Vulnerabilities up 18% in 2014
More than 15,400 vulnerabilities identified in 2014, says recent Secunia report
There was an 18% increase in the number of application vulnerabilities found between 2013 and 2014, as well as a 22% increase in the number of products with vulnerabilities, according to the Secunia Vulnerability Review 2015, released this week.
According to the report, 15,435 vulnerabilities across 3,870 applications were recorded in 2014. These applications were published by 500 different vendors, the report added.
Vulnerabilities are errors in software that can serve as an entry point for hackers and can be exploited to gain access to IT systems. Secunia said that it had noted increasing numbers of vulnerabilities in recent years.
"Every year, we see an increase in the number of vulnerabilities discovered, emphasizing the need for organizations to stay on top of their environment," said Kasper Lindgaard, director of research and security, Secunia.
"IT teams need to have complete visibility of the applications that are in use, and they need firm policies and procedures in place, in order to deal with the vulnerabilities as they are disclosed."
Secunia said that obtaining full visibility into applications is not always an easy task for some organisations. The company cited the fact that vendors bundle their products with open-source applications and libraries, and the fact that not all vendors can be trusted to patch vulnerabilities in a timely fashion, as some of the main reasons for this.
"In fact, as examples in the Secunia Vulnerability Review show, when we look at the number of days lapsed between the times when OpenSSL vulnerabilities were disclosed, until third-party vendors informed of their product being vulnerable, we find that there is no general pattern to response times," Lindgaard said.
"Consequently, organisations cannot presume to be able to predict which vendors are dependable and quick to react, when vulnerabilities are discovered in products bundled with open-source libraries."
However, for those applications that are known to the security teams, the data for 2014 was slightly encouraging. Of the 15,435 vulnerabilities, a full 83% had a security patch available on the day the vulnerability was disclosed to the public. Secunia said that this number represented a continued improvement in time-to-patch, particularly when taking a retrospective view of the last six years and the low of 49.9% recorded in 2009.
"But numbers also show that while an impressive 83% of vulnerabilities have a patch available on the day of disclosure, the number is virtually unchanged when we look 30 days ahead," said Lindgaard.
"Thirty days on, just 84.3% have a patch available, which essentially means that if it isn't patched on the day of disclosure, chances are the vendor isn't prioritising the issue. That means you need to move to plan B, and apply alternative fixes to mitigate the risk."