For the fifth year in a row, a new record of security vulnerabilities has been recorded in the US-CERT Vulnerability Database. As of today, December 8, 2021, 18,376 vulnerabilities in production code were recorded, exceeding the 2020 record of 18,351.
Interestingly, there are fewer high-severity vulnerabilities this year than last year.
<p>While we can’t say for certain why there are more medium- and low-severity vulnerabilities and fewer high-severity ones, the lower number of high-severity vulnerabilities is likely due to better coding practices by developers. Many organizations have adopted “shift left” in recent years, putting more emphasis on making security a higher priority earlier in the development process.</p>
<p>As to why more vulnerabilities were found in production code this year, the ongoing COVID-19 pandemic has continued to push many organizations to rush their applications into production as part of their digital transformation and cloud journeys. That means the code may have gone through fewer QA cycles, and there may have been more use of third-party, legacy, and open source code, another risk factor for more vulnerabilities.</p>
<p>So while companies may be coding better, they’re not testing as much, or as thoroughly, and hence more vulnerabilities made it into production.</p>