediated between the first and last scan the organization conducts. Among those closed flaws, the median time to fix is 86 days. Meanwhile, among the remaining 27% of open flaws, half have been open for 216 days and counting.
In order to get a better picture of how long it takes to fix flaws across both open and closed samples, the researchers came up with what they call the vulnerability half-life measurement, which is the length of time it takes for at least half of all flaws to be fixed. Today that stands at six months. Taking it further, they found that one in four flaws remain open after a year and a half.
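As an added illustration (not code from the SOSS report, whose exact method the article does not describe), the following Python computes the three measures above from a constructed set of flaw records: the median time-to-fix over closed flaws, the median age of still-open flaws, and the vulnerability half-life, which here is estimated with a Kaplan-Meier survival curve so that open flaws count as right-censored rather than being ignored. The Flaw records, dates and the as-of date are made up for the example.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

@dataclass
class Flaw:
    found: date
    fixed: Optional[date] = None  # None: still open at the as-of date

# Constructed sample (not report data): five closed flaws and three still open.
AS_OF = date(2020, 12, 1)
SAMPLE = [
    Flaw(date(2020, 1, 1), date(2020, 1, 31)),   # fixed after 30 days
    Flaw(date(2020, 1, 1), date(2020, 3, 1)),    # fixed after 60 days
    Flaw(date(2020, 2, 1), date(2020, 5, 1)),    # fixed after 90 days
    Flaw(date(2020, 3, 1), date(2020, 6, 29)),   # fixed after 120 days
    Flaw(date(2020, 9, 1), date(2020, 9, 11)),   # fixed after 10 days
    Flaw(date(2020, 1, 15)),                     # open, 321 days old at AS_OF
    Flaw(date(2020, 4, 1)),                      # open, 244 days old at AS_OF
    Flaw(date(2020, 10, 1)),                     # open, 61 days old at AS_OF
]

def median_days_to_fix(flaws: list) -> float:
    """Median time-to-fix over closed flaws only (the basis of the 86-day figure)."""
    return median((f.fixed - f.found).days for f in flaws if f.fixed is not None)

def median_open_age(flaws: list, as_of: date) -> float:
    """Median age of flaws still open at as_of (the '216 days and counting' view)."""
    return median((as_of - f.found).days for f in flaws if f.fixed is None)

def vulnerability_half_life(flaws: list, as_of: date) -> Optional[int]:
    """Days until at least half of all flaws (open and closed) are fixed."""
    # Kaplan-Meier: open flaws are right-censored at as_of rather than dropped.
    obs = sorted((((f.fixed or as_of) - f.found).days, f.fixed is not None)
                 for f in flaws)
    surviving, at_risk, i = 1.0, len(obs), 0
    while i < len(obs):
        t = obs[i][0]
        fixed_now = leaving_now = 0
        while i < len(obs) and obs[i][0] == t:
            leaving_now += 1
            fixed_now += obs[i][1]
            i += 1
        if fixed_now:
            surviving *= 1 - fixed_now / at_risk  # share still unfixed after day t
            if surviving <= 0.5:
                return t
        at_risk -= leaving_now
    return None  # fewer than half fixed within the observation window
```

Dropping the open flaws and taking the median of closed ones alone gives 60 days here, while the censoring-aware half-life is 90 days, which is the gap the report's measure is meant to close.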
84% of companies have high risk vulnerabilities on their network perimeter
A study of enterprise networks across finance, manufacturing, IT, retail, government, and advertising organizations showed that 84% of firms had high-risk vulnerabilities existing on their perimeter devices and software. Further, 58% had such vulnerabilities for which there exist publicly available exploits.
The study spanned scans of more than 3,500 hosts on these corporate networks. It shows that one in 10 vulnerabilities found has a publicly available exploit, and about half of them could be mitigated by simply installing the latest software update.
Three of the top 10 vulnerabilities most exploited in US targets by foreign actors are in Microsoft OLE
Earlier this year the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader U.S. Government released results of a study of the top 10 most exploited vulns from 2016 through 2019. The most favored flaws by the bad guys were those found in Microsoft’s Object Linking and Embedding (OLE) technology. OLE allows documents to contain embedded content from other applications such as spreadsheets, and three of the top 10 were found in this technology.
Meanwhile, CISA says that as attack trends have shifted to target remote workers, VPN vulnerabilities are increasingly in the crosshairs. Exploits against VPN flaws are shaping up to be among the most popular in 2020.
Bug bounty discoveries of improper access control (IAC) flaws are up 134% this year
Vulnerabilities in both the code and the design of software involving access restrictions can make it easier for attackers to compromise systems and steal sensitive data. These improper access control (IAC) flaws are increasingly on the radar of bug bounty researchers, posting the biggest increase in found flaws in 2020.
The IAC category rose from ninth place to second place in the top 10 vulns found by these researchers. It trailed only behind cross-site scripting (XSS) flaws.
One in five organizations do not test their software for vulnerabilities
A new Ponemon report on application security trends shows that while 56% of organizations now test for security flaws throughout their application development lifecycles, 20% do not do any testing whatsoever.
For most organizations (63%), application security testing for flaws encompasses a combination of different methodologies. This includes penetration testing, dynamic application security testing (DAST), interactive application security testing (IAST), software composition analysis (SCA), and static application security testing (SAST).
80% of public exploits are published before CVEs are released
The cybercriminal economy works quickly, as attackers seek to strike while the iron is hot. According to recent research, 80% of public exploits are developed and released before a CVE is published for a targeted vulnerability.
Across all public exploits, publication comes on average 23 days before CVE release. Among the exploits published after CVE release, 50% appeared within the first month of that release.
69% of malware today exploits zero-day vulnerabilities
Recent research on attacks in Q2 of 2020 shows that over two-thirds of malware detections involved some form of zero-day exploit. Zero-day malware attack attempts hit organizations more than 10 million times in just that quarter, representing a 12% increase over the previous quarter.
The same study showed that overall malware attack attempts are slightly decreasing, indicating that criminals are growing more focused on their vulnerability targets.
Microsoft had 150% more vulnerabilities disclosed in Q2 2020 than all of 2019
There’s been a massive wave of newly disclosed Microsoft vulnerabilities in 2020. At the midway point of the year, Risk Based Security reported that the number of vulnerability disclosures for Microsoft in Q2 alone was 150% higher than for all of 2019. The most flaws were found in Windows 10, followed by various flavors of Windows Server.
That trend has continued: in the four Patch Tuesdays following the mid-year point, Microsoft released an average of 115 new disclosures each time.