NopSec’s 2018 State of Vulnerability Risk Management Report

Our NopSec Labs Team have been busy these past few months meticulously gathering and analyzing public and anonymized client vulnerability data to present this year’s State of Vulnerability Risk Management Report.

This report offers an analysis into current trends in vulnerability risk management. It examines the attributes of security vulnerabilities viewed through a variety of lenses:

  • Attributes of vulnerabilities published since 2002 versus those only recently published
  • Attributes of all vulnerabilities published in the National Vulnerability Database (NVD) in contrast with only those uploaded into our platform by our clients
  • Vulnerabilities broken down by industry vertical, CVSS score, product vendor and active exploitation in the wild

In building this report, Nopsec examined anonymized data collected from clients using Unified VRM, the company’s flagship vulnerability risk management (VRM) product. To get a broader picture of the landscape, the report looks at data from a variety of sources, including commercial threat intelligence, vulnerability management platforms and even social media.

The report highlights several ongoing trends that are worthy of note, particularly to those working in remediation. In particular, it shows that prioritizing vulnerabilities solely by CVSS score severity isn’t always appropriate.

The evidence shows that a surprisingly high portion of of vulnerabilities incorporated into malware or exploit kits are ranked low or medium severity. Counter to commonly-accepted practices, focusing only on high-severity vulnerabilities and setting a ‘cut-off’ point for lower scored issues, is not a safe or effective strategy.

In addressing the unreliability of CVSS scoring, the report explores the application of machine learning, natural language processing and other techniques in search of better indicators of risk. By analyzing previous trends in vulnerabilities, this novel approach is able to better predict the threat posed by a freshly-discovered vulnerability.

Key findings:

  1. We found that approximately 21% of CVEs published have associated exploit code in the Exploit Database alone. However, only 1.6% have associated Metasploit modules. Less than 2% (1.92%) have been linked to malware. Roughly 95% of vulnerabilities ranked as high have never been linked to malware seen in the wild.
  2. 44% of CVEs associated with malware were scored as medium or low on the CVSS scale, suggesting that focusing solely on CVEs with high scores (7+) would be a mistake.
  3. NopSec has found that the language used in CVE descriptions lends clues to the fate of vulnerabilities. For example, approximately half of all descriptions of vulnerabilities linked to malware include words “allows remote”.
  4. Vendors most likely to be associated with malware vary significantly, depending on whether all CVE data is taken into consideration, or just the last 18 months’ worth. For example, OpenSSL is most commonly associated with malware when considering all CVEs, whereas Canonical (Ubuntu) takes the top spot when considering only recently published CVEs.
  5. Only half of the Top 20 vulnerabilities derived from NopSec client data can be fixed with a patch. The remainder represent configuration issues to be fixed or insecure cryptographic algorithms or protocols to be disabled.
  6. Microsoft is the biggest source of vulnerabilities for Financial Services organizations. Healthcare, however, has more to worry about from BSD and Linux. Everyone has a significant number of Oracle vulnerabilities.

This is just an overview, and we invite you to explore the report in more detail by downloading a copy.

2018 State of Vulnerability Risk Management Report