Experts have predicted that a record-breaking 50,000 CVEs will be uncovered in 2025. This potentially marks an 11% increase on 2024 and may be more than six times the volume of CVEs discovered in 2023.
This upward trend is undoubtedly caused by an increase in the volume of software developed today. Many of these vulnerabilities will also be harmless, with low severity ratings and straightforward patches.
But then there are the ones that will impact organisations globally: the Zero Days criminals and nation state actors will exploit to spy on organisations and governments. There will also be the high-severity flaws that demand urgent patching, leaving security teams working through the weekend because they threaten the solvency of the organisations they are hired to protect.
Software is complex and no piece of technology will ever be perfect, so vulnerabilities will always exist, but one question must be answered: Why do the same technology vendors keep being impacted by the same volume and class of vulnerabilities in their products year after year?
CISA Top 15 Routinely Exploited Vulnerabilities
Every year the Cybersecurity and Infrastructure Security Agency (CISA) publishes a list of the top 15 most exploited vulnerabilities.
The list shares details on the CVEs, provides recommendations on mitigation and details which software vendors the CVEs affect.
The software vendors are typically the same every year, with long-standing appearances from the biggest organisations in technology and security. This begs the question: why are the very vendors organisations adopt to protect their data the same vendors that appear at the top of CISA’s list every year?
VPNs, which are marketed to prevent malicious access, often exhibit vulnerabilities which facilitate it. Firewalls and gateway products are routinely shipped with vulnerabilities which provide root or privileged access to systems for criminals to exploit.
This points to a worrying failing.
If the foundation on which our security is built is insecure, how can organisations ever stand a chance of being secure themselves?
Regulations don’t drive resilience
Earlier this month, the UK government announced its proposal on the forthcoming Cyber Security and Resilience Bill. The proposal stated the government’s intent to regulate more industries and better protect complex chains, while it reinforced the need for organisations to adopt security best practices.
Closely followed in its wake was the release of the UK government’s annual Cyber Breaches Survey. The survey unveiled the status of organisational security across the UK, highlighting that many organisations are still not getting the basic security best practices right, while reinforcing the importance of their adoption.
But, in reality, no regulation or recommendation from the government on cyber will ever be enough. Organisations have no real chance of protecting their environments when the products that support them are inherently insecure.
Ransomware is undoubtedly today’s most damaging and prominent threat.
Data recently revealed that an estimated 60% of UK small businesses end their operations after falling victim to a ransomware attack. While phishing is generally the initial access route criminals will take before dropping ransomware, recent studies show that vulnerability exploits now keep pace with phishing as an initial point of compromise.
This means that criminals are exploiting vulnerabilities in common software to gain access to an organisation’s network, before dropping ransomware and executing devastating, costly, and often business-ending attacks.
But why do organisations continue to face the financial penalties from ransomware while the software vendors, whose products possess the vulnerabilities attackers exploit to compromise organisations, get off unscathed?
Clearly something is not right.
Until we can make better, more secure products, which don’t expose organisations to attacks, no regulation will ever be enough to achieve resilience.
Therefore, to drive real change, should the government be doing more to encourage vendors to make better, more secure products that don’t compromise their customers’ defences?
The government has long advocated secure-by-design development approaches, but does this mean they need to place more pressure on the technology industry to adopt the principles? Given that much of the UK’s critical infrastructure is built using the technology components that frequently appear on CISA’s top 15 list, the country has a lot at stake.
The route to resilience
Recurring defects in security products are unacceptable. If they were continuously found in a physical product, the product would be recalled, and the vendor would be held liable for damages. So, why is it different for software vendors who repeat the same failures year after year?
Holding software vendors and their leadership accountable is essential to building better, more secure products. If large security vendors can’t get security right, what chance do other businesses have?
Unless the government changes focus and addresses why security vendors fail to build secure products, regulations will be ineffective and the route to resilience will be long, complex and completely unachievable.
At SecureAck, we focus on building solutions through automation to help organisations protect their environments at the scale required in today’s threat landscape.