Edgescan, a Vulnerability Management Security as a Service (SaaS) solution provider, has released its fifth Vulnerability Stats Report looking at the state of full stack security in 2019, based on tens of thousands global assessments.
The report has revealed that, in 2019, it took organisations an average of 50.55 days (nearly eight weeks) to remediate critical risk vulnerabilities for public internet-facing web applications and 49.26 days for internet facing network layer critical risk vulnerabilities.
The report also found that high or critical risk vulnerabilities in external facing web applications had significantly increased from 19.2 per cent in 2018 to 34.78 per cent in 2019. High or critical risk vulnerabilities discovered in externally facing network layer systems had also more than doubled in 2019, going up to 4.79 per cent from just 2 per cent the previous year.
“Last year saw more than 8 billion records breached, with some of the biggest breaches being experienced by Capital One, Quest Diagnostics, Houzz and Zynga. Many of these breaches were caused by web application layer vulnerabilities that could have been preventable with if appropriate secure development and visibility practices were adhered to,” comments Eoin Keary, CEO of Edgescan.
“Although the time to remediate critical risk vulnerabilities for public internet facing web applications has reduced by just over 18 days since 2018, we are still seeing high rates of known and patchable vulnerabilities which have working exploits in the wild.
“This could be due to the fact it is hard to patch production systems. Web application security is where the majority of risk still resides, and this is an area that organisations, no matter what size, should be taking notice of.”
Further key findings from the report include:
• A 20-year-old vulnerability was discovered still ‘in the wild’ in over 3500 systems across Europe and North America. Originally discovered in 1999, the CVE-1999-0517 vulnerability has CVSS high severity risk score of 7.5 (out of 10) and the potential to cause a serious data breach.
• The most common CVE vulnerability in 2019 was first discovered in 2016, over four years ago. The CVE-2016-2183, has a high severity risk score of 7.5 (out of 10) and makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long duration encrypted session.
• On average, 67.8 per cent of assets had at least one CVE with a CVSS (v3.x) value of 4.0 or more, making the non-compliant with PCI regulations.
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.