A record number of software vulnerabilities was reported in 2021
Mean-time-to-Patch, meanwhile? 205 days...
A record-breaking 19,733 software vulnerabilities have been reported in 2021, putting the year on track to break the 20,000 mark for the first time, according to a December 7 count by The Stack.
In 2016 just 5,579 bugs were allocated CVEs (an open standard that provides identifiers for cybersecurity vulnerabilities). By 2019 the figure had hit 13,988. In 2020, it was 19,249, our count shows.
In August 2021 alone a record 2,249 vulnerabilities were registered on NIST’s NVD database – the US government repository of standards-based vulnerability management data – the equivalent of three security bugs an hour getting reported; a worrying figure as the speed of exploitation continues to grow.
(Previous analysis of the industry-standard NIST database by The Stack’s editor in late 2019 showed that Oracle and Microsoft were the companies with the highest numbers of reported vulnerabilities across all historical NIST data. As “products”, Linux and Android had the most reported CVEs against them.)
The data comes as the NSA, CISA and FBI on July 19, 2021 warned in a joint advisory that China’s advanced persistent threat (APT) groups “consistently scan target networks for critical and high vulnerabilities within days of the vulnerability’s public disclosure”, citing previously seen activity targeting critical vulnerabilities in major applications, “such as Pulse Secure, Apache, F5 Big-IP, and Microsoft products.”
That’s a whole lot faster than most will patch: a report by WhiteHat Security published this summer found that the average time taken to fix critical cybersecurity vulnerabilities had hit 205 days.
And as security firm Rezilion notes, patching ain't easy: "Ask anyone who’s responsible for managing vulnerabilities what keeps them up at night and while some will say they’re constantly worried about the next zero day, the majority will tell you the exact opposite. The vulnerabilities they already know about are troubling enough. Moreover, these vulnerabilities are likely staring them in the face from one or many dashboards and are one of the few concrete metrics that can be reported up to the C-Suite and the board. This inevitably leads to two questions – “Why isn’t this patched yet?” and “Is the environment secure with all of these unpatched vulnerabilities?”
"A patch may not even exist at the time the vulnerability is discovered. There may also be technical or organizational hurdles standing in the way of patching. It can be difficult to establish and enforce a patching window for critical systems, especially if they’re legacy infrastructure. Dependencies also kill patches, if the patch will bring a critical system to a halt then the cure is likely worse than the disease. There’s also the simple fact that most security teams have far more vulnerabilities to patch than time and resources to patch them."
There's no shortage of centralised patch management tools out there. Unfortunately, these make for a juicy target and two – SolarWinds and Kaseya – were hit in supply chain attacks this year.