Most Organizations Have Incomplete Vulnerability Information
A new report by Risk Based Security shows that organizations need to get their vulnerability information from more sources than just the Common Vulnerabilities and Exposures (CVE) and National Vulnerability Database (NVD) systems if they want to identify all flaws in their environment. This year alone, researchers with the firm have discovered close to 6,000 vulnerabilities that have not been entered in the CVE and NVD systems. Of those flaws, 18.4% were critical, while 43.5% were high-risk issues.
Risk Based Security estimates that the average organization will miss 33% of flaws in its environment if it only looks at CVE/NVD data, leading vice president of vulnerability intelligence Brian Martin to conclude that “organizations that rely on vulnerability intelligence are dealing with an alarming number of issues that impact all parts of their infrastructure.”