While the infosec industry is used to reading (and pumping out) FUD about software vulnerabilities, eye-catching research suggests about 500 vulns were exploited in 2019 – despite 18,000 new CVEs being created.
Kenna Security, a US infosec firm, reckons that despite thousands of vulnerabilities being assigned a Common Vulnerabilities and Exposures (CVE) identifier during 2019, just 473 of those were actively being exploited in ways likely to impact enterprises.
That represents just 2.6 per cent of vulns reported during the year, shedding new light on the scale of the threat to internet-connected businesses.
Kenna's co-founder and CTO, Ed Bellis, told The Register that the analysis his firm carried out focused on those CVEs with the potential to affect its customers. Even that 473 figure can be reduced further, he said. The company did not apply the same filter to the 18,000 CVEs figure (by, for example, counting only those affecting enterprise software), so the two numbers are not strictly like-for-like, but the contrast between them is stark nonetheless.
"A mere 6 per cent of those 473 vulnerabilities ever reached widespread exploitation by more than 1/100 organizations," asserted Kenna Security's report. "The fact that an exploit is 'in the wild' does not mean it's raging hog wild across the internet."
The report continued: "Exploit code was already available for >50 per cent of vulnerabilities (eventually exploited in the wild) by the time they published to the CVE List. Thankfully for defenders, patch releases coincide with publication for over 80 per cent of those CVEs."
Vulns are out there – but the popular notion that everything is terrifyingly insecure and sometimes only pure luck saves us from data theft, denial-of-service attacks, and more may not be true. Fancy that!