How to manage the rising tide of CVEs


Software defects across MOVEit file-transfer services, Log4Shell and Citrix Bleed are among the highest-profile vulnerabilities that have been exploited in recent years, but they represent just a sliver of the total CVEs causing widespread damage.

The volume of CVEs is steadily increasing each year — SecurityScorecard recorded 29,000 vulnerabilities in 2023 and already this year it tracked nearly 27,500 vulnerabilities.

That number is expected to hit 34,888 in 2024, a 25% increase, according to Coalition’s 2024 Cyber Threat Index report. It underscores the challenge for organizations to continuously manage vulnerabilities and strengthen defenses against potential exploits.

While three-quarters of organizations employ a formal program to manage vulnerabilities, many are struggling with a backlog they cannot fix and a growing number that need vendors or the open-source community to remediate, according to the SANS 2022 Vulnerability Management Survey.

Organizations need effective CVE management to mitigate the risks posed by these vulnerabilities, but many struggle with the complexity of identifying and prioritizing the most critical threats amid a constant influx of new vulnerabilities.

“The sheer number of CVEs makes it difficult to keep track of all potential vulnerabilities,” said Amit Bismut, head of product at Backslash Security.

With many vulnerabilities deemed critical, the challenge is deciphering which ones pose the biggest risk. One way is to understand if the CVE can potentially be exploited in your specific environment, Bismut said.

Organizations need to prioritize vulnerabilities that represent a specific risk to the environment and direct resources so that the most dangerous vulnerabilities are mitigated promptly.

“Context helps security teams focus on vulnerabilities with the most significant threat to their unique setup, rather than trying to address every single issue,” he said.

How CVE identifiers help vulnerability ranking

Using the CVE number, which is a common identifier, security teams can rank vulnerabilities according to a range of data sources and use vulnerability scanners or intrusion detection systems to find them.
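As an added illustration of that idea (example code, not from the article or any vendor it quotes), the following Python uses the CVE identifier as the join key between constructed scanner findings, an exploitation-intel feed and per-asset context, then ranks the results so that environment-specific risk, not CVSS alone, drives the order. The CVE ids, asset names and score weights are all assumed placeholders.

```python
# Contextual CVE prioritization: join scanner output, exploit intel and asset
# context on the CVE id, then rank. Every value below is constructed sample data.

# Constructed scanner findings: (asset, CVE id placeholder, CVSS base score)
SCAN_FINDINGS = [
    ("web-01", "CVE-0000-0001", 9.8),
    ("db-01", "CVE-0000-0002", 7.5),
    ("build-01", "CVE-0000-0003", 9.1),
    ("web-02", "CVE-0000-0001", 9.8),
]

# Constructed threat-intel feed keyed by CVE id: ids seen exploited in the wild
KNOWN_EXPLOITED = {"CVE-0000-0002"}

# Constructed asset inventory: exposure and whether the vulnerable component
# is actually deployed and reachable on that host
ASSET_CONTEXT = {
    "web-01": {"internet_facing": True, "component_in_use": True},
    "web-02": {"internet_facing": True, "component_in_use": False},
    "db-01": {"internet_facing": False, "component_in_use": True},
    "build-01": {"internet_facing": False, "component_in_use": True},
}

# Assumed weights: exploitation evidence counts for more than exposure
EXPLOITED_BONUS = 5.0
INTERNET_FACING_BONUS = 3.0


def contextual_score(cvss, exploited, ctx):
    """Combine CVSS with environment context; unreachable findings score 0."""
    if not ctx["component_in_use"]:
        return 0.0  # not exploitable in this environment: defer, do not drop
    score = cvss
    if exploited:
        score += EXPLOITED_BONUS
    if ctx["internet_facing"]:
        score += INTERNET_FACING_BONUS
    return score


def rank_findings(findings, exploited, context):
    """Return (score, asset, cve) tuples, highest contextual risk first."""
    unknown = {"internet_facing": True, "component_in_use": True}  # assume worst
    ranked = []
    for asset, cve, cvss in findings:
        ctx = context.get(asset, unknown)
        ranked.append((contextual_score(cvss, cve in exploited, ctx), asset, cve))
    ranked.sort(key=lambda r: (-r[0], r[1], r[2]))
    return ranked
```

Note that the CVSS 7.5 finding on db-01 outranks the CVSS 9.1 finding on build-01 because it has exploitation evidence, while the same CVSS 9.8 id on web-02 drops to the bottom because the component is not in use there.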

It wasn’t always this way. Before CVE identification was formalized, security teams had to piece together vulnerability information, according to TK Keanini, CTO of DNSFilter and founding member of the CVE program.