
Vulnerability disclosures back to expected rates despite COVID disruption

Vulnerability disclosures have returned to expected rates despite the initial disruption from COVID-19, according to a new report. 

The report, from Risk Based Security, found the total number of vulnerabilities in 2020 is on track to exceed 2019.

Risk Based Security released its 2020 Year End Vulnerability QuickView Report revealing that 2020 vulnerability disclosures are on track to exceed 2019 despite a sharp decrease of 19.2% observed earlier in the year.

Risk Based Security’s VulnDB team aggregated 23,269 vulnerabilities disclosed during 2020. Despite the initial disruption from COVID-19, the trend in the total number of vulnerabilities suggests that business operations and routines have normalised, as the gap has closed to 0.98%.

“2020 could be titled ‘The Great Catch-up’. We saw an incredible drop of 19.2% in Q1, but with each subsequent quarter that massive gap steadily closed,” says Brian Martin, vice president of vulnerability intelligence at Risk Based Security.

“The question now is how COVID-19 will impact the 2021 vulnerability landscape,” he says.

"Have we fully shaken off the disruption from the pandemic, or will we still see some lingering side-effects?" Martin says.

The report goes into further detail on how vulnerability disclosures caught up throughout the year. 

"In the midst of the pandemic we experienced three Vulnerability Fujiwhara events, a term adopted for the collision of patch releases from Oracle, Microsoft, and other major vendors on the same day," says Martin. 

"These Vulnerability Fujiwhara result in challenging workloads for vulnerability management teams, and made timely patching and remediation a difficult task for many organisations."

Adding to the difficulty is the fact that CVE continues to fall behind in coverage. 

According to Risk Based Security, CVE failed to report 29% of known vulnerabilities in 2020. Organisations relying on CVE/NVD may struggle to justify that gap to auditors and management.

“In 2020, CVE failed to report 29% of known disclosed vulnerabilities and organisations looking for those details can find those missing vulnerabilities in VulnDB,” says Martin.

“Our VulnDB team hit a major milestone of 80,000 aggregated vulnerabilities without a CVE ID,” he says.

"Now that it appears operations have mostly normalised, those who are wary or are struggling with current workloads may want to consider strengthening their vulnerability management programs with proper vulnerability intelligence.”

The 2020 Year End Vulnerability QuickView Report covers vulnerabilities disclosed between January 1, 2020 and December 31, 2020. Risk Based Security (RBS) provides detailed information and analysis on Vulnerability Intelligence, Data Breaches, and Vendor Risk Ratings.
