The number of software vulnerabilities has become overwhelming, and enterprises need to be smart about how they prioritize and address them, according to Qualys CTO Wolfgang Kandek.
"We [saw], unfortunately, lots of vulnerabilities [this year]. Every month, every day you have new vulnerabilities being discovered. It's roughly 2,500 per year," Kandek said during RSA Conference 2015 recently.
While the number of discovered software vulnerabilities has been stable in recent years, that stability is somewhat misleading, Kandek said: vendors have adopted more secure software development practices over the last decade, so the count should have fallen, yet flaws are still being found every month in widely used applications such as Internet Explorer. "Theoretically, we should get better. There should be [fewer] vulnerabilities," Kandek said.
The difficulty for security professionals, Kandek said, is what to do with all of the reported software vulnerabilities. Enterprises need some kind of strategy or guidelines for security vulnerability management.
"Ideally you want to fix them all. [But] that is an insurmountable quantity usually," he said. "So the question is: How do you prioritize? Which ones do you address quickly? Which ones do you leave maybe for some kind of roll up that you do every quarter?"
For example, Kandek said, the vulnerability in http.sys, the kernel-mode driver that handles HTTP for Microsoft's Web server, needed to be addressed immediately because the flaw was already being exploited in the wild. Others, even those fixed in the same Microsoft Patch Tuesday release as the http.sys flaw, could wait a month or two before being patched.
Fortunately, there are guidelines enterprises can use to narrow the growing field of software vulnerabilities and prioritize the most pressing flaws. Kandek highlighted a recent report from Germany's Federal Office for Information Security (BSI) that identified common software and productivity applications in which vulnerabilities are frequently discovered, such as Adobe Flash, Microsoft Office and Oracle Java. Such guidelines, Kandek said, can limit the scope of an enterprise patching policy and make addressing software vulnerabilities more manageable.
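The prioritization Kandek describes (patch what is already being exploited now, roll everything else into a monthly or quarterly cycle) and the product watch list drawn from the BSI report can be expressed as a small triage script. The following is an added example, not code from Qualys, the BSI or the article; the bucket names, patch windows, CVSS threshold, `Vuln` fields and sample records are assumptions made for illustration. The point it makes that the text does not spell out is that active exploitation outranks severity score: a CVSS 5.0 flaw with a working exploit is scheduled ahead of a CVSS 9.8 flaw nobody is attacking yet.

```python
"""Bucket reported vulnerabilities into patch windows.

Added example. The rules follow the article's argument (fix what is already
being exploited immediately, roll the rest into a monthly or quarterly cycle),
but the thresholds, field names and sample data are assumptions, not Qualys's
or the BSI's own.
"""
from dataclasses import dataclass

# Assumed watch list, modelled on the products the article says the BSI report
# singles out as frequently vulnerable.
FREQUENTLY_VULNERABLE = {"adobe flash", "microsoft office", "oracle java"}

# Assumed CVSS cut-off for pulling an unexploited flaw into the monthly cycle.
CRITICAL_CVSS = 9.0

# Assumed patch windows in days for each bucket.
WINDOW_DAYS = {"immediate": 1, "monthly": 30, "quarterly": 90}


@dataclass(frozen=True)
class Vuln:
    vuln_id: str            # tracking identifier (constructed, not a real CVE)
    product: str
    cvss: float
    exploited_in_wild: bool


def classify(v: Vuln) -> str:
    """Return the bucket a vulnerability belongs in.

    Active exploitation trumps everything else; after that, flaws in a
    frequently vulnerable product or with a critical score go monthly, and
    the remainder can wait for the quarterly roll-up.
    """
    if v.exploited_in_wild:
        return "immediate"
    if v.product.lower() in FREQUENTLY_VULNERABLE or v.cvss >= CRITICAL_CVSS:
        return "monthly"
    return "quarterly"


def triage(vulns):
    """Group vulnerabilities by bucket, highest CVSS first within each bucket."""
    buckets = {name: [] for name in WINDOW_DAYS}
    for v in vulns:
        buckets[classify(v)].append(v)
    for items in buckets.values():
        items.sort(key=lambda v: -v.cvss)
    return buckets


def due_in_days(v: Vuln) -> int:
    """Patch deadline in days implied by the vulnerability's bucket."""
    return WINDOW_DAYS[classify(v)]


# Constructed sample input: identifiers, products and scores are made up.
SAMPLE = [
    Vuln("v1", "Microsoft Windows", 7.8, exploited_in_wild=True),
    Vuln("v2", "Adobe Flash", 9.3, exploited_in_wild=False),
    Vuln("v3", "Oracle Java", 6.5, exploited_in_wild=False),
    Vuln("v4", "Internal reporting tool", 4.3, exploited_in_wild=False),
    Vuln("v5", "Third-party web server", 9.8, exploited_in_wild=False),
    Vuln("v6", "Microsoft Office", 5.0, exploited_in_wild=True),
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE).items():
        ids = ", ".join(v.vuln_id for v in items) or "-"
        print(f"{bucket:9s} (within {WINDOW_DAYS[bucket]:3d} days): {ids}")
```

Run as-is, it prints one line per bucket. The "exploited in the wild" flag is the input a real deployment would take from threat intelligence or the vendor's advisory; everything else here is a policy knob an organisation would tune to its own risk appetite.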