Security teams are struggling to remediate vulnerabilities

Enterprise security teams are struggling to go beyond simple detection and aim to effectively respond to and remediate vulnerabilities.

The study found that business leaders and IT managers are limited in their ability to obtain the critical information they need to effectively protect valuable business assets, making vulnerability management programs largely ineffective.

Risk assessment outside the context of the business is useless. Most of the Vulcan Cyber survey participants tend to sort vulnerabilities by infrastructure (64%), business function (53%), and application (53%).

The vast majority of decision makers assess and prioritize vulnerabilities according to two or more models: CVSS Common Vulnerability Scoring System (71%), OWASP Top 10 (59%), Vulnerability Scanner (47%), top -25 CWE (38%) or bespoke models (22%). To ensure meaningful cyber risk management, a customized scoring and prioritization model takes into account multiple industry standards is ideally suited and most effective.

The more control a security team has over the assessment and prioritization of risks, the more effectively they can mitigate them. However, there is still no industry-wide framework for risk-based vulnerability management, which means cyber hygiene is still inadequate and vulnerabilities continue to pose risks.

The majority of survey participants (54%) consider confidential data leakage to be the most serious threat that vulnerabilities in applications can lead to. This is followed by incorrect authentication (44%), incorrect configuration of security mechanisms (39%), insufficient logging and monitoring (35%), and injection (32%).

The research was conducted prior to the disclosure of the Log4shell vulnerability in the Log4J logging utility, so it does not appear in the researchers’ report. But we talked about what First ransomware exploiting Log4Shell problem was discovered and that Chinese APTs are interested in Log4Shell vulnerability.