Security Teams Overwhelmed With Bugs, Bitten by Patch Prioritization
The number of vulnerabilities disclosed in the first half of the year topped 11,800, forcing companies to determine the impact of an average of 90 security issues per weekday.
The numbers are from cybersecurity firm Flashpoint’s “The State of Vulnerability Intelligence — 2022 Midyear Edition” report, which notes that the massive number of vulnerabilities reported in the first half of the year highlights the problems facing companies as they try to triage software security issues and determine which software updates to prioritize.
Without better guidance, organizations attempting to sort through the security issues struggle to separate those that are highly critical from minor vulnerabilities and those that may not affect their environment at all, says Brian Martin, vice president of vulnerability intelligence at Flashpoint.
“There are some issues that will have no bearing on any real organization in the world — it might be a vulnerability in some Chinese blog that has seven installs worldwide,” Martin says. “On the other hand, we do have vulnerabilities in Microsoft products, Google products, Apple products. Stuff that is just as high-profile and concerning as any issue from a Patch Tuesday.”
Clouding the issue is the focus put on zero-day vulnerabilities, those labeled as “discovered in the wild” by researchers before a patch is available. These are difficult to collect information on. Google’s Project Zero documented 20 such vulnerabilities exploited in the wild in the first half of 2022, while Flashpoint found at least 17 more issues.
Yet the most common attacks usually use known vulnerabilities.
“Discovered-in-the-wild vulnerabilities are often used in high-profile breaches or are attributed to Advanced Persistent Threat (APT) attacks,” the report states. “Due to their nature, organizations often lack defensive options for them. However, business leaders need to keep in mind that discovered-in-the-wild vulnerabilities represent a tiny fraction of compromises occurring around the world.”
Organizations also had to deal with a growing number of days with hundreds of reported vulnerabilities because…