NopSec Releases the 2018 State of Vulnerability Risk Management Report

NEW YORK, Aug. 8, 2018 /PRNewswire-PRWeb/ -- NopSec, a world leader in cybersecurity analytics, threat and vulnerability risk management and remediation, today released a new report, "The 2018 State of Vulnerability Risk Management".

This report offers an analysis of current trends in vulnerability risk management. It examines the attributes of security vulnerabilities through a variety of lenses:

    --  Attributes of vulnerabilities published since 2002 versus those only
        recently published
    --  Attributes of all vulnerabilities published in the National
        Vulnerability Database (NVD) in contrast with only those uploaded into
        our platform by our clients
    --  Vulnerabilities broken down by industry vertical, CVSS score, product
        vendor and active exploitation in the wild

"NopSec continues to explore new data, methods and techniques to better understand and prioritize vulnerability data," notes NopSec's CTO, Michelangelo Sidagni. "Our mission is to empower cyber security and risk professionals to make better decisions to reduce their cyber risk exposure. In this sense, not all vulnerabilities are created equal."

Top findings include:

    --  We found that approximately 21% of CVEs published have associated
        exploit code in the Exploit Database alone. However, only 1.6% have
        associated Metasploit modules. Less than 2% (1.92%) have been linked to
        malware. Roughly 95% of vulnerabilities ranked as high have never been
        linked to malware seen in the wild.
    --  44% of CVEs associated with malware were scored as medium or low on the
        CVSS scale, suggesting that focusing solely on CVEs with high scores
        (7+) would be a mistake.
    --  NopSec has found that the language used in CVE descriptions gives clues
        about the fate of vulnerabilities. For example, approximately half of
        all descriptions of vulnerabilities linked to malware include the phrase
        "allows remote".
    --  Vendors most likely to be associated with malware vary significantly,
        depending on whether all CVE data is taken into consideration, or just
        the last 18 months' worth. For example, OpenSSL is most commonly
        associated with malware when considering all CVEs, whereas Canonical
        (Ubuntu) takes the top spot when considering only recently published
        CVEs.
    --  Only half of the Top 20 vulnerabilities derived from NopSec client data
        can be fixed with a patch. The remainder represent configuration issues
        to be fixed or insecure cryptographic algorithms or protocols to be
        disabled.
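The findings above argue that ranking by CVSS score alone misorders work: a medium-scored CVE with malware in the wild deserves attention before a critical-scored one with no known exploit. The following is an added illustration of that prioritization idea and is not code from the NopSec report or the Unified VRM platform. The records are constructed placeholders (not real CVEs), and the evidence weights are assumptions chosen to make the point, not figures from the report.

```python
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class VulnRecord:
    """One vulnerability plus the enrichment a prioritizer needs."""
    vid: str            # placeholder identifier, not a real CVE ID
    cvss: float         # base score on the 0-10 CVSS scale
    description: str
    exploitdb: bool = False   # public exploit code exists (e.g. Exploit Database)
    metasploit: bool = False  # a Metasploit module exists
    malware: bool = False     # linked to malware seen in the wild


def cvss_band(score: float) -> str:
    """Qualitative band using the standard CVSS v3 severity cut-offs."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def has_remote_language(description: str) -> bool:
    """The report notes 'allows remote' is common in malware-linked descriptions."""
    return "allows remote" in description.lower()


def risk_score(v: VulnRecord) -> float:
    """CVSS plus evidence of real-world exploitation.

    Weights are illustrative assumptions: malware in the wild dominates,
    then a ready-made Metasploit module, then any public exploit code,
    then the weaker textual signal.
    """
    score = v.cvss
    if v.malware:
        score += 6.0
    if v.metasploit:
        score += 4.0
    if v.exploitdb:
        score += 2.0
    if has_remote_language(v.description):
        score += 1.0
    return score


def rank(vulns: List[VulnRecord], key: Callable[[VulnRecord], float]) -> List[str]:
    """Return identifiers ordered from highest to lowest by the given key."""
    return [v.vid for v in sorted(vulns, key=key, reverse=True)]


def malware_linked_below_high(vulns: List[VulnRecord]) -> float:
    """Share of malware-linked records that are only medium or low on CVSS."""
    linked = [v for v in vulns if v.malware]
    if not linked:
        return 0.0
    lowish = [v for v in linked if cvss_band(v.cvss) in ("medium", "low")]
    return len(lowish) / len(linked)


# Constructed sample records (placeholders, not real vulnerabilities).
SAMPLE = [
    VulnRecord("A", 9.1, "Integer overflow in the image parser of a desktop application"),
    VulnRecord("B", 5.3, "Directory traversal in the web console allows remote attackers "
                         "to read arbitrary files", exploitdb=True, malware=True),
    VulnRecord("C", 7.5, "Use-after-free in the media decoder allows remote attackers "
                         "to cause a denial of service", exploitdb=True),
    VulnRecord("D", 3.1, "Information disclosure via verbose error message"),
]


if __name__ == "__main__":
    print("CVSS-only order:    ", rank(SAMPLE, lambda v: v.cvss))
    print("Evidence-based order:", rank(SAMPLE, risk_score))
    print("Malware-linked that are medium/low:",
          f"{malware_linked_below_high(SAMPLE):.0%}")
```

On this sample, ordering by CVSS alone puts the unexploited critical record A first and the malware-linked medium record B third; the evidence-weighted ranking moves B to the top. The point is the shape of the ranking function, not the particular weights, which any team would tune to its own threat intelligence.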

Download the Report now to explore the findings in more detail.

About NopSec

NopSec provides automated IT security control measurement and risk remediation to help businesses protect environments from security breaches. The company's flagship SaaS product, Unified VRM, utilizes passive analysis, active exploitation and contextual enrichment to visually forecast threat risk, and dramatically reduce the time to remediation of critical vulnerabilities across infrastructure and applications. For more information, visit http://www.nopsec.com or follow us on Twitter @nopsec.

SOURCE NopSec.com, inc.