The number of reported vulnerabilities in 2018 is seven percent down on the same period last year, according to a new report from Risk Based Security.
It’s not all good news though, as 24.9 percent of 2018’s reported vulnerabilities currently have no known solution, which is a reminder that, while patching is very important, it can’t be relied on exclusively as a remedy.
Vulnerabilities with a CVSSv2 score of 9.0+, often referred to as ‘critical’, accounted for 15.4 percent of all published vulnerabilities through the third quarter. Also, Risk Based Security’s own VulnDB published 4,823 more vulnerabilities than CVE/NVD through the end of Q3 2018.
Of all the vulnerabilities disclosed through Q3 2018, 67.3 percent are due to insufficient or improper input validation. Though many vulnerabilities fall under this umbrella, it’s clear that vendors are still struggling to carefully validate input from users. Having a mature software development lifecycle and some form of auditing can help iron out many of these issues and significantly reduce the threat from attackers.
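As an added illustration of the input validation problem the report highlights (example code written for this page, not taken from the Risk Based Security report or any product it covers), the following Python compares the denylist "sanitising" that so often goes wrong with allowlist validation of two typical form fields. The field names, character rules, limits and sample requests are all constructed assumptions for the demonstration.

```python
import re

# Constructed sample requests, as a web form might submit them (not real data).
SAMPLE_REQUESTS = [
    {"username": "alice_01", "quantity": "3"},
    {"username": "bob; DROP TABLE users", "quantity": "3"},
    {"username": "carol", "quantity": "-5"},
    {"username": "dave", "quantity": "10e3"},
    {"username": "../../etc/passwd", "quantity": "1"},
]

# Assumed application rules: what a username and an order quantity may look like.
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")
MAX_QUANTITY = 100


class ValidationError(ValueError):
    """Raised when a field does not match the allowlist for that field."""


def weak_sanitize(value: str) -> str:
    """Denylist approach: strip a few 'dangerous' substrings and hope.

    A single pass of str.replace leaves the input '....//' reading '../' once
    the inner '../' has been removed, so the check it was meant to enforce can
    be undone by the input itself. This is the insufficient validation pattern
    the report counts, shown here only to contrast it with the allowlist below.
    """
    for bad in (";", "'", '"', "../"):
        value = value.replace(bad, "")
    return value


def validate_username(value: object) -> str:
    """Allowlist: only the characters and length the application expects."""
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValidationError(f"invalid username: {value!r}")
    return value


def validate_quantity(value: object) -> int:
    """Allowlist for a positive integer, then a range check.

    int() alone would accept ' 3', '+3' or '3_0', and str.isdigit() alone
    accepts non-ASCII digits such as '²' that int() then rejects, so both the
    character set and the numeric range are checked explicitly.
    """
    if not isinstance(value, str) or not value.isascii() or not value.isdigit():
        raise ValidationError(f"quantity is not a plain decimal integer: {value!r}")
    number = int(value)
    if not 1 <= number <= MAX_QUANTITY:
        raise ValidationError(f"quantity out of range 1..{MAX_QUANTITY}: {number}")
    return number


def validate_request(request: dict) -> dict:
    """Return a request whose fields are all validated and correctly typed."""
    return {
        "username": validate_username(request.get("username")),
        "quantity": validate_quantity(request.get("quantity")),
    }


def screen_requests(requests: list) -> list:
    """Validate each request; return (accepted, validated-or-reason) per request."""
    results = []
    for request in requests:
        try:
            results.append((True, validate_request(request)))
        except ValidationError as exc:
            results.append((False, str(exc)))
    return results


if __name__ == "__main__":
    for accepted, detail in screen_requests(SAMPLE_REQUESTS):
        print("accepted" if accepted else "rejected", detail)
```

The point of the contrast is that the allowlist functions never try to guess what an attacker might send; they describe what a valid value is and reject everything else, so a new bypass for the denylist (such as the `....//` case) does not become a new bug in the validator.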
Submitted by: Arnfried Walbrecht