The Eighth Edition of the report delves into Risk Density, Mean Time to Remediate (MTTR) critical vulnerabilities, and the convergence of vulnerability management and penetration testing output.
Edgescan, the first fully integrated cybersecurity platform, announced today the release of its 2023 Vulnerability Statistics Report. The vulnerability data analyzed was collected from thousands of security assessments and penetration tests performed on millions of assets, using the Edgescan Platform in 2022.
The eighth edition of the report provides a statistical model of the most common weaknesses faced by enterprises, to enable data-driven decisions for managing risks and exposures more effectively. The statistical models are split across layers of the technology stack, such as the Web Application, API, and Device/Host layers. Additionally, the data distinguishes four tiers of business size based on employee count, and distinguishes internet-facing from internally facing assets.
“We are still not getting the basics right. In 2022 we’ve observed many very basic vulnerabilities, many of which are commonly leveraged by cybercrime. Continuous assessment, validation & prioritization will make a huge difference to any organization’s cybersecurity posture. All vulnerabilities are not created equal, and we must focus on what matters to protect our respective organizations and businesses,” said Eoin Keary, Founder and CEO of Edgescan.
The report provides insight into how quickly vulnerabilities are being fixed based on risk. Unfortunately, known (i.e., patchable) exploitable vulnerability types are still being found at high rates, with working exploits in the wild being used by nation states and cyber-criminal groups against organizations that are slow to patch.
- Non-internet-facing systems have a significant risk density, giving criminals an easy time once the network perimeter is breached.
- Mean Time to Remediate (MTTR) for Critical Severity vulnerabilities is 65 days.
- 33% of all vulnerabilities across the full stack discovered in 2022 were either High or Critical Severity.
- The most common application layer and API vulnerabilities are still Injection related.
- 13.5% of vulnerabilities in an enterprise’s backlog are either High or Critical Severity.
- 12% of all risk-accepted vulnerabilities in 2022 were considered (in isolation) Critical Severity.
New in this report is the way Edgescan looks at prioritization and risk scores. Since Edgescan employs several risk prioritization scoring mechanisms, we take a deeper look at the most common risks faced by organizations and examine the correlation between the various risk scoring methodologies.
Methodology of Data Collection
All vulnerability data analyzed for the Edgescan Vulnerability Statistics Report was collected from thousands of security assessments and penetration tests performed on millions of assets; this growing collection of intelligence is stored in our data lake and is used for analytics-based validation across the solutions that comprise the Edgescan Platform. Vulnerability data was sourced from over 250 companies of various sizes, from the Fortune 500 to medium and small businesses, across 30 industry verticals.