CVE = publicly documented Cybersecurity Vulnerability & Exposure

As new technology surfaces such as IoT, hi-tech cars, smartphones, etc., brand new categories for patching and security are surfacing.  The ISC highlights a record year in 2017 of 14,860 published security holes.  2018 is forecast to be an equally challenging year as well. 

https://isc.sans.edu/forums/diary/2017+The+Flood+of+CVEs/23173/

https://cve.mitre.org/about/faqs.html

2017 is almost done and it’s my last diary for this year. I made a quick review of my CVE database (I’m using a local CVE-search instance). The first interesting number is the amount of CVE’s created this year. Do you remember when the format was CVE-YYYY-XXXX? The CVE ID format changed in 2014 to break the limit of 9999 entries per year. This was indeed a requirement when you see the number of entries for the last five years:

2017 … 14,680
2016 … 6,447
2015 … 6,480
2014 … 7,946
2013 … 5,191

If more and more organizations are taking security into consideration, how to explain this peak of reported vulnerabilities? First, I think that, in parallel to organizations focusing on security, “attackers” are also more and more active. Not only bad guys who are always looking into ways to make more profit but also students and security researchers. In Europe, offensive security trainings are very popular. People like to learn how to “break stuff”.