You’ve probably heard of Heartbleed, you’ve seen Shellshock, and the press were all over POODLE. But even within the information security sector, it’s easy to underestimate just how dangerous application vulnerabilities are.
By design, you need to give a wide range of applications access to your systems. Some of them connect with crucial databases. Others could persistently go online to send and receive up-to-date information. But when these applications are vulnerable to attack, that access can be quickly turned against you.
Fortunately, there’s a window of opportunity to defend your data. A chance to eliminate application vulnerabilities before attackers have the chance to exploit them.
Unfortunately, not every organisation is making the most of that opportunity to protect themselves.
Application vulnerabilities are far from a niche issue. The Secunia Vulnerability Review 2015 shows that the number of vulnerabilities detected increased 55% in the past five years.
Many of these vulnerabilities are found in Microsoft applications. These are typically covered by Windows Update, dependent only on Microsoft’s ability to develop and deliver a patch that eliminates the vulnerability. However, application vulnerabilities are not limited to Microsoft operating systems and applications.
Non-Microsoft, or third-party, application vulnerabilities are an equally serious threat and, in the absence of routine security updates, they are potentially even more dangerous. From browsers to PDF readers and utilities, third-party software typically lacks the centralised governance that administrators depend on to fix application vulnerabilities efficiently.
In 2015, a portfolio of the top 50 most common endpoint applications was assessed for known vulnerabilities. 1,348 vulnerabilities were uncovered, across 17 products from 7 different vendors.
Potentially, those are 1,348 opportunities for an organisation to come under attack. The scale of the problem is huge.
So why do businesses leave themselves exposed?
Over the next few weeks, we’ll be looking in-depth at what stands between businesses and robust patch management.
We’ll discuss common misconceptions about application vulnerabilities and where they fit into your wider security concerns. We’ll look at the overwhelming challenges businesses face before they can even begin to look for known vulnerabilities. And we’ll explain how the right tools can make the task of patch management more manageable.