
Vulnerability QuickView Report

2019 Q3 trends
Issued November, 2019
VULNERABILITY QUICKVIEW REPORT BETTER DATA MATTERS

Welcome
Since 2013, Risk Based Security has been sharing our Vulnerability QuickView reports with
the world, providing detailed analysis on the vulnerability landscape based on data from
our vulnerability intelligence product, VulnDB.

Continuing from our previous 2019 Mid-Year report, this edition of the QuickView delves
into the months of August through October. The information collected is displayed in a
series of charts depicting various groupings, classifications, insights, and comparisons of
the data.

To add value to the data, we are proud to feature viewpoints from security specialists
within our company and the security community at large.

We hope that this report and our findings contained within assist you in better
safeguarding your organization from vulnerabilities.

Brian Martin
Vice President, Vulnerability Intelligence,
Risk Based Security

Key Findings
• Risk Based Security’s VulnDB team aggregated 16,738 newly-disclosed vulnerabilities during the first three quarters of
2019.

• The VulnDB team identified 5,970 more vulnerabilities than CVE/NVD during the same period.

• 15% of 2019 vulnerabilities with a CVE ID were in RESERVED status at the end of September.

• 48% of all vulnerabilities identified by 9/30/19 had a CVSSv2 score of 6.0 and above.

• 39% of all vulnerabilities identified by 9/30/19 had available exploit code or a proof of concept (PoC).

© Copyright 2019 Risk Based Security, Inc. All Rights Reserved



In This Issue

Featuring viewpoints from

Brian Martin, Vice President, Vulnerability Intelligence, Risk Based Security
Jake Kouns, Co-Founder, CISO, Risk Based Security

Welcome
In This Issue ........................................ 3
Viewpoints ........................................... 4
Data You Can Use ..................................... 4
The Vulnerability Whack-a-Mole Game .................. 6
Vulnerability Trends Through Q3 2019 ................ 10
Q3 2019 At A Glance ................................. 10
“Top” Vendors by Confirmed Vulnerabilities .......... 13
Reference ........................................... 14
Methodology and Terms ............................... 17
CVE: Mission and Expectations ....................... 17
About Risk Based Security ........................... 18
About VulnDB ........................................ 18
No Warranty ......................................... 18


Data You Can Use


Brian Martin, Vice President of Vulnerability Intelligence, Risk Based Security
Brian has been studying, collecting, and cataloging vulnerabilities for twenty-five years both personally and professionally.
He has pushed for the evolution of Vulnerability Databases for years via blogs, presentations, and public dialogue on social
media, and has helped change them to improve their processes and coverage. He was previously a member of the CVE
Editorial Board for ten years and continues to rigorously follow the changing landscape of the vulnerability database
ecosystem.

For almost nine years, Risk Based Security (RBS) has maintained and offered the best vulnerability intelligence in the world. As a
founder of the company, and with over 25 years of experience collecting vulnerabilities, it is not only a passion, but a
cornerstone of my life. Believe it or not, there was once a time when MITRE said that there was no way that they would need to
create more than 9,999 CVE identifiers in a given calendar year. But not surprisingly, that ceiling has been broken repeatedly
since 2006, the year they first surpassed 10,000. As RBS has grown, we have added additional expertise to our team in order to
solidify our processes and methodology. This helps us ensure that we deliver the best information available while continuously
improving and innovating to stay ahead of the ever-increasing number of disclosures each year.

Having the best data is important, but we quickly identified that it was vital to ensure that organizations could easily integrate
our intelligence into their systems and workflows, and in the early years of RBS that became the priority. Integrating and
processing data can be overwhelming at times since the growing number of vulnerabilities makes it hard for organizations to
stay up-to-date in securing their IT infrastructure and/or software development.

JFrog Partnership

For years now, we have focused intently on the challenges of integrating our superior data into organizations so that they can
most effectively use it to enhance their vulnerability assessment and risk mitigation activities. We have had great success
partnering with many companies to provide a wide variety of integrations. We are extremely excited about our partnership with
JFrog and their integration of our data into their offering. Our work with JFrog gives us an opportunity to provide our data within
a tool that allows organizations to scan their own software for vulnerabilities in the third-party libraries and dependencies they
use. This is incredibly beneficial to development teams who can now quickly scan their repositories at any stage of their SDLC.
Using JFrog Xray, organizations are able to achieve what RBS has long worked towards in a way we never originally imagined.
Incredibly, JFrog has opted to include the third-party library vulnerabilities in VulnDB at no additional cost to Xray users!


Easy Integration

Most of our VulnDB integrations are focused on vulnerability remediation for assets deployed in the organization that are
identified as the result of vulnerability scanning. Our data can greatly enhance that triage process with additional metadata such
as detailed solution information and exploit availability. Using our data and an organizational asset inventory, rather than the
conventional network scanning method, a security team can far more effectively ‘scan’ their assets against a vastly more
comprehensive set of vulnerabilities than any network vulnerability scanner can provide. Even better, they can do so instantly,
bypassing the limitations of traditional scanning solutions (that would result in delayed alerting).

In a sea of bad data and vague disclosures, using the best data, and being able to integrate it into your existing systems and
workflows, is paramount. We monitor thousands of sources ranging from classic mailing lists and the security pages of high-
profile vendors, to social media, the deep web, research blogs, product bug trackers, and even code commits. We track all the
products you care about and provide our findings in one place in a standardized format. We correct mistakes and weed out
invalid reports while adding extra metrics not available to the public to enhance vulnerability assessment and risk mitigation. We
do all of this so you don’t have to, enabling you to focus on the issues at your organization.


The Vulnerability Whack-a-Mole Game


Jake Kouns, Co-founder, CISO, Risk Based Security
Jake is frequently interviewed as an expert in the security industry and has presented at many well-known security conferences,
including RSA, Black Hat, and DEF CON. He is the co-author of Information Technology Risk Management in Enterprise
Environments and The Chief Information Security Officer. He holds both a bachelor of business administration and master
of business administration degree from James Madison University, with a concentration in information security. In addition, he
holds a number of certifications, including: ISC2's CISSP, and ISACA's CISM, CISA and CGEIT.

Most professionals have probably heard the classic business iceberg metaphor quite a few times during their careers - the one
with the punchline: “Hey, the problem is actually bigger than you think!” It’s a cliché but, like it or not, it rings true when it comes
to cyber security. Many organizations see the tip of the iceberg, but very few stop and do the hard work necessary to figure out
what is really going on below the surface. Those that do, and start to more fully understand the issues, may soon discover that
the cyber problems are even bigger than they thought.

It’s nearly impossible for most organizations to look below the surface using the “free” data that fuels most of the security
products currently on the market. It’s just not comprehensive or timely enough. As a result, the attempt to deal with security
problems turns into a vulnerability “whack-a-mole” game, where risk management professionals reactively lunge at newly
emerging issues instead of proactively mitigating their likelihood and impact. Compounding the problem, organizations tend to
treat the symptoms and not address the root causes that are driving the risk.

Organizations need a better mindset when it comes to implementing the right approach for vulnerability management. They
want to evolve beyond the whack-a-mole game and be more strategic, and in order to do that they need better data.


THE PROBLEM ISN’T THE PLATFORM, IT’S THE DATA

At Risk Based Security, we have always been focused on collecting and understanding vulnerability data. We track every type of
vulnerability that we can uncover (including many issues in third-party libraries). We believe it’s critical that we offer the most
complete and detailed vulnerability data, but many cyber security solutions do not view this as a priority. Unfortunately,
organizations that use bad vulnerability data, knowingly or otherwise, may be making bad risk management decisions.

The core of the problem is that most organizations (and the security products they use) source their data from CVE. Some do not
really understand how the system works, or the severe limitations that can put them at risk. Many organizations are still relying
solely on running a vulnerability scanner, thinking “Oh, great! I just did a full assessment and I’m clean. I didn’t get any findings.”
But a scanning tool isn’t able to alert them about important vulnerabilities that are missing from their data. Worse, the major
vulnerability scanners look for only a fraction of the issues that are published in CVE. I’m not suggesting that you throw CVE out
entirely, as it does have some value. But you can’t implement an effective vulnerability management program using CVE/NVD
alone.

As I write this, CVE/NVD is missing around 71,000 vulnerabilities and that number is growing every day. For many people in the
security industry CVE/NVD has been the de facto standard, so this can come as quite a shock. Many practitioners react with
surprise when confronted by this fact, while others know but choose to ignore it. They may assume that the missing
vulnerabilities are in software that doesn’t matter, or that they are low risk. Neither of these statements is true.

THE MISSING VULNERABILITIES MATTER

If your organization is currently relying on CVE (and most are), at least 33% of all disclosed vulnerabilities are completely
unknown to you. Our research shows that 45.5% of those vulnerabilities not published by CVE/NVD in 2018 had a CVSSv2 score
between 7 and 10, and included major vendors like Microsoft, Adobe, Oracle, and Google. It gets even worse for DevSecOps as
CVE coverage of third-party library components is a fraction of what it should be.

Even when CVE does publish vulnerabilities, they can be days, weeks, and even months behind the disclosure date. Have you
ever gone to look up a CVE ID only to see it say “RESERVED”? This is normal for newly disclosed vulnerabilities. In fact, we see
1,500 to 2,000 vulnerabilities a year stay in reserved status in CVE long after we have alerted our customers and provided them
with the detailed intelligence they need in order to take the appropriate actions. The information is out there, but MITRE hasn’t
done the work necessary for you to do yours.

Even if you’re doing vulnerability research yourself, you need to be able to handle vulnerabilities that don’t have a CVE ID.
Organizations quickly realize that this is a complex and very expensive undertaking to manage.


EVOLVING BEYOND THE WHACK-A-MOLE GAME

Vulnerability management is more than just using a scanner. While vulnerability scanning has served organizations well and got
us to this point, we need to evolve our approach if cyber security is to mature. We need to put proper vulnerability intelligence
and asset inventory at the core of effective vulnerability management. When organizations know about all vulnerabilities
disclosed, and how they potentially affect them, they can prioritize and remediate accordingly, ensuring that their limited time
and money is focused on the most important risks.

We need to continue to educate and enable organizations to start looking at vulnerability management from a more strategic
standpoint, and apply more of a problem management approach. Ask yourself:

• What if you knew the vendors or products that would most likely put you at risk for a data breach or compromise?

• What products or libraries/components cost the most to maintain securely?

• What if you could easily look at your vendors and see how much they care about their own security? Are they actively
addressing the vulnerabilities within the products they are shipping to you? And if a vulnerability does make it through,
how quickly do they respond and provide a patch?

If organizations have access to easy-to-understand ratings and are able to gather better insights about the products they are
relying on, they can take a strategic approach. They can finally achieve proactive, risk-based vulnerability management, set aside
the squeaky mallet, and move on from the whack-a-mole game.


The Vulnerability QuickView report is powered by VulnDB, the most comprehensive, detailed and timely source of
vulnerability intelligence and third-party library monitoring.

• DevSecOps

• Security & Vulnerability Management

• Vendor Risk Management

• Procurement

• Governance & Management

sales@riskbasedsecurity.com vulndb.cyberriskanalytics.com


Vulnerability Trends Through Q3 2019


Q3 2019 At A Glance

Figure 1: Number of vulnerabilities disclosed by 9/30 in the last five years
Figure 2: Number of vulnerabilities disclosed in 2019

Our VulnDB team adds, on average, 70 new vulnerabilities every day. Though these can include entries that were disclosed prior
to 2019, the majority are recent vulnerabilities identified this year. The snapshot in Figure 1 shows 2019 lagging behind 2017 and
2018, but it’s comparable to how many vulnerabilities were added this time in last year’s report. By this time next year, we will
likely have added over a thousand that were disclosed but not discovered in 2019. The previous years will tick up, too, but 2019
will likely catch up over time.

Figure 2 shows a routine trend we see when aggregating vulnerabilities. Due to the variety of ways a vulnerability can be
disclosed, the different paths researchers take to publish, and the number of places this information can be found, not all
vulnerabilities disclosed in a particular month are actually known to have been disclosed today. That influences the monthly
totals as seen above. For example, we have had eight months after January to keep adding more vulnerabilities, increasing that
total. In the coming months, the September total, currently much lower than prior months, will increase.

This illustrates why it is important that an organization draw their vulnerability information from a living database, where
updates to entries with new solution or exploit information, regardless of their disclosure date, are just as important as
continually adding new vulnerabilities.


For those using and relying on CVE, you may be accustomed to seeing entries in RESERVED status. This often means that a given
ID has not been assigned, or the details of the vulnerability are not yet public. However, we are increasingly finding that there is a
third case, where the information is public, but CVE has yet to open up the ID.

Even worse, Figure 3 shows the vast number of vulnerabilities that have been disclosed without a CVE ID, and are missing from
the CVE database this year. This highlights why reliance on CVE/NVD is unacceptable for any organization that requires proper
vulnerability intelligence.

The CVE team does not actually look for vulnerability disclosures, rather they wait for researchers and vendors to notify them. As
a result, CVE consumers aren’t seeing almost 1,000 vulnerabilities this year that have been published with a CVE ID but are still in
RESERVED status. Relying on researchers or vendors to take the initiative to notify CVE is not a model that works in favor of CVE
consumers. Even worse, in some months, as many as half the vulnerabilities that CVE is slow to publish are of High or Critical
severity.

Figure 3: Number of vulnerabilities disclosed in 2019, with and without CVE IDs
Figure 4: Number of vulnerabilities disclosed in 2019 in RESERVED status, with severity
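The two points made above, matching an asset inventory against vulnerability intelligence rather than relying on a network scan (Easy Integration section), and the gap left by entries that are still RESERVED or never received a CVE ID, can be exercised with a small matcher. This is an added example for this report, not Risk Based Security's code and not VulnDB's API or record schema; the feed fields, the VDB-CONST-* and CVE-0000-* identifiers, the product names, versions and scores are all constructed placeholders.

```python
"""Match an asset inventory against a vulnerability feed without keying on CVE IDs.

Added example for this report, not Risk Based Security's code and not VulnDB's
API or record schema: field names, identifiers, versions and scores below are
all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class VulnRecord:
    """One distinct vulnerability as an intelligence feed might carry it (constructed schema)."""
    vuln_id: str                    # the feed's own identifier, independent of CVE
    product: str
    fixed_in: str                   # first fixed version; lower versions are affected
    cvss_v2: float
    exploit_public: bool            # exploit code or PoC publicly available
    cve_id: Optional[str] = None    # None: disclosed with no CVE ID at all
    cve_status: str = "PUBLISHED"   # or "RESERVED": ID exists but CVE holds no details yet


@dataclass
class Asset:
    host: str
    product: str
    version: str


def parse_version(version: str):
    """Compare dotted numeric versions component by component, so 1.10 > 1.9."""
    return tuple(int(part) for part in version.split("."))


def is_affected(asset: Asset, rec: VulnRecord) -> bool:
    """Affected when the product matches and the installed version predates the fix."""
    return asset.product == rec.product and parse_version(asset.version) < parse_version(rec.fixed_in)


def priority(rec: VulnRecord) -> float:
    """Rank by CVSSv2 base score, with a fixed bump when public exploit code exists."""
    return rec.cvss_v2 + (2.0 if rec.exploit_public else 0.0)


def match_inventory(assets: List[Asset], feed: List[VulnRecord]) -> List[Dict]:
    """Return one finding per (asset, vulnerability) pair, highest priority first.

    The join is on product and version only; the CVE ID is carried along as metadata,
    so entries with no CVE ID or a RESERVED ID are matched like any other.
    """
    findings = []
    for asset in assets:
        for rec in feed:
            if is_affected(asset, rec):
                findings.append({
                    "host": asset.host,
                    "vuln_id": rec.vuln_id,
                    "cve_id": rec.cve_id,
                    # what a process keyed purely on published CVE/NVD entries would see
                    "cve_visible": rec.cve_id is not None and rec.cve_status == "PUBLISHED",
                    "priority": priority(rec),
                })
    findings.sort(key=lambda f: f["priority"], reverse=True)
    return findings


def cve_only_blind_spots(findings: List[Dict]) -> List[Dict]:
    """Findings a CVE/NVD-only process would miss: no CVE ID, or the ID is still RESERVED."""
    return [f for f in findings if not f["cve_visible"]]


# Constructed feed: placeholder identifiers, not real vulnerabilities.
FEED = [
    VulnRecord("VDB-CONST-1", "examplelib", "2.4.1", 7.5, True, "CVE-0000-00001"),
    VulnRecord("VDB-CONST-2", "examplelib", "2.5.0", 9.3, False, "CVE-0000-00002", "RESERVED"),
    VulnRecord("VDB-CONST-3", "webapp", "1.10.0", 5.0, True, None),
    VulnRecord("VDB-CONST-4", "webapp", "1.2.0", 4.3, False, "CVE-0000-00004"),
]

# Constructed inventory: host, product and installed version.
INVENTORY = [
    Asset("web-01", "examplelib", "2.4.0"),
    Asset("web-02", "webapp", "1.9.3"),
    Asset("db-01", "examplelib", "2.5.2"),
]


if __name__ == "__main__":
    found = match_inventory(INVENTORY, FEED)
    for f in found:
        print(f"{f['host']:7} {f['vuln_id']:13} cve={f['cve_id'] or '-':15} priority={f['priority']:.1f}")
    print(f"{len(cve_only_blind_spots(found))} of {len(found)} findings invisible to a CVE/NVD-only process")
```

With the constructed data, web-01 picks up two findings and web-02 one; two of the three (the RESERVED entry and the entry with no CVE ID) would never surface in a process that starts from published CVE/NVD records, which is the blind spot the figures above quantify. The version comparison is deliberately numeric rather than string-based so that 1.10.0 sorts after 1.9.3.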


Figure 5: Distribution of vulnerabilities by impact, by 9/30/18
Figure 6: Distribution of vulnerabilities by impact, by 9/30/19

Looking at the intersection of the CIA triad (Confidentiality, Integrity, Availability) for vulnerability disclosures shows an
interesting pattern, and reveals several trends as well as pitfalls in vulnerability disclosure analysis. First, the smaller overlap
between confidentiality and availability (442 this year versus 580 last year) is the result of fewer out-of-bounds read issues and
XXE vulnerabilities being reported, both of which may have confidentiality and/or availability impacts. Also, the lack of
vulnerabilities impacting all three areas in the diagrams is primarily a result of the way we believe code execution flaws should
be treated, which follows the CVSSv2 model: the base vulnerability is the execution of the code, which impacts integrity; the
follow-up or secondary impact can be disclosing information or creating a denial of service.

One noted exception is XML External Entity (XXE) flaws that may allow for disclosure of information, a limited denial of service, or
executing a Server Side Request Forgery (SSRF) attack which affects integrity. Specifically, the XXE attack would be crafted to do
one of those independently, not all at once. However, very few researchers or vendors actually test the full impact of XXE flaws,
and it is largely assumed they can impact confidentiality or availability without a more serious effect.


“Top” Vendors by Confirmed Vulnerabilities


Each year, we aim to track who the “top” vendors are, according to the number of vulnerabilities confirmed by them so far that
year. Compared with this point last year, the composition of the top ten vendors is relatively unchanged, save for one major
change: the replacement of LG (previously placed at #8) with Cisco (currently placed at #10), who hadn’t made the cut last year.
The biggest change within these vendors is from Samsung, who went from #5 to #8, disclosing 358 fewer vulnerabilities than last
year. The year still isn’t over, but this may be a sign of major policy changes regarding disclosures or a pattern of under-reporting
from Samsung in general.

Vendor       New Rank   Old Rank   2019 Totals   2018 Totals
Oracle          1          3           969          1247
Google          2          4           945           977
SUSE            3          1           812          1259
SITPI           4          2           805          1254
Red Hat         5          6           757           951
IBM             6          9           736           626
Canonical       7          7           655           903
Samsung         8          5           614           972
Microsoft       9         10           485           434
Cisco          10         10+          390           405

Table 1: Top ten vendors for this year, as well as how their standings compare to last year, by Q3 2019.


Reference
The following charts illustrate the classifications of vulnerabilities disclosed by September 30th, 2019, compared to those
disclosed in the same period in 2018. They demonstrate shifts in the proportion of vulnerabilities in that classification, and are
included for ongoing reference purposes.

Figure 7: Distribution of vulnerability attack type, disclosed by 9/30 (2019 & 2018)

Figure 8: Distribution of vulnerability disclosure coordination, disclosed by 9/30 (2019 & 2018)


Figure 9: Distribution of vulnerability exploit availability, disclosed by 9/30 (2019 & 2018)

Figure 10: Distribution of vulnerability location, disclosed by 9/30 (2019 & 2018)


Figure 11: Distribution of vulnerability solution type, disclosed by 9/30 (2019 & 2018)


Methodology and Terms


VulnDB is derived from a proprietary search engine and daily analysis of thousands of vulnerability sources. Unlike some
vulnerability database providers, Risk Based Security is constantly searching for and adding new sources.

VulnDB counts only distinct vulnerabilities. Products sharing the same vulnerable codebase are considered only one unique
vulnerability. We do not consider vulnerabilities that affect multiple products as unique vulnerabilities as some vulnerability
databases do. To be clear, a vulnerability in a third-party library such as OpenSSL is treated as one vulnerability within VulnDB.
While additional products known to leverage OpenSSL will be documented as affected by that vulnerability, the multiple projects
using and integrating that code do not constitute additional unique vulnerabilities, and are not included in any VulnDB counts.
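The counting rule described above (one vulnerability per flaw in a shared codebase, however many products bundle that code) is easy to get wrong when advisories arrive per vendor. The following is an added example, not VulnDB's code or data model: the advisory rows and the "codebase_vuln" key that ties several advisories to one flaw in shared code are constructed, as are the vendor and product names.

```python
"""Count distinct vulnerabilities the way the methodology above describes.

Added example, not VulnDB's code or data model. The advisory rows and the
"codebase_vuln" key that ties them to one flaw in shared code are constructed.
"""
from collections import defaultdict
from typing import Dict, List


# Constructed rows, one per vendor advisory. Three vendors each publish an advisory
# for the same flaw in a shared library ("VDB-CONST-100"), the pattern the text
# describes for OpenSSL-style third-party components. One advisory is re-issued.
ADVISORIES = [
    {"vendor": "UpstreamLib", "product": "examplessl", "codebase_vuln": "VDB-CONST-100"},
    {"vendor": "VendorA", "product": "appliance-a", "codebase_vuln": "VDB-CONST-100"},
    {"vendor": "VendorB", "product": "server-b", "codebase_vuln": "VDB-CONST-100"},
    {"vendor": "VendorB", "product": "server-b", "codebase_vuln": "VDB-CONST-100"},  # duplicate re-issue
    {"vendor": "VendorA", "product": "appliance-a", "codebase_vuln": "VDB-CONST-101"},
    {"vendor": "VendorC", "product": "client-c", "codebase_vuln": "VDB-CONST-102"},
]


def affected_products(rows: List[Dict]) -> Dict[str, List[str]]:
    """Map each distinct vulnerability to the products documented as affected, without duplicates."""
    seen = defaultdict(list)
    for row in rows:
        product = f"{row['vendor']}/{row['product']}"
        if product not in seen[row["codebase_vuln"]]:
            seen[row["codebase_vuln"]].append(product)
    return dict(seen)


def count_distinct(rows: List[Dict]) -> int:
    """Methodology-style count: one vulnerability per flaw in the shared codebase."""
    return len(affected_products(rows))


def count_per_product(rows: List[Dict]) -> int:
    """The inflated count produced by treating every (product, flaw) pair as its own entry."""
    return sum(len(products) for products in affected_products(rows).values())


if __name__ == "__main__":
    for vuln, products in affected_products(ADVISORIES).items():
        print(vuln, "->", ", ".join(products))
    print("distinct:", count_distinct(ADVISORIES), "per-product:", count_per_product(ADVISORIES))
```

On the constructed rows the distinct count is 3 while the per-product count is 5, which is the difference the methodology warns about when comparing totals across databases; the affected-product list for each vulnerability is still retained so that downstream consumers know which products to check.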

CVE: Mission vs. Expectations


One of the fundamental objectives of VulnDB is to expand our search methods and collect as many vulnerabilities as possible, to
provide our clients with the most comprehensive vulnerability intelligence available, allowing them to determine which
vulnerabilities are important to their organization.

While we maintain a curated list of over 3,000 sources that are monitored on an hourly, daily, and weekly basis, new sources are
discovered and/or are brought to our attention every day. CVE, on the other hand, issues CVE IDs when requested by a vendor or
researcher. Their mission is not to search for vulnerabilities like a vulnerability intelligence company. Rather, they are charged
with assigning IDs and keeping minimal records.

Why then do organizations, scanning companies, risk platforms, and security service providers continue to use CVE/NVD as a
vulnerability intelligence service and continue to insist that it is “good enough”? Who is best served by this approach? Certainly
not those organizations, government agencies and consumers victimized by the increasing number of data breaches from
exploited software vulnerabilities.


About Risk Based Security


Risk Based Security (RBS) provides detailed information and analysis on Vulnerability Intelligence, Vendor Risk Ratings, and Data
Breaches. Our products, Cyber Risk Analytics (CRA), VulnDB and YourCISO, provide organizations access to the most
comprehensive threat intelligence knowledge bases available, including advanced search capabilities, access to raw data via API,
and email alerting to assist organizations in taking the right actions in a timely manner.

For more information, visit www.riskbasedsecurity.com or call +1 855-RBS-RISK.

About VulnDB
VulnDB is the most comprehensive and timely vulnerability intelligence available and provides actionable information about the
latest in security vulnerabilities via an easy-to-use SaaS Portal, or a RESTful API that allows easy integration into GRC tools and
ticketing systems. VulnDB allows organizations to search and be alerted on the latest vulnerabilities, both in end-user software
and the 3rd Party Libraries or dependencies.

A subscription to VulnDB provides organizations with simple to understand ratings and metrics on their vendors and products,
and how each contributes to the organization’s risk-profile and cost of ownership.

sales@riskbasedsecurity.com vulndb.cyberriskanalytics.com

No Warranty

Risk Based Security, Inc. makes this report available on an “As-is” basis and offers no warranty as to its accuracy, completeness or
that it includes all the latest data breaches. The information contained in this report is general in nature and should not be used
to address specific security issues. Opinions and conclusions presented reflect judgment at the time of publication and are
subject to change without notice. Any use of the information contained in this report is solely at the risk of the user. Risk Based
Security, Inc. assumes no responsibility for errors, omissions, or damages resulting from the use of or reliance on the
information herein. If you have specific security concerns please contact Risk Based Security, Inc. for more detailed data loss
analysis and security consulting services.
