Back on December 8, 2021, we reported that the number of recorded vulnerabilities in the NIST National Vulnerability Database (NVD), hit a record high number of vulnerabilities recorded in a single year for the fifth year in a row. Now that 2021 has ended, we can see the final tally of vulnerabilities recorded for 2021. The year ended with a total of 20,061 vulnerabilities recorded, 9.3% over the prior year and the most ever recorded of any year since the database began.
One of the surprise of the year was that the number of vulnerabilities rated with a high severity didn’t break last year’s record. By the end of 2021, the NVD recorded 4,040 high severity vulnerabilities, down from 4,381 recorded in 2020. Both medium and low severity vulnerabilities set record highs, with 12,857 medium severity vulnerabilities (11,204 in the prior year) and 3,164 low severity vulnerabilities (2,766 in the prior year) recorded by the end of 2021.
The 9.3% increase in the last year was also the biggest jump of the last five years, as you can tell from the graph found at the NVD site, shown below.
In our previous post on setting the record for the fifth year, we discussed the reason there were more low and medium severity, and less high severity vulnerabilities.
While we can’t say for certain why there are more medium and low severity vulnerabilities, and less high severity vulnerabilities, it’s likely the lower numbers of high severity vulnerabilities is due to better coding practices by developers, as part of the recent big push to “shift left,” also called DevSecOps. Many organizations have adopted “shift left” in recent years, seeking to put more of an emphasis on ensuring security is a higher priority earlier on in the development process.
As to why more vulnerabilities are found in production code this year, the ongoing COVID-19 pandemic has continued to push many organizations to rush getting their applications to production, as part of their digital transformation and cloud journeys, meaning the code may have been through less QA cycles, and there may have been more use of 3rd party, legacy, and open source code, another risk factor for more vulnerabilities. So while companies may be coding better, they’re not testing as much, or as thoroughly, hence more vulnerabilities made it to production.
These numbers may have you concerned about your own security and how many applications you have out in production with vulnerabilities. There are a number of simple measures an organization can take to improve their web application security stance. First starts at the very beginning of application development, and that’s making sure developers take security into consideration when developing and coding applications. Second, is making sure that software and operating systems are kept up to date, with the latest updates and patches to ensure known vulnerabilities that have patches are not exploited.
In addition to these two fundamental starts to application security, there’s still a need to ensure web application security for applications running in production, especially against threats not typically secured by network or system level security. The OWASP Top 10 Web Application Security Risks are a great example of risks that aren’t typically protected with network or system level security.
In addition to the system and network based security typically in place, it’s important to remember to have a security framework that offers a defense-in-depth architecture. Maybe it’s time to take a hint from the recent finalization of the National Institute of Standards and Technology (NIST)’s SP800-53 that was just released on September 23, 2020. The new security and privacy framework standard now requires Runtime Application Self-Protection (RASP) and Interactive Application Security Testing (IAST) as an added layer of security in the framework.
RASP and IAST solutions like the ones from K2 Cyber Security offer significant application protection and vulnerability detection, including protection of vulnerable applications, while at the same time using minimal resources and adding negligible latency to an application. K2 Security Platform uses runtime deterministic security to monitor the application and has a deep understanding of the application’s control flows, DNA and execution. By validating the application’s control flows, deterministic security is based on the application itself, rather than relying on past attacks to determine a zero day attack. Deterministic security results in the detection of sophisticated zero day attacks and also protects from application from the risks listed in the OWASP Top Ten, including XSS and SQL Injection.
K2’s Next Generation Application Workload Protection Platform addresses today’s need for runtime security and vulnerability detection in an easy to use, easy to deploy solution. K2’s unique deterministic security detects new attacks without the need to rely on past attack knowledge, is lightweight, and adds under a millisecond of latency to the running application. To aid in quick remediation of vulnerabilities, K2 also provides detailed attack telemetry including the code module and line number being in the code being attacked, while at the same time integrating with leading firewalls to do real time attacker blocking.