Rezilion Researchers Find 85% of Vulnerabilities Pose No Risk
The number of newly discovered software vulnerabilities is constantly on the rise, and organizations are struggling to keep up with patching efforts. This is leading to a growing vulnerability backlog and slowing down development and the release of new products.
But this growing backlog and the stress it causes is unacceptable. There’s a new way to manage vulnerabilities. New research from Rezilion shows that only a small percentage of discovered vulnerabilities are loaded into memory and therefore exploitable. An attacker can’t exploit a vulnerability in a package that isn’t being loaded to memory.
These findings have major implications for security teams, which can focus their limited resources on the vulnerabilities that actually pose a real threat of exploitation. They can save development time as well as avoid delays in getting releases out the door.
Based on an analysis of 20 of the most popular container images, the Rezilion research shows that on average, only 15% of the vulnerabilities are actually loaded to memory and hence exploitable. In other words, 85% of the vulnerabilities are not exploitable by bad actors and pose no serious or immediate threat.
A Game Changer for Security and Developers
If a security team prioritizes remediation efforts based on traditional approaches to vulnerability management, it would spend upward of 85% of its time and effort on vulnerabilities that posed no risk to the organization’s environment. That’s a significant waste of time and resources.
An analysis of base operating system images from the three major cloud providers—Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP)—shows that on average only about 20% of the vulnerabilities in those images are actually loaded to memory and therefore exploitable.
This research offers insight into how organizations can use runtime analysis to prioritize remediation of vulnerabilities and not be daunted by the growing backlog. Only a small percentage of discovered vulnerabilities are loaded to memory and therefore exploitable. An attacker can’t exploit a vulnerability in a package that isn’t being loaded to memory. Therefore, organizations can focus their limited resources on the vulnerabilities that actually pose a real threat of exploitation and patch accordingly. This level of knowledge and prioritization also saves development time as well and prevents time to market delays.
To learn more, download the report at https://www.rezilion.com/runtime-analysis-research. Get a free trial of Rezilion’s platform to identify all vulnerabilities present in a given software environment and validate their exploitability. Sign up instantly at Rezilion.com/get-started.
