
Software vulnerabilities hit a record high in 2014, report says


By Michelle Drolet


Are you patching quickly enough?

How safe is the software you use? Do you have a system in place to identify vulnerabilities and patch them when they are discovered? How quickly do you react to vulnerability reports? There’s evidence that software vulnerabilities are on the rise, and few companies are taking the necessary action to combat them.

There was some worrying news in the recent Secunia Vulnerability Review 2015. The number of recorded vulnerabilities hit a record high of 15,435 last year, up 18% from 2013. The vulnerability count has increased 55% in the last five years. The report also found a rise in the number of zero-day vulnerabilities with 20 being uncovered in the 50 most popular programs. These are vulnerabilities that have already been exploited by hackers before being made public or being patched.
Even when vulnerabilities are public, many companies are taking an unacceptably long time to fix them. We’ve discussed the fact that known vulnerabilities pose the biggest IT security threat before. What is causing this complacency?

Misplaced trust in open source software?

It seems that many businesses are making dangerous assumptions about open source software. The Ninth Annual Future of Open Source Survey from Black Duck offers some fascinating insights. OSS is gaining in popularity quite dramatically, but there’s a lack of policy in place to manage it. An impressive 78% of respondents reported that their companies run part or all of their operations on OSS, but 55% have no formal policy in place to deal with OSS use.

There’s a belief that OSS delivers better security than proprietary software, as 55% of respondents cited security as a reason for adopting OSS. That may be true, but it doesn’t mean that OSS is free of vulnerabilities. We all remember Heartbleed, and OpenSSL just released a fix for another high-severity flaw. It takes time and resources just to stay up to date on the latest vulnerabilities and keep software fully patched.
According to the survey, more than 50% of respondents are not satisfied with their ability to understand known security vulnerabilities in open-source components. What’s worse – only 17% plan to monitor open source code for security vulnerabilities. That means the majority are content to rely on someone else to find vulnerabilities, and without oversight it’s hard to predict how many vulnerabilities are already being exploited.
The open-source model does offer lots of advantages, and OSS adoption will continue to rise in the next few years. But there’s a real danger that this belief in its superior security credentials is causing companies to bury their heads in the sand.

The importance of rapid patching

Jumping back to Secunia’s report, it’s alarming to find that many organizations simply aren’t taking the threat of software vulnerabilities seriously enough.

A number of vendors took weeks to patch Heartbleed. One unnamed vendor took 160 days. If it’s taking that long to patch highly publicized flaws, then you have to wonder how many vulnerabilities are flying under the radar.
It’s understandable that companies aren’t committing resources to actively search for flaws, though it’s certainly not advisable. But the failure to patch known vulnerabilities is negligent. These kinds of flaws represent the greatest risk of attack. Cybercriminals and hackers tend to follow the path of least resistance, and that’s often known vulnerabilities.
The threat of vulnerabilities is only going to grow as more and more software is rushed out to market. It’s time the enterprise addressed this threat and allotted the necessary resources to patching vulnerabilities at an absolute minimum. Ideally, companies should be monitoring code on an ongoing basis to uncover more vulnerabilities. Failure to act could be exposing businesses to serious risk of data leakage, which is expensive and difficult to fix.
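The two gaps the article describes, not tracking which open-source components are known to be vulnerable and not measuring how long they stay unpatched, can be closed with a very small amount of tooling. The script below is an added example, not code from the article or from Secunia or Black Duck: it matches a constructed software inventory against a constructed advisory feed (the advisory ids, component names, version ranges and dates are all made up for illustration), computes how many days each exposure has been public, and flags the ones that have blown past a patching deadline.

```python
import re
from datetime import date

# Constructed advisory feed (not real advisories or CVEs): a version is affected
# when affected_min <= version < fixed_in, and the clock starts at disclosure.
ADVISORIES = [
    {"id": "ADV-0001", "component": "libtls", "affected_min": "1.0.1",
     "fixed_in": "1.0.1g", "disclosed": date(2014, 4, 7)},
    {"id": "ADV-0002", "component": "imageparse", "affected_min": "2.0",
     "fixed_in": "2.4.3", "disclosed": date(2015, 1, 15)},
    {"id": "ADV-0003", "component": "webfw", "affected_min": "0.9",
     "fixed_in": "1.2.0", "disclosed": date(2015, 3, 2)},
]

# Constructed inventory: which version of each component every host actually runs.
INVENTORY = [
    {"host": "web-01", "component": "libtls", "version": "1.0.1f"},
    {"host": "web-02", "component": "libtls", "version": "1.0.1g"},
    {"host": "app-01", "component": "imageparse", "version": "2.4.2"},
    {"host": "app-01", "component": "webfw", "version": "1.2.1"},
    {"host": "api-01", "component": "webfw", "version": "1.1"},
]

def version_key(v):
    """Make strings like '1.0.1f' comparable: numeric parts as ints, then letter suffixes."""
    parts = re.findall(r"\d+|[A-Za-z]+", v)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)

def is_affected(version, adv):
    k = version_key(version)
    return version_key(adv["affected_min"]) <= k < version_key(adv["fixed_in"])

def find_exposures(inventory, advisories, today):
    """One finding per (host, advisory) still unpatched, with days since disclosure."""
    findings = []
    for item in inventory:
        for adv in advisories:
            if adv["component"] == item["component"] and is_affected(item["version"], adv):
                findings.append({"host": item["host"], "advisory": adv["id"],
                                 "component": item["component"], "version": item["version"],
                                 "days_exposed": (today - adv["disclosed"]).days})
    return findings

def overdue(findings, sla_days):
    """Findings whose exposure window already exceeds the patching deadline."""
    return [f for f in findings if f["days_exposed"] > sla_days]

def run_report(today_iso="2015-09-14", sla_days=30):
    """Convenience entry point: report date and deadline as plain values."""
    return overdue(find_exposures(INVENTORY, ADVISORIES, date.fromisoformat(today_iso)), sla_days)

if __name__ == "__main__":
    for f in run_report():
        print(f"{f['host']}: {f['component']} {f['version']} hit by {f['advisory']}, "
              f"public for {f['days_exposed']} days")
```

Feeding it a real inventory (from a package manager or an SBOM) and a real advisory feed turns the same logic into the ongoing monitoring the article asks for.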

This article was recently published in Network World.
Imagery credit: cutcaster