Despite Sharp Increase in Number of Vulnerabilities, Fewer Pose High-Risk Year-Over-Year Since 2011, Kenna Security Finds

Dec 10, 2020

Share with Your Network

Kenna Security marks 10-year anniversary with a review of the decade’s changing vulnerability landscape 

SAN FRANCISCO, Calif., December 10, 2020 — How has the vulnerability landscape changed over the past decade? Coinciding with the company’s 10-year anniversary, Kenna Security, the enterprise leader in risk-based vulnerability management, has released a data-driven review of the vulnerability trends and risks that have shaped cybersecurity over the past decade. 

“So much of cybersecurity has changed over the past decade, but one thing has stayed the same: it involves running from one crisis to another,” said Ed Bellis, founder and CTO of Kenna Security. “It’s rare for practitioners to have a chance to look back and see how their jobs have changed. But major shifts over the past decade can provide new clues about what the future holds for cybersecurity.” 

The number of total vulnerabilities discovered per year has exploded from 4,100 in 2011 to more than 17,500 in 2020. Yet the proportion of vulnerabilities that hackers have been willing or able to weaponize has not kept pace. While the overall volume of vulnerabilities reported each year has quadrupled, the percentage of newly discovered vulnerabilities that have been exploited in the wild has declined to just 0.38 percent from a high of 1.64 percent in 2012. 

And yet, CVSS, a commonly used metric that some enterprise security teams use to prioritize vulnerability management, does not offer clarity. Over 13 percent of CVEs have a CVSS score of 9 or greater, even though the vast majority have never been exploited in the wild.  

Kenna Security’s analysis also found:

  • Just 0.18 percent of vulnerabilities – a total of 171 – have a Kenna Risk Score of 100, representing the highest risk vulnerabilities from the past ten years. They have an average CVSS score of 9.
  • Numerous vulnerabilities with a Kenna Risk Score of 100 have CVSS scores that are far lower. In fact, the average CVSS score for this class of critical vulnerabilities in 2018 was 7.6 in 2018, and it was 8.7 in 2017.
  • There’s also been a shift in the vendors whose products often have vulnerabilities with a 100 Kenna Risk Score. Between 2011 and 2014, vulnerabilities affecting Adobe, Oracle Java, Microsoft Internet Explorer, and Mozilla dominated the list. Recently discovered critical vulnerabilities, which tend to focus on cloud platforms and servers, affect a more diverse set of products and vendors. 
  • More than one-in-four vulnerabilities involved remote code execution, while nearly one-in-five involved denial of service.

Over the past ten years, Kenna Security has made several major contributions to the cybersecurity community, including the Exploit Prediction Scoring System, a free tool that helps companies assess the danger of individual vulnerabilities. The company’s Prioritization to Prediction series, now in its sixth volume, has leveraged Kenna’s unique dataset to show that companies have the capacity to mitigate just one out of every ten vulnerabilities.

“We founded Kenna a decade ago because CISOs and their security teams were overwhelmed by the number of vulnerabilities on their systems and the lack of rational and effective ways to manage them,” continued Bellis. “Now as we look back on the last ten years, it’s clear that the challenge has only grown. But there is light at the end of the tunnel. Approaching this challenge with data science and a focus on risk can level the playing field for CISOs. This has made modern vulnerability management more manageable and efficient.”

Additional Resources

About Kenna Security

Kenna Security is the enterprise leader in risk-based vulnerability management. The Kenna Security Platform enables organizations to work cross-functionally to determine and remediate cyber risks. It leverages machine learning and data science to track and predict real-world exploitations, empowering security teams to focus on what matters most. Headquartered in San Francisco, Kenna serves nearly every major vertical and counts CVS, KPMG, and many Fortune 100 companies among its customers.


Media & Analyst Contact: 
Matt McLoughlin
Gregory FCA for Kenna Security
Phone: 609-385-2058

© 2022 Kenna Security. All Rights Reserved. Privacy Policy.