Articles about Vulnerability management

A new report from Zafran Security shows that enterprise risk management is shifting from volume to value, and from patching everything to fixing what matters most.

The study, carried out by Foundry MarketPulse, reveals that only one in 50,000 vulnerabilities actually pose a critical risk -- and the ones getting exploited the most are often old, quiet, and ignored.

Continue reading →

Nearly every organization today builds a lot of software, and the majority of that software is developed by cobbling together open source components. When using open source and trying a software composition analysis (SCA) scanner for the first time, it is not uncommon for those organizations to be surprised at what they learn about their open source usage. Many times it quickly comes to light that they have a large load of new and unplanned work to address in the form of security issues in dependencies. They need to fix these issues not just for the organization itself but also to stay compliant with certifications such as PCI or SOC2.

That’s when these organizations begin to experience the five stages of vulnerability management.

Continue reading →

A new report from crowdsourced security company Intigriti highlights the need for strong cybersecurity practices and service-level agreements (SLAs) for vulnerability management.

Globally, 75 percent of businesses fail to respond to critical vulnerabilities within 24 hours, consequences of which could include customer dissatisfaction, loss of business, and reputational damage.

Continue reading →

Adversaries are exploiting new vulnerabilities much faster than organizations are remediating them. As a result, prioritizing the wrong vulnerabilities will squander security teams' most critical resource -- time.

So, how can organizations prioritize the right threats? We spoke with Anthony Bettini, founder and CEO of VulnCheck, to find out.

Continue reading →

New research from SynSaber, along with the ICS Advisory Project, into industrial control operational technology system vulnerabilities finds that 34 percent of the CVEs reported in the first half of 2023 currently have no patch or remediation available from the vendor.

This compares to the 35 percent that had no fixes in the second half of 2022 but is a significant increase from the 13 percent in the first half of last year.

Continue reading →

A new report uncovers a worrying 25 percent increase in the total number of new vulnerabilities published in 2022.

The latest Vulnerability and Threat Trends Report from the Skybox Security Research Lab shows 25,096 new vulnerabilities published last year, representing the largest year-on-year rise seen since 2017.

Continue reading →

A new study, based on the results of more than 1,700 audits of commercial and proprietary codebases involved in merger and acquisition transactions, finds 84 percent contain at least one known open source vulnerability, an increase of almost four percent from last year.

The Open Source Security and Risk Analysis (OSSRA) report, produced by the Synopsys Cybersecurity Research Center (CyRC), shows growing use of open source. In the education technology sector it's grown by 163 percent, with educational courses and instructor/student interactions increasingly pushed online.

Continue reading →

More and more connected systems are being used to deliver the essentials of our everyday lives. From the water and power that comes into our homes to the medical treatment we receive, the 'Extended Internet of Things' (XIoT) is involved.

A new report on the state of XIoT security from Claroty's Team82 researchers shows vulnerabilities in these cyber-physical systems disclosed in the second half of 2022 declined by 14 percent since hitting a peak in 2021. At the same time vulnerabilities found by internal research and product security teams have increased by 80 percent over the same period, indicating that vendors are taking the risk seriously.

Continue reading →

The latest report from JFrog looks at the most prevalent vulnerabilities in 2022 with an in-depth analysis of open source security vulnerabilities that have most impact for DevOps and DevSecOps teams.

The report shows that the severity of six of the top 10 CVEs was overrated, meaning they scored higher in the NVD rating than in JFrog's own analysis. In addition the CVEs appearing within enterprises most frequently are low-severity issues that were simply never fixed.

Continue reading →

Due to the nature of modern software design and the sharing of open source images, security teams face a large number of container vulnerabilities according to a new report.

The study from Sysdig, based on real-world data sets covering billions of containers, thousands of cloud accounts, and hundreds of thousands of applications, finds 87 percent of container images have high or critical vulnerabilities.

Continue reading →

New research, from ICS/OT cybersecurity firm SynSaber, has analyzed over 900 CVEs reported in industrial control systems in the second half of 2022 and finds that 35 percent have no patch or remediation available.

Only 56 percent of the CVEs have been reported by the original equipment manufacturer (OEM), while 43 percent have been submitted by security vendors and independent researchers. A firmware update is required to fix 33 percent.

Continue reading →

In this article, I will try to answer several important questions related to identifying, classifying, prioritizing, and eliminating vulnerabilities in a timely manner, as well as how to automate the vulnerability management process.

Let me start the article by defining the classic process of finding and eliminating vulnerabilities.

Continue reading →

Organizations are losing thousands of hours in time and productivity dealing with a massive backlog of vulnerabilities that they have neither the time or resources to tackle effectively, according to a new report.

The State of Vulnerability Management in DevSecOps report from vulnerability management platform Rezilion and the Ponemon Institute, shows 47 percent of security leaders report that they have a backlog of applications that have been identified as vulnerable.

Continue reading →

Despite the fast changing nature of the world of cybersecurity, it seems that when it comes to vulnerabilities there's still a place for the golden oldies.

New research by Rezilion find that more that 4.5 million internet-facing devices are still vulnerable to vulnerabilities discovered between 2010 to 2020. What's more, for most of these vulnerabilities, active scanning/exploitation attempts have taken place in the past 30 days too.

Continue reading →

According to new research only three percent of 'critical' code vulnerabilities are attackable, which means developers should be able to better prioritize efforts and significantly reduce their workload.

The study from automated security testing firm ShiftLeft finds that focusing on the three percent allows teams to greatly speed up and simplify efforts. ShiftLeft saw a 37 percent improvement from last year in mean time to remediate new vulnerabilities with a median scan time of 1 minute 30 seconds.

Continue reading →