Software vulnerabilities hit a record high in 2014, report says

How safe is the software you use? Do you have a system in place to identify vulnerabilities and patch them when they are discovered? How quickly do you react to vulnerability reports? There’s evidence that software vulnerabilities are on the rise, and few companies are taking the necessary action to combat them.

There was some worrying news in the recent Secunia Vulnerability Review 2015. The number of recorded vulnerabilities hit a record high of 15,435 last year, up 18% from 2013. The vulnerability count has increased 55% in the last five years. The report also found a rise in the number of zero-day vulnerabilities with 20 being uncovered in the 50 most popular programs. These are vulnerabilities that have already been exploited by hackers before being made public or being patched.

Even when vulnerabilities are public, many companies are taking an unacceptably long time to fix them. We’ve discussed the fact that known vulnerabilities pose the biggest IT security threat before. What is causing this complacency?

Misplaced trust in open source software?

It seems that many businesses are making dangerous assumptions about open source software. The Ninth Annual Future of Open Source Survey from Black Duck offers some fascinating insights. OSS is gaining in popularity quite dramatically, but there’s a lack of policy in place to manage it. An impressive 78% of respondents reported that their companies run part or all of their operations on OSS, but 55% have no formal policy in place to deal with OSS use.

There’s a belief that OSS delivers better security than proprietary software, as 55% of respondents cited security as a reason for adopting OSS. That may be true, but it doesn’t mean that OSS is free of vulnerabilities. We all remember Heartbleed, and OpenSSL just released a fix for another high-severity flaw. It takes time and resources just to stay up to date on the latest vulnerabilities and keep software fully patched.

According to the survey, more than 50% of respondents are not satisfied with their ability to understand known security vulnerabilities in open-source components. What’s worse – only 17% plan to monitor open source code for security vulnerabilities. That means the majority are content to rely on someone else to find vulnerabilities, and without oversight it’s hard to predict how many vulnerabilities are already being exploited.

The open-source model does offer lots of advantages, and OSS adoption will continue to rise in the next few years. But there’s a real danger that this belief in its superior security credentials is causing companies to bury their heads in the sand.

The importance of rapid patching

Jumping back to Secunia’s report, it’s alarming to find that many organizations simply aren’t taking the threat of software vulnerabilities seriously enough.

A number of vendors took weeks to patch Heartbleed. One unnamed vendor took 160 days. If it’s taking that long to patch highly publicized flaws, then you have to wonder how many vulnerabilities are flying under the radar.

It’s understandable that companies aren’t committing resources to actively search for flaws, though it’s certainly not advisable. But the failure to patch known vulnerabilities is negligent. These kinds of flaws represent the greatest risk of attack. Cybercriminals and hackers tend to follow the path of least resistance, and that’s often known vulnerabilities.

The threat of vulnerabilities is only going to grow as more and more software is rushed out to market. It’s time the enterprise addressed this threat and allotted the necessary resources to patching vulnerabilities at an absolute minimum. Ideally, companies should be monitoring code on an on-going basis to uncover more vulnerabilities. Failure to act could be exposing businesses to serious risk of data leakage, which is expensive and difficult to fix.

The opinions expressed in this Blog are those of Michelle Drolet and do not necessarily represent those of the IDG Communications, Inc., its parent, subsidiary or affiliated companies.