Edgescan’s 2020 Vulnerability Stats Report also reveals the time to patch vulnerabilities for an internet-facing system is now 71 days
Dublin, IRELAND – 18th February 2020 – Edgescan, the ‘fullstack’ Vulnerability Management Security as a Service (SaaS) solution provider, today releases its fifth Vulnerability Stats Report looking at the state of fullstack security in 2019, based on tens of thousands of global assessments. The report has revealed that, in 2019, it took organisations an average of 50.55 days (nearly eight weeks) to remediate critical risk vulnerabilities for public internet-facing web applications and 49.26 days for internet-facing network layer critical risk vulnerabilities.
The report also found that high or critical risk vulnerabilities in external facing web applications had significantly increased from 19.2 per cent in 2018 to 34.78 per cent in 2019. High or critical risk vulnerabilities discovered in externally facing network layer systems had also more than doubled in 2019, going up to 4.79 per cent from just 2 per cent the previous year.
“2019 saw more than 8 billion records breached, with some of the biggest breaches being experienced by Capital One, Quest Diagnostics, Houzz and Zynga. Many of these breaches were caused by web application layer vulnerabilities that could have been preventable if appropriate secure development and visibility practices were adhered to,” comments Eoin Keary, CEO of Edgescan. “Although the time-to-remediate critical risk vulnerabilities for public internet facing web applications has reduced by just over 18 days since 2018, we are still seeing high rates of known and patchable vulnerabilities which have working exploits in the wild. This could be due to the fact it is hard to patch production systems. Web application security is where the majority of risk still resides, and this is an area that organisations, no matter what size, should be taking notice of.”
Further key findings from the report:
- A 20-year-old vulnerability was discovered still ‘in the wild’ in over 3500 systems across Europe and North America. Originally discovered in 1999, the CVE-1999-0517 vulnerability has a CVSS high severity risk score of 7.5 (out of 10) and the potential to cause a serious data breach.
- The most common CVE vulnerability in 2019 was first discovered in 2016, over four years ago. CVE-2016-2183 has a high severity risk score of 7.5 (out of 10) and makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session.
- On average, 67.8 per cent of assets had at least one CVE with a CVSS (v3.x) value of 4.0 or more, making them non-compliant with PCI regulations.