The global software industry is being affected by a rising tide of bugs and security vulnerabilities, with each of the past five years setting a new record for the number of flaws catalogued.
In what is becoming a growing challenge for the cyber security industry, 2021 saw 20,142 unique bugs and security vulnerabilities recorded – up almost 10 per cent from the 18,351 recorded in 2020.
The rise in vulnerabilities is mirrored by a growing number of affected products as technology has proliferated.
A total of 25,223 different software products were affected by at least one vulnerability in 2021, up from 24,342 in 2020. The number of vulnerabilities rated as high severity, however, declined slightly, from 4,378 to 4,063, the first decrease in five years.
To conduct the analysis Spotlight downloaded all historical Common Vulnerabilities and Exposures (CVE) data from the US National Institute of Standards and Technology’s (Nist) National Vulnerability Database (NVD), which provides data on each vulnerability catalogued since 2002.
Nist defines a vulnerability as “a weakness in the computational logic (e.g. code) found in software and hardware components that, when exploited, results in a negative impact to confidentiality, integrity or availability”. These vulnerabilities are often reverse-engineered by hackers and cyber crime syndicates in order to exploit them.
The figures show that the most common route for exploiting a vulnerability has been over a network. Around 69 per cent of vulnerabilities so far in 2022 were exploitable in this manner, up from 66 per cent in 2021.
This was followed by local vulnerabilities, where an attacker would need access to the system in order to exploit it (these made up 28 per cent of vulnerabilities in 2021, and 21 per cent so far this year).
More often than not, attackers are able to exploit a software vulnerability in a system without the unwitting help of a human user. However, around a third of the vulnerabilities required action on the part of a human in order to be successfully exploited (for example, a system administrator installing some software).
One trend in recent years has been a decrease in the complexity of attacks. In 2021, 94 per cent of attacks were considered “low complexity” – up from 88 per cent in 2020. A low-complexity attack is one an attacker can reliably repeat with little effort, whereas a high-complexity attack often depends on circumstances outside the attacker's control.
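The breakdowns above come from the CVSS v3 metrics that NVD attaches to each record. The following Python is an added illustration of that tally, not Spotlight's own script: it reads records in the shape of the NVD JSON 1.1 feed (the `publishedDate` and `impact.baseMetricV3.cvssV3` field names are assumed from that schema) and counts a year's records by attack vector, user interaction, attack complexity and severity. The records themselves are constructed samples, not real CVEs.

```python
import json
from collections import Counter

# Constructed sample in the shape of the NVD JSON 1.1 feed; not real CVE records.
SAMPLE_FEED = json.dumps({"CVE_Items": [
    {"cve": {"CVE_data_meta": {"ID": "CVE-2021-00001"}}, "publishedDate": "2021-03-01T10:00Z",
     "impact": {"baseMetricV3": {"cvssV3": {"attackVector": "NETWORK", "attackComplexity": "LOW",
                                            "userInteraction": "NONE", "baseSeverity": "HIGH"}}}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-2021-00002"}}, "publishedDate": "2021-06-15T10:00Z",
     "impact": {"baseMetricV3": {"cvssV3": {"attackVector": "LOCAL", "attackComplexity": "LOW",
                                            "userInteraction": "REQUIRED", "baseSeverity": "MEDIUM"}}}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-2021-00003"}}, "publishedDate": "2021-11-20T10:00Z",
     "impact": {"baseMetricV3": {"cvssV3": {"attackVector": "NETWORK", "attackComplexity": "HIGH",
                                            "userInteraction": "NONE", "baseSeverity": "HIGH"}}}},
    # Older record scored only under CVSS v2: no baseMetricV3 block, so it is skipped.
    {"cve": {"CVE_data_meta": {"ID": "CVE-2021-00004"}}, "publishedDate": "2021-01-05T10:00Z",
     "impact": {"baseMetricV2": {"severity": "LOW"}}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-2020-00001"}}, "publishedDate": "2020-09-09T10:00Z",
     "impact": {"baseMetricV3": {"cvssV3": {"attackVector": "NETWORK", "attackComplexity": "LOW",
                                            "userInteraction": "NONE", "baseSeverity": "CRITICAL"}}}},
]})

FIELDS = ("attackVector", "userInteraction", "attackComplexity", "baseSeverity")


def load_items(feed_text):
    """Parse a feed document and return its list of CVE records."""
    return json.loads(feed_text)["CVE_Items"]


def metrics_for_year(items, year):
    """Yield the CVSS v3 metric block of each record published in `year`.
    Records with no v3 score (common before 2016) carry none of these fields and are skipped."""
    for item in items:
        if not item.get("publishedDate", "").startswith(str(year)):
            continue
        v3 = item.get("impact", {}).get("baseMetricV3")
        if v3:
            yield v3["cvssV3"]


def breakdown(items, year):
    """Count the scored records of `year` by each CVSS field in FIELDS."""
    counts = {field: Counter() for field in FIELDS}
    total = 0
    for metrics in metrics_for_year(items, year):
        total += 1
        for field in FIELDS:
            counts[field][metrics[field]] += 1
    counts["total"] = total
    return counts


def pct(count, total):
    """Share of `total` as a percentage with one decimal; 0.0 when nothing was scored."""
    return round(100.0 * count / total, 1) if total else 0.0
```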