Trends in vulnerabilities and threats evolve as the technology landscape changes. The vulnerability landscape has changed tremendously over the last couple of years which has prompted many organizations to question whether their current methodologies for vulnerability management are sustainable moving forward.
With 2019 just around the corner, vulnerability remediation is going to be more important than ever. Forecasting vulnerability trends for this upcoming year can help organizations be proactive in making needed adjustments in their vulnerability management program to stay effective while managing risk.
Let’s take a look at five trends we expect to see in 2019.
1) Continued Growth in the Number of Vulnerabilities
There are already over 15,000 reported vulnerabilities so far this year, compared to a total of 14,714 vulnerabilities for all of 2017- at this rate the year will end with 16,000 vulnerabilities disclosed. With the increase in vendors, products, and multi-platform solutions available today, it’s no wonder the number of vulnerabilities continues to grow.
2) Growth in Critical Vulnerabilities
Since the beginning of 2017, there have been 8078 vulnerabilities rated as critical, up from 4887 from 2015 -2016 . The growth in critical vulnerabilities is highlighted by Kelly Sheridan, editor of Dark Reading when she notes that “the number of critical vulnerabilities reported for Windows 10 increased 64% between 2016 and 2017,” and we can expect this trend to continue into 2019.
CISOs and Vulnerability Program Managers can no longer prioritize based solely or primarily on technical severity as the sheer number of critical vulnerabilities alone make it an inefficient and ineffective method to resolve vulnerabilities that require immediate action.
3) Open Source and Third-Party Software
We’ve seen a trend of large enterprises willing to adopt open source components, and open source applications may very well see larger numbers of severe vulnerabilities in 2019. The pace of application development has increased for software companies to stay relevant in the digital transformation age. This adoption of open source code has become commonplace today, as it’s more efficient to use a code someone else has already developed. According to Mike Pittenger, Black Duck security strategist at Synopsys, Inc., "In the average application, over a third of the code base is open source." As enterprises use applications with dozens of open source components, each with their own potential vulnerabilities, they become more vulnerable themselves.
4) Continuous Remediation
The trends seen above indicate that no one can realistically keep up with remediation and prioritization using a manual process. A vulnerability process that integrates automation and orchestration is a key differentiator for success. This allows for continuous remediation in high speed, while avoiding unintentional impacts to business operations.
5) Risk Mitigation Methods
As the number of vulnerabilities continues to rise, enterprises will look to mitigate risk by using smarter and more effective methodologies. Relying on a single reference point, such as severity levels, or using a manual process to manage vulnerabilities is no longer feasible. Organizations need to understand the true risk that vulnerabilities pose in their specific environment. In order to choose the correct remediation plan, the information that they rely on must be contextualized with their system. Moreover, enterprises must understand the business impact that a specific patch will have on their system.
Once enterprises have a clear picture of their risk, they can prioritize remediation according to technical severity, exploitability and business impact. To achieve the high speed, continuous analysis, and remediation needed today, organizations will need to utilize these methods for effective vulnerability management with minimal impact.
Preparing for 2019
Given these trends – the increased number of vulnerabilities along with increasing critical vulnerabilities, focused attacks on known vulnerabilities, the proliferation of open source libraries, and the need to utilize more effective methods of the vulnerability process, it’s important to implement the proper remediation methodologies in order to mitigate the dangers these trends present. Being able to prioritize based on multiple data points and understanding the true risk that vulnerabilities pose on the enterprise is key to being successful in protecting digital assets in 2019.