
How Security Teams Should Respond to the Rise in Vulnerability Disclosures

By Rani Osnat, March 14, 2025

In 2024, vulnerability disclosures hit an all-time high, with over 30,000 vulnerabilities recorded in the National Vulnerability Database (NVD). We can expect these numbers to keep rising as the use of open source, GenAI, and software in general continues to grow. As cyber threats become more sophisticated, organizations are under immense pressure to identify and address vulnerabilities faster. Yet while disclosures rise, remediation cannot keep pace with discovery, and that widening gap exposes businesses to heightened risk. Understanding the factors driving this increase and adopting proactive strategies are essential for security teams to stay ahead of evolving threats.

Why Vulnerability Disclosures Are Increasing

Understanding why vulnerability disclosures are increasing is critical to addressing the challenge. Several factors are contributing to this surge:

  • Widespread Use of Open Source Software: Since open-source software code is publicly accessible, it can be reviewed and scrutinized by a wide community of developers and security researchers. This visibility leads to more frequent discoveries of flaws than proprietary software, where access is more restricted.
  • Greater Awareness and Reporting: Organizations are becoming more proactive in identifying and disclosing flaws, while researchers are uncovering more issues as security becomes a higher priority.
  • Growing Complexity of Systems: Modern applications often involve multiple layers of dependencies and components, making it harder to identify and mitigate flaws before they are exploited.
  • Overall Growth in Software Use: As Marc Andreessen predicted a decade ago, software is “eating the world.” The more lines of code produced, the higher the potential for vulnerabilities.
  • Regulatory Requirements: New regulations and security standards require more transparency and accountability regarding vulnerabilities. Companies are now expected to disclose security issues more promptly, contributing to the growing volume of disclosures.

However, despite these positive developments, challenges remain. The NVD has experienced delays in publishing Common Vulnerabilities and Exposures (CVE) entries. These delays create a dangerous window where organizations are exposed to potential attacks, as their security tools rely on timely CVE information to detect vulnerabilities.

The Disclosure Gap and Its Risks

Beyond the delays in CVE analysis, there are other issues with the vulnerability disclosure process. Research from Aqua Nautilus, which analyzed GitHub activity and NVD entries, found a troubling pattern: vulnerabilities in open-source projects are often not disclosed immediately. This creates a risky exposure window in which attackers can exploit flaws before they are patched.

Aqua Nautilus introduced the concepts of “Half-Day” and “0.75-Day” vulnerabilities, which fall between the better-known “0-day” and “1-day” vulnerabilities. A “Half-Day” vulnerability is known to the maintainers but has not yet been officially disclosed, while a “0.75-Day” vulnerability has a patch but no CVE, so CVE-based scanning tools cannot detect it.
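The 0.75-Day gap described above, shown as an added example that is not from the article or from Aqua Nautilus: a scanner that matches only on published CVEs stays silent about a package whose fix has shipped upstream but has no CVE yet, while a scanner that also consumes upstream fix data flags it. The inventory, feed records and CVE IDs are constructed placeholders.

```python
"""The "0.75-Day" gap in practice: a fix has shipped upstream but no CVE has
been assigned yet, so a scanner keyed only on CVE IDs reports nothing.
All inventory, feed records and IDs below are constructed placeholders."""
from datetime import date

# Constructed package inventory for one container image (e.g. from an SBOM).
INVENTORY = {"libfoo": "1.4.2", "webkit-bar": "3.0.1", "nettool": "2.2.0"}

# Constructed NVD-style feed: a record exists only once a CVE is published.
NVD_FEED = [
    {"cve": "CVE-0000-0001", "package": "libfoo", "fixed_in": "1.4.3",
     "published": date(2025, 1, 10)},
]

# Constructed upstream fix feed (release notes, fix commits, advisories
# without a CVE). A "Half-Day" flaw, known only to maintainers, appears in
# neither feed, so no scanner can see it; only the 0.75-Day case is visible.
UPSTREAM_FIXES = [
    {"package": "libfoo", "fixed_in": "1.4.3", "cve": "CVE-0000-0001",
     "fix_date": date(2025, 1, 3)},
    {"package": "webkit-bar", "fixed_in": "3.0.2", "cve": None,
     "fix_date": date(2025, 2, 1)},
]

def parse_version(v):
    """Dotted numeric versions only (sufficient for the constructed data)."""
    return tuple(int(p) for p in v.split("."))

def is_affected(installed, fixed_in):
    return parse_version(installed) < parse_version(fixed_in)

def cve_only_scan(inventory, nvd_feed):
    """What a scanner that matches solely on published CVEs reports."""
    return sorted(r["cve"] for r in nvd_feed
                  if r["package"] in inventory
                  and is_affected(inventory[r["package"]], r["fixed_in"]))

def fix_aware_scan(inventory, fixes):
    """Also consume upstream fix data; label each hit with the article's terms."""
    findings = []
    for f in fixes:
        installed = inventory.get(f["package"])
        if installed and is_affected(installed, f["fixed_in"]):
            stage = "1-day" if f["cve"] else "0.75-day"
            findings.append((f["package"], f["cve"] or "no CVE yet", stage))
    return sorted(findings)

if __name__ == "__main__":
    print("CVE-only scan :", cve_only_scan(INVENTORY, NVD_FEED))
    print("Fix-aware scan:", fix_aware_scan(INVENTORY, UPSTREAM_FIXES))
```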

These findings highlight the need for faster and more responsible vulnerability disclosure within the security community. Closing the gap between discovering vulnerabilities and releasing patches is critical to reducing an attacker’s window of opportunity.

How Attackers Are Adapting

As organizations work to improve their vulnerability management, attackers are shifting their tactics. In 2022, the Log4Shell vulnerability was the main target for attackers. But by the end of 2023, attention had turned to vulnerabilities in Grafana (CVE-2021-43798), an open-source tool widely used in cloud-native environments. The Grafana flaw, which allows attackers to access sensitive files, has become a significant target for exploitation.

Attackers are also exploiting newly disclosed vulnerabilities faster than ever before, with certain vulnerabilities being weaponized within weeks of disclosure. For example, recent vulnerabilities in Openfire and RocketMQ were exploited within one to two weeks of publication. This rapid exploitation underscores the urgency for organizations to stay ahead of evolving threats.

Practical Steps for Mitigating Vulnerabilities

Security teams need to adopt proactive measures to address the rising number of vulnerabilities and the evolving tactics of attackers. Here are several steps that organizations can take to mitigate these risks:

  • Adopt a Defense-in-Depth Strategy: Implement a layered security approach that provides comprehensive protection across your environment. This includes robust runtime security measures, such as behavioral detection and Cloud Detection and Response (CDR), which can help defend against known and unknown vulnerabilities.
  • Detect and Fix Vulnerabilities Early in the Life Cycle: Use automated scanning tools to detect vulnerabilities as early as possible in your software development life cycle. Cloud-native security scanners that integrate into the CI/CD pipeline can uncover risks in container images before they reach production, significantly reducing the attack surface.
  • Prioritize Risk-Based Remediation: Not all vulnerabilities are equally dangerous. Use a risk-based approach to prioritize and address the most critical vulnerabilities. Consider factors such as the reachability of vulnerable packages and images, available exploits, network exposure, and the likelihood of a vulnerability being exploited in the wild.
  • Set Assurance Policies and Guardrails for Production: Establish policies that define acceptable risk levels for container images to prevent vulnerabilities from reaching production. These policies can help prevent unpatched or vulnerable images from being deployed in production environments.
  • Mitigate Vulnerabilities at Runtime: If a vulnerability can’t be patched immediately, use compensating controls to limit the risk of exploitation. Virtual patches, for example, can provide temporary protection while a permanent fix is developed, and more traditional methods such as micro-segmentation limit the damage an attacker can do if a workload is breached.
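The risk-based prioritization and production assurance policy from the list above, sketched as an added example (not the article's or any vendor's code): each finding's base severity is scaled by the contextual factors the article names (reachability, public exploit, network exposure, likelihood of in-the-wild exploitation), and a simple policy gate blocks an image that violates the defined risk limits. The findings, CVE IDs, weights and policy thresholds are constructed for illustration.

```python
"""Risk-based prioritization plus a production assurance gate, as a sketch of
the steps above. Findings, IDs and weights are constructed for illustration."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve: str               # placeholder IDs, not real CVEs
    cvss: float            # base severity 0-10 from the advisory
    reachable: bool        # vulnerable code is actually loaded or called
    exploit_public: bool   # a working exploit is publicly available
    network_exposed: bool  # the workload is reachable from outside
    epss: float            # estimated probability of exploitation in the wild, 0-1
    fix_available: bool    # a fixed package version exists

def risk_score(f: Finding) -> float:
    """Scale base severity by the contextual factors the article lists;
    the weights are illustrative, chosen so the result stays within 0-10."""
    score = f.cvss
    score *= 1.0 if f.reachable else 0.2        # unreachable code is rarely exploitable
    score *= 1.0 if f.exploit_public else 0.6
    score *= 1.0 if f.network_exposed else 0.5
    score *= 0.5 + 0.5 * f.epss
    return round(score, 2)

def prioritize(findings):
    """Highest contextual risk first, regardless of raw CVSS order."""
    return sorted(findings, key=risk_score, reverse=True)

# Constructed assurance policy for images headed to production.
POLICY = {"max_risk": 7.0, "block_reachable_exploitable_with_fix": True}

def assurance_gate(findings, policy=POLICY):
    """Return (allowed, reasons); any reason blocks the deployment."""
    reasons = []
    for f in findings:
        s = risk_score(f)
        if s > policy["max_risk"]:
            reasons.append(f"{f.cve}: contextual risk {s} exceeds {policy['max_risk']}")
        if (policy["block_reachable_exploitable_with_fix"]
                and f.reachable and f.exploit_public and f.fix_available):
            reasons.append(f"{f.cve}: reachable, publicly exploitable, and a fix exists")
    return (not reasons, reasons)

# Constructed findings for one image.
FINDINGS = [
    Finding("CVE-0000-0001", 9.8, True, True, True, 0.90, True),
    Finding("CVE-0000-0002", 9.1, False, True, True, 0.30, True),   # high CVSS, unreachable
    Finding("CVE-0000-0003", 7.5, True, False, False, 0.20, False), # no fix: candidate for a virtual patch
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f.cve, risk_score(f))
    print(assurance_gate(FINDINGS))
```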

Preparing for the Future of Vulnerability Management

As vulnerability disclosures continue to rise and attackers become more adept at exploiting newly identified flaws, organizations must proactively secure their environments. Security teams can stay ahead of the ever-evolving threat landscape by adopting a defense-in-depth strategy, shifting left with automated scanning, and using risk-based prioritization. We cannot expect to catch up on vulnerability remediation with the methods relied on until now. Additionally, timely disclosure and efficient patch management will be critical in closing the exposure window and protecting systems from the next major vulnerability.

Rani Osnat

Rani Osnat is the SVP of strategy at Aqua Security. He has worked in enterprise software companies for more than 30 years, spanning project management, product management, and marketing, including a decade as VP of marketing for innovative startups in the cybersecurity and cloud arenas. Previously, Rani was also a management consultant in the London office of Booz & Co. He holds an MBA from INSEAD in Fontainebleau, France. Rani is an avid wine geek, and a slightly less avid painter and electronic music composer.
