Last year, K2 Cyber Security reported that the US-CERT Vulnerability Database hit a record number of vulnerabilities recorded for the fourth year in a row on December 15, 2020. As of last Thursday, October 14, 2021, the database is on track to hit a fifth record year of recorded vulnerabilities. The US-CERT Vulnerability Database keeps track of new vulnerabilities in production code as they are discovered and assigns each unique vulnerability with a “CVE” number. For the last four years, 2017 through 2020, we’ve had a record number of vulnerabilities recorded in the vulnerability database. For 2020, we recorded a total of 18,352 vulnerabilities (with 4,381 high, 11,205 medium and 2,766 low), the highest number recorded in any given year since tracking began.
With 15,080 vulnerabilities (2,957 high, 9,737 medium and 2,386 low) recorded as of Oct. 14, 2021, we’re on track to marking a fifth record year of vulnerabilities discovered in production code. At the current run rate, we should exceed the 18,352 from 2020, on December 16, 2021 a day later than last year’s date.
It shouldn’t be a surprise, as we’ve been on track most of this year to beat 2020’s number. In addition, as the COVID-19 pandemic lingered, the effect has been pushing many organizations to continue their increased drive to getting their applications to production, meaning they may have less QA cycles, and more use of 3rd party, legacy, and open source code, another risk factor for more vulnerabilities.
These numbers may have you concerned about your own security and how many applications you have out in production with vulnerabilities. There are a number of simple measures an organization can take to improve their web application security stance. First starts at the very beginning of application development, and that’s making sure developers take security into consideration when developing and coding applications. Second, is making sure that software and operating systems are kept up to date, with the latest updates and patches to ensure known vulnerabilities that have patches are not exploited.
In addition to these two fundamental starts to application security, there’s still a need to ensure web application security for applications running in production, especially against threats not typically secured by network or system level security. The recently updated draft for 2021 of the OWASP Top 10 Web Application Security Risks are a great example of risks that aren’t typically protected with network or system level security.
In addition to the system and network based security typically in place, it’s important to remember to have a security framework that offers a defense-in-depth architecture. Maybe it’s time to take a hint from the recent finalization of the National Institute of Standards and Technology (NIST)’s SP800-53 that was just released on September 23, 2020. The new security and privacy framework standard now requires Runtime Application Self-Protection (RASP) as an added layer of security in the framework.
RASP solutions like the one from K2 Cyber Security offer significant application protection, including protection of vulnerable applications, while at the same time using minimal resources and adding negligible latency to an application. K2 Security Platform uses runtime deterministic security to monitor the application and has a deep understanding of the application’s control flows, DNA and execution. By validating the application’s control flows, deterministic security is based on the application itself, rather than relying on past attacks to determine a zero day attack. Deterministic security results in the detection of sophisticated zero day attacks and also protects from application from the risks listed in the OWASP Top Ten, including XSS and SQL Injection.
K2’s Next Generation Application Workload Protection Platform addresses today’s need for runtime security in an easy to use, easy to deploy solution. K2’s unique deterministic security detects new attacks without the need to rely on past attack knowledge, is lightweight, and adds under a millisecond of latency to the running application. To aid in quick remediation of vulnerabilities, K2 also provides detailed attack telemetry including the code module and line number being in the code being attacked, while at the same time integrating with leading firewalls to do real time attacker blocking.
Change how you protect your applications, and check out K2’s web application and application workload security solution and evaluate K2’s effectiveness at detecting and protecting your organization from attacks.