Edgescan, a Vulnerability Management Security as a Service (SaaS) solution provider, has released its fifth Vulnerability Stats Report looking at the state of full stack security in 2019, based on tens of thousands global assessments.
The report has revealed that, in 2019, it took organisations an average of 50.55 days (nearly eight weeks) to remediate critical risk vulnerabilities for public internet-facing web applications and 49.26 days for internet facing network layer critical risk vulnerabilities.
The report also found that high or critical risk vulnerabilities in external facing web applications had significantly increased from 19.2 per cent in 2018 to 34.78 per cent in 2019. High or critical risk vulnerabilities discovered in externally facing network layer systems had also more than doubled in 2019, going up to 4.79 per cent from just 2 per cent the previous year.
“Last year saw more than 8 billion records breached, with some of the biggest breaches being experienced by Capital One, Quest Diagnostics, Houzz and Zynga. Many of these breaches were caused by web application layer vulnerabilities that could have been preventable with if appropriate secure development and visibility practices were adhered to,” comments Eoin Keary, CEO of Edgescan.
“Although the time to remediate critical risk vulnerabilities for public internet facing web applications has reduced by just over 18 days since 2018, we are still seeing high rates of known and patchable vulnerabilities which have working exploits in the wild.
“This could be due to the fact it is hard to patch production systems. Web application security is where the majority of risk still resides, and this is an area that organisations, no matter what size, should be taking notice of.”
Further key findings from the report include:
• A 20-year-old vulnerability was discovered still ‘in the wild’ in over 3500 systems across Europe and North America. Originally discovered in 1999, the CVE-1999-0517 vulnerability has CVSS high severity risk score of 7.5 (out of 10) and the potential to cause a serious data breach.
• The most common CVE vulnerability in 2019 was first discovered in 2016, over four years ago. The CVE-2016-2183, has a high severity risk score of 7.5 (out of 10) and makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long duration encrypted session.
• On average, 67.8 per cent of assets had at least one CVE with a CVSS (v3.x) value of 4.0 or more, making the non-compliant with PCI regulations.
Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.
Reserve your place today and gain access to the entire event free of charge. With all sessions available to view live or on-demand, you can build a personalised agenda based on your key focus topics and make the event fit around your work schedule.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.