Threat Intelligence

12/16/2020
04:20 PM
US-CERT Reports 17,447 Vulnerabilities Recorded in 2020

This marks the fourth year in a row that a record number of vulnerabilities has been discovered, following 17,306 in 2019.

The US-CERT Vulnerability Database has confirmed 17,447 vulnerabilities were recorded in 2020, marking the fourth consecutive year with a record number of security flaws published.

On Dec. 15, 2020, officials reported 4,168 high-severity vulnerabilities, 10,710 medium-severity vulnerabilities, and 2,569 low-severity vulnerabilities this year. In 2019, there were 17,306 flaws published: 4,337 high-severity, 10,956 medium-severity, and 2,013 low-severity vulnerabilities.

The continuous increase raises a question: Are developers pushing more unsecured code, or are white-hat hackers getting better at finding vulnerabilities? Given the current climate and the growing popularity of bug bounty programs, experts suggest both factors could be at play.

This year saw massive growth in crowdsourced security. In its recent "Priority One" report, security firm Bugcrowd reports a 50% increase in vulnerability submissions in the last 12 months compared with the year prior. These bug reports reflect a 65% increase in P1 submissions (the most critical vulnerabilities) and a 4% increase in the validity of submissions.

"Hackers are finding bugs with greater impact, and communicating them to affected organizations with greater accuracy," founder and CTO Casey Ellis wrote in a blog post.

Web applications make up the majority of vulnerabilities reported, but Bugcrowd data shows other categories are catching up as hackers diversify their skill sets to remain competitive in the ever-growing space. Submissions for all targets increased in 2020; notably, API vulnerabilities doubled and bugs discovered in Android targets more than tripled this year, researchers report.

The COVID-19 pandemic forced security practitioners into response mode, and the industry was at first preoccupied with keeping the lights on, changing work practices, and reprioritizing projects. However, as the industry grew accustomed to remote work and spent more time at home, Bugcrowd saw an increase in activity: Critical bug (P1) payouts jumped 31% between the first and second quarters of this year; P2 payouts increased 31% between quarters two and three.

HackerOne confirmed similar findings in its latest "Hacker Powered Security Report" earlier this year. More than a third of the 180,000 bugs found via HackerOne were reported in the past year. New hacker signups on the platform increased 59%, and submitted bug reports grew by 28%, in the months immediately following the start of the pandemic, researchers report. The businesses participating in crowdsourced security paid 29% more bounties in the same period.

This year has forced many businesses to rethink their vulnerability disclosure programs (VDPs), which have traditionally focused more on customer-facing assets and attack surfaces. Now they want more information on weaknesses in third-party systems or applications employees use on a regular basis. Many VDPs have grown to include back-end business support systems as well.

"It was nowhere near the norm, and that's quickly become the norm over the past few months," says HackerOne co-founder and CTO Alex Rice. "Organizations recognize that their attack surface is evolving. … What they thought was their perimeter before isn't quite the perimeter."

The increased participation in crowdsourced security has certainly driven the number of bugs reported this year; however, it's worth noting the pandemic's effect on software development. Many organizations have had to rush applications through production, cutting down on quality assurance cycles and relying more heavily on third-party, legacy, and open source code, says Pravin Madhani, co-founder and CEO at K2 Cyber Security.

"Despite the emergence of DevSecOps and shift-left approaches, the number of vulnerabilities in released code continues to rise," he says. "Companies still struggle to find the balance between getting applications to market quickly and securing their code."

If the timing of vulnerability disclosures proved a challenge to your security team, you're not alone. Three times in 2020, Microsoft and Oracle rolled out security fixes on the same day. More patches are released on Patch Tuesday than any other day of the month, and this year has been a big one for Microsoft alone: In eight months of 2020, the company released more than 110 patches for its products and services; in June and September, the count was 129 fixes.

"The first thing I think of is just volume," says Dustin Childs of Trend Micro's Zero Day Initiative (ZDI) about Patch Tuesday trends. "There's so many patches from Microsoft; it's just a record year for them. We're probably going to disclose a record amount of advisories in the ZDI."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

Comments
lancop, User Rank: Moderator
12/17/2020 | 12:58:37 PM
RE: record number of CVE Vulnerabilities in 2020
Interesting article, but I guess we shouldn't be surprised by the sheer number of CVEs in 2020.

Programmers are still not well trained in secure coding as the industry is more interested in quantity of code than security of code.

But the other problem is the actual elephant in the room: any computer or computer network that has internet access will forever be vulnerable and intrinsically insecure. Every networked device with an internet connection is either one or two user clicks away from compromise or just one determined Red Team's best efforts away from a successful breach. And we learn this lesson over & over again because we've become utterly dependent on an inherently insecure internet infrastructure.

This has become increasingly alarming because our personal information, intellectual property, defense department data, financial information, and even the electronic door locks on our homes & businesses are all subject to remote attack and successful compromise. All the while, new internet-connected products are released almost every day, and sales & marketing people run around selling "the cloud...the cloud". A cloud being a huge blind spot where almost anything could be happening that you won't see coming until the split second when it hits you.

So, we can make an educated guess and say with almost complete certainty that 2021 will report a new record number of CVEs. The beat goes on...
