This marks the fourth year in a row that a record number of vulnerabilities has been discovered, following 17,306 in 2019.
The US-CERT Vulnerability Database has confirmed 17,447 vulnerabilities were recorded in 2020, marking the fourth consecutive year with a record number of security flaws published.
On Dec. 15, 2020, officials reported 4,168 high-severity vulnerabilities, 10,710 medium-severity vulnerabilities, and 2,569 low-severity vulnerabilities this year. In 2019, there were 17,306 flaws published: 4,337 high-severity, 10,956 medium-severity, and 2,013 low-severity vulnerabilities.
The continuous increase raises a question: Are developers shipping more insecure code, or are white-hat hackers getting better at finding vulnerabilities? Given the current climate and the growing popularity of bug bounty programs, experts suggest both factors could be at play.
This year saw massive growth in crowdsourced security. In its recent “Priority One” report, security firm Bugcrowd reports a 50% increase in vulnerability submissions in the last 12 months compared with the year prior. These bug reports reflect a 65% increase in P1 submissions (the most critical vulnerabilities) and a 4% increase in the validity of submissions.
“Hackers are finding bugs with greater impact, and communicating them to affected organizations with greater accuracy,” founder and CTO Casey Ellis wrote in a blog post.
Web applications make up the majority of vulnerabilities reported, but Bugcrowd data shows other categories are catching up as hackers diversify their skill sets to remain competitive in the ever-growing space. Submissions for all targets increased in 2020; notably, API vulnerabilities doubled and bugs discovered in Android targets more than tripled this year, researchers report.
The COVID-19 pandemic forced security practitioners into response mode, and the industry was at first preoccupied with keeping the lights on, changing work practices, and reprioritizing projects. However, as the industry grew accustomed to remote work and spent more time at home, Bugcrowd saw an increase in activity: Critical bug (P1) payouts jumped 31% between the first and second quarters of this year; P2 payouts increased 31% between quarters two and three.
HackerOne confirmed similar findings in its latest “Hacker Powered Security Report” earlier this year. More than a third of the 180,000 bugs found via HackerOne were reported in the past year. New hacker signups on the platform increased 59%, and submitted bug reports grew by 28%, in the months immediately following the start of the pandemic, researchers report. The businesses participating in crowdsourced security paid 29% more bounties in the same period.
This year has forced many businesses to rethink their vulnerability disclosure programs (VDPs), which have traditionally focused more on customer-facing assets and attack surfaces. Now they want more information on weaknesses in third-party systems or applications employees use on a regular basis. Many VDPs have grown to include back-end business support systems as well.
“It was nowhere near the norm, and that’s quickly become the norm over the past few months,” says HackerOne co-founder and CTO Alex Rice. “Organizations recognize that their attack surface is evolving. … What they thought was their perimeter before isn’t quite the perimeter.”
The increased participation in crowdsourced security has certainly driven the number of bugs reported this year; however, it’s worth noting the pandemic’s effect on software development. Many organizations have had to rush applications through production, cutting down on quality assurance cycles and relying more heavily on third-party, legacy, and open source code, says Pravin Madhani, co-founder and CEO at K2 Cyber Security.
“Despite the emergence of DevSecOps and shift-left approaches, the number of vulnerabilities in released code continues to rise,” he says. “Companies still struggle to find the balance between getting applications to market quickly and securing their code.”
If the timing of vulnerability disclosures proved a challenge to your security team, you’re not alone. Three times in 2020, Microsoft and Oracle rolled out security fixes on the same day. More patches are released on Patch Tuesday than any other day of the month, and this year has been a big one for Microsoft alone: In eight months of 2020, the company released more than 110 patches for its products and services; in June and September, the count was 129 fixes.
“The first thing I think of is just volume,” says Dustin Childs of Trend Micro’s Zero Day Initiative (ZDI) about Patch Tuesday trends. “There’s so many patches from Microsoft; it’s just a record year for them. We’re probably going to disclose a record amount of advisories in the ZDI.”