04 Mar
Cybersecurity Vulnerabilities Report
A SPECIAL REPORT FROM THE EDITORS AT CYBERSECURITY VENTURES
Q3 2015
The Cybersecurity Vulnerabilities Report provides vulnerability management trends, statistics, best practices, and resources for chief information security officers (CISOs) and IT security staff.
VULNERABILITY MANAGEMENT
Heartbleed exploits persist due to sloppy practices in $9 billion security and vulnerability management market.
- Vulnerability management is a key area where defenders (internal security teams) and builders (software development teams) must work together to identify and repair serious security vulnerabilities as quickly as possible, according to “The SANS Institute 2015 State of Application Security Report”. In their survey, SANS states 26 percent of internal security teams took two to seven days to deploy patches to critical apps in use, while another 22 percent took eight to 30 days, and 14 percent needed 31 days to three months to deploy patches satisfactorily.
- The SANS Institute report indicates that in nearly half of organizations, vulnerabilities in production apps are patched through quick-and-dirty fixes or other short-term workarounds, such as disabling a feature or function in the app, a very troubling statistic.
- 7,038 new security vulnerabilities were added to the National Vulnerability Database (NVD) in 2014, an average of 19 new vulnerabilities per day. NVD is a federally funded repository of cyber-vulnerability data maintained by the National Institute of Standards and Technology (NIST).
- NVD statistics indicate 24 percent of the vulnerabilities added in 2014 were rated as high severity. Third-party applications were the source of 80 percent of vulnerabilities, operating systems were responsible for 13 percent, and hardware devices for 4 percent. The top 3 operating systems by number of vulnerabilities were Apple Mac OS (147), Apple iOS (127), and Linux Kernel (119). It is interesting to note that Microsoft operating systems are no longer in the top 3. The top 3 applications by number of vulnerabilities were all web browsers: Microsoft IE (242), Google Chrome (124), and Mozilla Firefox (117).
- A report by 451 Research states that in some industries, the average time to fix a vulnerability is 176 days. As a result, the window of opportunity for hackers remains wide open.
- “Heartbleed was a landmark and catastrophic security bug that corporate security managers got stung by, and the entire IT community is now intimately familiar with — and surprisingly (or maybe not so surprisingly) there are still a lot of unprotected web servers at risk of further exploit by Heartbleed,” says Steve Morgan, Editor-In-Chief of the Cybersecurity Market Report.
- OpenSSL is used by over 60 percent of websites worldwide to encrypt personal data, according to Digital Defense, Inc. (DDI), a leading provider of vulnerability management solutions to corporations globally. Michael Cotton, Vice President, Research and Development for DDI says “the SSL Heartbleed flaw was a ‘once-a-decade’ critical security flaw that will have a lasting impact for years to come. Because OpenSSL is so widely used in various software and hardware applications, nearly all organizations were (and still may be) impacted in some way.”
- The “Cisco 2015 Annual Security Report” contains results from the “Cisco Security Capabilities Benchmark Study”, which surveyed Chief Information Security Officers (CISOs) and Security Operations (SecOps) executives at 1,700 companies in nine countries, and revealed that 56 percent of all installed OpenSSL versions are still over four years old. This startling data indicates that many corporations remain vulnerable to Heartbleed.
- The security and vulnerability management market is forecast to be worth over $9 billion USD by 2019, at a CAGR of 10.7 percent during the forecast period, according to Markets and Markets.
Steven C. Morgan, Editor-In-Chief, is Founder and CEO at Cybersecurity Ventures, and Editor-In-Chief of the Cybersecurity Market Report and the Cybersecurity 500 list of the world’s hottest and most innovative cybersecurity companies. Steve writes the weekly Cybersecurity Business Report for IDG’s CSO, and he is a contributing writer for several business, technology, and cybersecurity media properties.
© 2015 Cybersecurity Ventures. All rights reserved. Federal copyright law prohibits unauthorized reproduction of this Report by any means and imposes fines up to $150,000 for violations. Reproduction in whole or in part in any form or medium without expressed written permission of Cybersecurity Ventures is prohibited.