Total Published CVEs Hits Record High for Fourth Year
The past 12 months have seen a record number of CVEs published by the US authorities, the fourth year in a row volumes have risen.
As of December 15, the number of vulnerabilities in production code that had been assigned a CVE identifier and recorded in NIST's National Vulnerability Database (NVD) had already topped the 2019 figure.
Last year there were 17,306 CVEs published, including 4,337 high-risk, 10,956 medium-risk and 2,013 low-risk flaws. By the same date this year, 17,447 had been recorded in total, including 4,168 high-risk, 10,710 medium-risk and 2,569 low-risk bugs. Note that all of the growth is in the low-risk bucket: the high-risk and medium-risk counts are both slightly below their 2019 levels.
Between 2005 and 2016, annual totals ranged from around 4,000 to 8,000 vulnerabilities, according to the official figures from the National Institute of Standards and Technology (NIST)'s National Vulnerability Database.
However, in 2017 the number skyrocketed to over 14,000, and each year since published volumes have hit a record high.
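The high/medium/low split quoted above is the kind of tally NVD publishes from CVSS base scores. The script below is an added example, not code from the article or from K2 Cyber Security; it assumes the article's bands follow NVD's CVSS v2 severity ranges (LOW 0.0-3.9, MEDIUM 4.0-6.9, HIGH 7.0-10.0), and it runs over a constructed set of records with placeholder identifiers rather than real CVE IDs. It also keeps a separate count for entries NVD has not yet scored, which a naive tally would either drop or misfile.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class CveRecord:
    """One NVD entry reduced to the fields needed for the tally.

    The identifiers used below are constructed placeholders, not real CVE IDs.
    """
    entry_id: str
    published_year: int
    cvss_v2_base: Optional[float]  # None when NVD has not yet scored the entry


def v2_severity(score: Optional[float]) -> str:
    """Map a CVSS v2 base score to NVD's v2 severity band.

    NVD's v2 bands (assumed to be what the article's high/medium/low means):
    LOW 0.0-3.9, MEDIUM 4.0-6.9, HIGH 7.0-10.0. Entries awaiting analysis carry
    no score and are reported as UNSCORED so they are neither dropped nor
    miscounted in a band.
    """
    if score is None:
        return "UNSCORED"
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def tally_year(records: Iterable[CveRecord], year: int) -> Dict[str, int]:
    """Count the entries published in `year`, overall and per severity band."""
    counts: Counter = Counter()
    for rec in records:
        if rec.published_year != year:
            continue
        counts["TOTAL"] += 1
        counts[v2_severity(rec.cvss_v2_base)] += 1
    return dict(counts)


def is_record_year(records: Iterable[CveRecord], year: int) -> bool:
    """True when `year`'s total exceeds every earlier year's total in the data.

    A year with no earlier data to compare against is not called a record.
    """
    recs: List[CveRecord] = list(records)
    this_year = tally_year(recs, year).get("TOTAL", 0)
    earlier_years = {r.published_year for r in recs if r.published_year < year}
    return bool(earlier_years) and all(
        tally_year(recs, y).get("TOTAL", 0) < this_year for y in earlier_years
    )


# Constructed sample data: scores sit on the band edges to exercise each boundary.
SAMPLE_RECORDS = [
    CveRecord("example-2019-a", 2019, 10.0),
    CveRecord("example-2019-b", 2019, 5.0),
    CveRecord("example-2020-a", 2020, 9.8),
    CveRecord("example-2020-b", 2020, 7.0),   # lowest score that is still HIGH
    CveRecord("example-2020-c", 2020, 6.9),   # highest score that is still MEDIUM
    CveRecord("example-2020-d", 2020, 4.0),   # lowest score that is still MEDIUM
    CveRecord("example-2020-e", 2020, 3.9),   # highest score that is still LOW
    CveRecord("example-2020-f", 2020, None),  # published but not yet scored by NVD
]

if __name__ == "__main__":
    for year in (2019, 2020):
        print(year, tally_year(SAMPLE_RECORDS, year),
              "record year:", is_record_year(SAMPLE_RECORDS, year))
```

Because the bands are derived from the score NVD assigns rather than from the CVE itself, a severity tally depends on which CVSS version and which scoring date you use; re-running the same tally later can move entries between bands as NVD completes its analysis.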
K2 Cyber Security, which noticed the recent record spike, argued that the pandemic may have had an impact on disclosures this year.
“Companies still struggle to find the balance between getting applications to market quickly, and securing their code. The COVID-19 pandemic is a major factor this year,” argued the vendor’s co-founder and CEO, Pravin Kothari.
“It's pushed many organizations to rush getting their applications to production; they run fewer QA cycles, and use more third-party, legacy, and open source code, which is a key risk factor for increased vulnerabilities.”
To mitigate these risks, DevOps teams should shift security as far left in the development lifecycle as possible, and sysadmins should patch as soon as they can so that operating systems and critical software stay up to date, he said.
“Finally, it’s important to have a security framework that offers a defense-in-depth architecture. It’s time to take a hint from the recent finalization of NIST’s SP 800-53 that was just released on September 23,” said Kothari.
“The new security and privacy framework standard now requires Runtime Application Self-Protection (RASP) as an added layer of security in the framework.”