NVD: It’s Another Record Year for Vulnerabilities

The US-CERT has recorded more vulnerabilities so far in 2021 than any year previously, the fifth year in a row this has happened.

At the time of writing, 18,376 vulnerabilities in production code were recorded in the US National Vulnerability Database (NVD), exceeding the 2020 record of 18,351.

However, there were fewer high-severity bugs in the NVD than last year. In 2020 the figure reached an all-time high of 4381, falling to 3630 so far in 2021.

Pravin Madhani, CEO of K2 Cyber Security, argued that this could be due to improved coding practices and the growing popularity of DevSecOps. However, while organizations are coding better, they’re not testing as thoroughly as they should, allowing bugs to slip through into production, he added.

“The ongoing COVID-19 pandemic has continued to push many organizations to rush getting their applications to production, as part of their digital transformation and cloud journeys,” Madhani said.

“This means the code may have been through fewer QA cycles, and there may have been more use of third party, legacy, and open source code, another risk factor for more vulnerabilities.”

Casey Ellis, CTO at Bugcrowd, argued that the record number of software flaws this year is a reflection of the pace of technological development.

“It’s a probability game, and the more software that is produced, the more vulnerabilities will exist,” he added.

Yaniv Bar-Dayan, CEO at Vulcan Cyber, claimed that more concerning than this year’s NVD list is the “security debt” that continues to pile up year after year.

“If IT security teams are leaving 2020's vulnerabilities unaddressed, the real 2021 number is cumulative and becoming harder and harder to defend against,” he argued.

“Cybersecurity teams need to do more than just scan for vulnerabilities. We need to work together as an industry to better measure, manage and mitigate cyber risk, or we will be crushed by this growing mountain of vulnerability debt.”

The news comes after bug bounty platform HackerOne revealed its researchers found 66,000 valid vulnerabilities this year, a 20% increase on the 2020 figure.
