Today the US-CERT Vulnerability Database recorded 17,447 vulnerabilities, which is a new high and makes 2020 the fourth year in a row that a record number of vulnerabilities has been published. There were 17,306 vulnerabilities recorded in 2019.
The US-CERT Vulnerability Database keeps track of new vulnerabilities in production code as they are discovered and assigns each unique vulnerability a “CVE” identifier. For the last three years, 2017 through 2019, a record number of vulnerabilities was recorded in the database each year. On December 15, 2020, we hit another milestone: the number of vulnerabilities recorded so far in 2020 exceeded the total count for 2019, marking a fourth consecutive record year of vulnerabilities discovered in production code.
Why is this happening? Despite the emergence of DevSecOps and shift-left approaches, the number of vulnerabilities in released code continues to rise. Companies still struggle to find the balance between getting applications to market quickly and securing their code. The COVID-19 pandemic is a major factor this year. It has pushed many organizations to rush applications into production: they run fewer QA cycles and use more third-party, legacy, and open-source code, which is a key risk factor for increased vulnerabilities.
There are a number of measures an organization can take to improve its web application security stance. To start, make sure developers take security into consideration when designing and coding applications. Second, make sure that software and operating systems are kept up to date with the latest updates and patches, so that known vulnerabilities for which fixes exist cannot be exploited.
Finally, it is important to have a security framework that offers a defense-in-depth architecture. It is time to take a hint from the National Institute of Standards and Technology (NIST) SP 800-53 revision that was finalized on September 23, 2020. The new security and privacy control standard now includes Runtime Application Self-Protection (RASP) as an added layer of security in the framework.