{"id":383825,"date":"2020-11-18T08:03:13","date_gmt":"2020-11-18T13:03:13","guid":{"rendered":"http:\/\/www.marketnewsdesk.com\/?p=383825"},"modified":"2020-11-18T08:03:13","modified_gmt":"2020-11-18T13:03:13","slug":"responsible-exposure-on-average-attackers-gain-47-day-advantage-when-exploits-predate-patches-according-to-kenna-security","status":"publish","type":"post","link":"https:\/\/www.marketnewsdesk.com\/index.php\/responsible-exposure-on-average-attackers-gain-47-day-advantage-when-exploits-predate-patches-according-to-kenna-security\/","title":{"rendered":"Responsible Exposure? On Average, Attackers Gain 47-Day Advantage when Exploits Predate Patches, According to Kenna Security"},"content":{"rendered":"

\nNew Research Fuels the Debate on Vulnerability Disclosure and Exploit Development
\n<\/h2>\n
\n

SAN FRANCISCO, Nov. 18, 2020 (GLOBE NEWSWIRE) — New research into what happens after a new software vulnerability is discovered provides an unprecedented window into the outcomes and effectiveness of responsible vulnerability disclosure and exploit development. The analysis of 473 publicly exploited vulnerabilities challenges long-held assumptions of the security space – namely, disclosure of exploits before a patch is available does not create a sense of urgency among companies to fix the problem.<\/p>\n

The research was conducted by Kenna Security<\/a><\/u>, the enterprise leader in risk-based vulnerability management, and the Cyentia Institute<\/a><\/u>. It examines how the common practices among security researchers impact the overall security of corporate IT networks. The analysis found that when exploit code is made public prior to the release of a patch, cybercriminals get a critical head start. At the same time, when exploits are released before patches, it takes security teams more time to address the problem, even after the patch is released.<\/p>\n

\u201cThe debate over responsible disclosure has existed for decades, but this data provides an objective correlation between vulnerability discovery, disclosure, and patch delivery for the first time ever,” said Ed Bellis, founder and CTO of Kenna Security. \u201cHowever, the results raise several questions about responsible exposure, demonstrating that the timing of exploit code release can shift the balance in favor of attackers or defenders.\u201d<\/p>\n

Whether exploit code is released first or a patch is released first, the research found that there are periods of time when attackers have the momentum and when defenders have momentum – a reflection of the fact that no matter when a patch is released, some companies simply don\u2019t or can\u2019t install it before attackers make their move. For approximately nine of the 15 months studied in this analysis, attackers were able to exploit vulnerabilities at a higher rate than defenders were patching, while defenders had the upper hand for six months.<\/p>\n

At the heart of the vulnerability disclosure practice is a mix of competing incentives for software publishers, IT teams, and the independent security researchers that find software vulnerabilities. When a vulnerability is found, researchers disclose its existence and the relevant code they used to exploit the application. The publisher sets about creating a patch and pushing the patch to its user base. Occasionally, however, software publishers don\u2019t engage, declining to create a patch or notify users of a vulnerability.<\/p>\n

In these cases, researchers will publicly disclose the vulnerability to warn the larger community and spur the publisher to take action. Google, for example, tells software publishers that it will release details of the vulnerabilities it discovers within 90 days of notification, except in a few scenarios.<\/p>\n

To examine this industry practice, researchers at the Cyentia Institute relied on data from Kenna Security, and multiple independent data sources. The team examined 473 vulnerabilities disclosed in 2019 with evidence of exploitation in the wild.<\/p>\n

The analysis also found that:<\/p>\n