In the second half of 2016, vendor-disclosed vulnerabilities dropped significantly from 2015, according to our research (Figure 37). The National Vulnerability Database shows a similar decline. The reasons for the drop in disclosed vulnerability advisories are not entirely clear. It should be noted that 2015 was an unusually active year for vulnerabilities, so the 2016 numbers may reflect a normal pace of vulnerability advisories. From January to October 2015, total alerts reached 7602. During the same time period in 2016, total alerts reached 6380; during this period in 2014, total alerts were 6272.
The high number of vulnerability reports in 2015 may indicate that vendors were looking more closely at existing products and code, more carefully implementing secure development lifecycle (SDL) practices, and identifying vulnerabilities and subsequently fixing them. The decline in reported vulnerabilities may indicate that these efforts are paying off. That is, vendors are now focusing on identifying vulnerabilities and correcting them before products reach the market.
In 2016, Apple was the vendor showing the most dramatic decline in vulnerabilities: the company reported 705 vulnerabilities in 2015 and 324 vulnerabilities in 2016 (a 54 percent decline). Similarly, Cisco reported 488 vulnerabilities in 2015 and 310 in 2016 (a 36 percent decline).
A concern among security researchers is that “vulnerability fatigue” may be setting in among security professionals. In recent months, there has not been a major vulnerability announcement that sent shock waves through the industry, as Heartbleed did in 2014. In fact, the hype around “named” vulnerabilities such as Heartbleed and the increase in 2015 likely contributed to the level of fatigue—or, at least, to less interest in reporting vulnerabilities.
In the Cisco 2017 Security Capabilities Benchmark Study (page 49), security professionals indicated a slight decrease in their agreement about security operationalization. This decrease may be connected to “fatigue” about the need to continually implement upgrades and patches. For example, in 2016, 53 percent of security professionals said they strongly agreed that they review and improve security practices regularly, formally, and strategically; in 2014 and 2015, 56 percent strongly agreed.
Of course, a decline in vulnerabilities should not lead to overconfidence about the threat landscape: no one should adopt the mindset that attention to threats can lapse, even in the absence of high-profile vulnerabilities.
As we’ve advised in past reports, security professionals should make a concerted effort to prioritize patches. If a lack of staffing and other resources prevents the timely installation of all available patches, evaluate which ones are most critical to network safety, and place those at the top of the to-do list.