Shortcomings with CVE-overreliance and flaws in security scoring systems

It’s nearing the end of 2023, and we’ve recently published a report, “State of EASM 2023”, offering insights into the state of attack surfaces across a sample of our customer base. The report takes anonymous and aggregated Detectify data to explore the state of External Attack Surface Management within our customers.

The data set includes:

• 235 companies & organizations, including large enterprises and mid-market companies from across a range of industries.
• 60% of our mid-market and enterprise customer base (excluding our self-service users). This data contains a sample of customers with a new vulnerability since 1st of June this year.
• 361,028 vulnerabilities – the total number of vulnerabilities found across the attack surfaces of our sample.
• 30 countries – we used a representative sample of our customer base to gather geographical insights regarding company size and industry.

What did we learn from this?

For starters, it’s no surprise that the findings revealed that organizations’ most prominent threats during 2023 are vulnerabilities not covered by common disclosure processes, like CVEs.

Detectify CEO Rickard Carlsson has been talking about this for some time  – his article on the trouble with CVEs and vulnerability management in modern tech stacks demonstrates the risks associated with an overly reliant approach to established methods. And this was again evident in the data we collected for our report. 

“Security teams spend valuable time on vulnerabilities that often don’t even have an exploit available while significant threats are overlooked,” Rickard says. “Effective prioritization will be key in 2024; organizations must reduce their vulnerability backlog by leveraging solutions that offer highly accurate findings and integrate their unique business context into the equation. One-size-fits-all strategies don’t fit the bill”. 

We also learned that 75% of the total vulnerabilities regularly scanned by Detectify, primarily crowdsourced from its community of ethical hackers, didn’t have a CVE assigned. This again reflects how over-reliance on frameworks like the CVE program weakens organizations’ security posture and gives them an unrealistic sense of security.

Security teams spend valuable time on vulnerabilities that often don’t even have an exploit available while significant threats are overlooked

– Rickard Carlsson, CEO, Detectify

Furthermore, no critical findings were present in the Top 30 vulnerabilities for SaaS customers (as defined by the public security scoring system CVSS) used in the sample, again showcasing  how score-based frameworks fail to help security teams comprehend the actual level of risk posed by threats in the modern AppSec stack, particularly in an industry that has one of the largest volumes of threats. 

What were the most common vulnerabilities of 2023?

The report also outlines the most common vulnerabilities found across organizations’ attack surfaces in 2023 include SSL/TLS Hostname Mismatch, Expired Certificate, Path-based XSS, CVE-2021-40438 (Apache mod_proxy SSRF), and HTTPS/HTTP Mixed Content.

We also learnt that The Banking & Financial Services and Public Sector industries have experienced the largest share of critical-severity vulnerabilities due to their aggressive modernization efforts. SQL Injection was the most common critical threat for these industries, which may be attributed to the sensitivity of the data they store and how it’s frequently targeted by attackers.

What’s ahead for 2024?

Aside from CVSS continuing to be unrepresentative of the true risk vulnerabilities represent, here’s what else is ahead for 2024: 

Prioritization based on high-fidelity assessments:
The prioritization of threats will continue evolving to rely on security teams trusting their tools to generate high-fidelity findings and effectively integrate those into their workflow to speed up remediation.

Leveraging the power of crowdsourced research:
We’ll continue seeing strong growth in the demand for solutions that crowdsource security research. Research from ethical hackers proves its value in democratizing and streamlining the response to threats, surpassing the limitations of established disclosure processes, as highlighted in our report.

A continued need for market education:
Security teams must continue to educate themselves on how EASM can complement their organization’s existing security stack, particularly around how EASM can fill the gaps missed by AppSec tooling.

Dive into the details of the report