As 2023 kicks into gear, vulnerability numbers are up, and those numbers aren’t slowing down. According to Coalition, 94% of organizations had at least one vulnerability in 2022, and unauthenticated database use and ransomware attacks increased substantially. Most experts predict that this trend will continue throughout this year.
Fortunately, despite the challenge of tackling such enormous numbers of vulnerabilities, there are ways companies can improve their security. By prioritizing vulnerabilities effectively and implementing a web application firewall, it’s possible to reduce the risk of attack and mitigate the damage of any security incident.
Production Vulnerabilities Are Already a Major Issue
Many new vulnerabilities are discovered each year, and some of these come from zero-day attacks, or attacks that utilize a previously unknown vulnerability. Ideally, security professionals would be able to identify a vulnerability and patch it before someone attacks it, but this is not always the case. As code in everything from basic hardware to web applications becomes more complex, it is increasingly challenging to know where all the potential vulnerabilities are.
Even with a reasonable idea of what vulnerabilities exist, it can be time-consuming and resource-intensive to apply patches. If a vulnerability has been exploited before, a security team can determine whether it is critical and prioritize accordingly. However, if the vulnerability is new, it is harder to know how to prioritize it, and it takes time and energy to find the best way to address the issue. Once an effective patch is available, it takes even more time and resources to distribute and apply it. All of this delays production.
However, many organizations are finding that delaying patches creates bigger problems than a delayed app release. Failing to patch quickly can result in expensive and reputation-damaging data breaches, ransomware attacks, phishing directed either at employees or customers, and other frustrating problems. Any attack can be expensive, and often an attack creates downtime that negatively impacts business operations (and profitability).
CVE Numbers Are Growing
Many organizations reference CVE (Common Vulnerabilities and Exposures) to determine whether their apps have any glaring vulnerabilities. The CVE list compiles vulnerabilities that have been previously reported, either by researchers, bug bounty hunters, or victims of attacks. Each vulnerability is defined and catalogued to help organizations address those vulnerabilities within their own web apps and software.
Coalition anticipates that, based on a 10-year model, in 2023 there will be an average of 1900 new CVEs per month. 15% of the new CVEs will likely be rated high severity, and another 8% are expected to be rated critical severity. Overall, vulnerabilities will likely increase 13% compared to 2022. Patching has already begun at a frenetic pace. For example, in its first major patch release of the year, Microsoft addressed over 100 CVEs, and it’s certain that more are to come.
Managing Production Vulnerabilities at Scale
If a large company like Microsoft is knocking out 100 patches at a time (and still hasn’t fixed everything), it seems like there isn’t much hope for everyone else. Realistically, organizations will have to prioritize CVEs to ensure that web apps are well protected, and then deploy firewalls to shield the remaining vulnerabilities as much as possible. With the increased number of vulnerabilities, fixing everything immediately is almost certainly not feasible. Prioritization and broad protective measures are key.
Using a scoring system like EPSS or CVSS, it’s possible to determine whether a vulnerability is critical or high-risk. Once organizations determine which of their vulnerabilities are most critical, they should patch them as soon as possible to reduce the risk of a breach. An unpatched critical vulnerability is the rough equivalent of a gaping hole in the side of a ship. It may not be sinking yet, but if the hole isn’t closed up quickly, it’s only a matter of time. Once the worst of the vulnerabilities have been patched, organizations can start working down the list of priorities as time and resources allow.
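The prioritization described above can be made concrete as a small triage routine. The following is an added example, not code from the original article or from Coalition: it combines a CVSS v3.x base score (bucketed into the standard None/Low/Medium/High/Critical ranges) with an EPSS exploitation probability and a simple "is this internet-facing?" flag to sort findings into patch-now, schedule and backlog tiers. The CVE identifiers, scores and probabilities in the sample data are constructed placeholders, not real vulnerability data; the tier thresholds are assumptions chosen for illustration, and in practice the scores would be pulled from the NVD and the FIRST EPSS feed.

```python
"""Rank a constructed set of vulnerabilities by CVSS severity and EPSS score.

Added example, not from the original article. All CVE identifiers, CVSS base
scores and EPSS probabilities below are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve_id: str            # placeholder identifier, constructed for this example
    cvss_base: float       # CVSS v3.x base score, 0.0 to 10.0
    epss: float            # EPSS probability of exploitation in the next 30 days
    internet_facing: bool  # whether the affected component is reachable from the internet


# Tier names and the order in which they are worked, most urgent first.
TIER_ORDER = {"patch_now": 0, "schedule": 1, "backlog": 2}


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def assign_tier(f: Finding, epss_threshold: float = 0.1) -> str:
    """Assign a remediation tier (thresholds are assumptions for this example).

    patch_now: internet-facing and either likely to be exploited (EPSS at or
               above the threshold) or rated Critical by CVSS.
    schedule:  High/Critical by CVSS or likely to be exploited, but not both
               exposed and urgent.
    backlog:   everything else.
    """
    likely_exploited = f.epss >= epss_threshold
    if f.internet_facing and (likely_exploited or f.cvss_base >= 9.0):
        return "patch_now"
    if f.cvss_base >= 7.0 or likely_exploited:
        return "schedule"
    return "backlog"


def prioritize(findings, epss_threshold: float = 0.1):
    """Return findings as dicts, sorted from most to least urgent.

    Within a tier, higher EPSS comes first, then higher CVSS.
    """
    rows = [(assign_tier(f, epss_threshold), f) for f in findings]
    rows.sort(key=lambda tf: (TIER_ORDER[tf[0]], -tf[1].epss, -tf[1].cvss_base))
    return [
        {
            "cve_id": f.cve_id,
            "severity": cvss_severity(f.cvss_base),
            "epss": f.epss,
            "tier": tier,
        }
        for tier, f in rows
    ]


# Constructed sample findings (placeholder CVE ids, not real vulnerabilities).
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", 9.8, 0.020, True),   # Critical, exposed
    Finding("CVE-0000-0002", 7.5, 0.450, True),   # High, exposed, very likely exploited
    Finding("CVE-0000-0003", 9.1, 0.010, False),  # Critical but internal only
    Finding("CVE-0000-0004", 5.3, 0.300, False),  # Medium by CVSS, but high EPSS
    Finding("CVE-0000-0005", 3.1, 0.001, True),   # Low, exposed, unlikely to be exploited
    Finding("CVE-0000-0006", 6.5, 0.020, False),  # Medium, internal
]


if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS):
        print(f"{row['tier']:<9} {row['cve_id']}  {row['severity']:<8} epss={row['epss']:.3f}")
```

The point the ranking makes is that CVSS alone misorders the list: the Medium-rated finding with a high EPSS probability outranks the Critical-rated finding that is internal-only and unlikely to be exploited, which is the "work down the list as resources allow" behaviour the text describes.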
In the meantime, one of the best ways to improve security is to implement a web application firewall (WAF). A WAF protects web apps from vulnerability exploits, such as malicious code, phishing or smishing attempts, and ransomware. Although a WAF can’t patch your web app’s code, it can help keep attackers away from exploitable flaws and minimize the damage if one is found. Web Application and API Protection (WAAP) is also worth considering. A WAAP performs many of the same functions as a WAF, with additional detection capabilities that can help automate security for increased peace of mind.
TLS/SSL encryption may also prove useful for reducing the risk of malicious code injection. Requiring multi-factor authentication for both customers and employees to log in to web apps reduces the risk of attackers gaining access from a compromised password, and training refreshers can remind employees of best practices for avoiding phishing and other social engineering attacks.
While it’s clear that staying ahead of possible attack vectors in 2023 will be a challenge, organizations that use these strategies have a good chance of minimizing attacks. CVEs are up, but massively expensive data breaches and cyber incidents don’t have to be.