The number of publicly-reported software security flaws jumped nearly 30 percent in the first quarter of 2017 compared to the same quarter the prior year, while more than 3.4 billion records were exposed indata breaches, according to a pair of reports released on May 23 by Risk Based Security.
The two reports summarized data on breaches and vulnerabilities for the first quarter of 2017. The number of breaches rose only modestly in the first quarter of the year, with the company documenting 1,254 incidents of data loss. While the average incident involved fewer than 10,000 records, the top-10 largest breaches accounted for 3.2 billion records, the vast majority of the data put at risk in the first quarter.
Meanwhile, the company documented 4,387 vulnerabilities, more than a third of which were trivial to exploit or already had known exploits. Oracle topped the charts of vendors of vulnerable software, with 369 security issues found in the first three months of 2017. Google and Microsoft trailed at second and third, with 302 and 204 software flaws, respectively.
“There is no such thing as software without vulnerabilities in it,” Inga Goddijn, executive vice president of Risk Based Security, told eWEEK. “Most software has weaknesses, and the question is whether they have been discovered and how do the companies respond and handle the vulnerabilities when they are notified.”
The trends in the two reports seem to track closely. While human error often plays a role in data breaches, vulnerabilities accounted for a significant number of compromises. In the first quarter 43 percent of breaches, for example, were caused by hacking. Of the vulnerabilities reported in the first quarter, more than a third are actively exploited or have enough information to make exploitation trivial.
“It is not just this report. We tend to see the correlations between the two reports,” she said. “It is not fair to say one is connected to the other, but it is something we are studying.” Goddijn stressed that companies need to focus on tightly managing their security, especially patching and vulnerabilities.
“Security is all about our processes and managing our processes day in and day out,” she said. “There are these major breaches and incidents like WannaCry and preventing those events boil down to managing our patches and following basic best practices.”
An increasing number of the vulnerabilities reported every year come from bug-bounty programs. About 7 percent of the reported vulnerabilities in the first quarter came from public and private bug-bounty programs. Over the past two years, about 5.7 percent of quarterly vulnerabilities were reported through bug bounty programs.
While most software vendor’s average vulnerability rates moderate to high severity (about a 7 on the 10-point CVSSv2 scale), the one standout in the Top-10 software makers was Adobe, whose 100 vulnerabilities averaged a critical rating (9 on the 10-point scale).