2024 Vulnerability Statistics Report
The 2024 Vulnerability Statistics Report is our 9th edition. It provides a statistical model of the most common weaknesses faced by organizations worldwide, enabling data-driven decisions to manage risks and exposures more effectively.
The latest insights from our 2024 report highlight critical trends and findings in web application security, emphasizing the ongoing challenge organizations face in managing vulnerabilities. This year’s report extends our exploration into Risk Density, Mean Time to Remediate (MTTR) for critical vulnerabilities, and the integration of vulnerability management with penetration testing insights. It underscores the significance of comprehensive visibility in mitigating risks and the imperative of regular patching and maintenance to defend against exploitable vulnerabilities. Moreover, the report accentuates the value of Risk-Based Vulnerability Management, which considers the criticality of assets to prioritize risks effectively. It delineates the distinction between mere compliance and robust security.
Interesting findings include:
- The persistence of SQL Injection as the foremost critical severity vulnerability in web applications since 2022 signifies its position as a primary threat vector.
- Out of all the vulnerabilities detected, 19.47% were classified as high or critical severity.
- In 2023, Cross-Site Scripting (Stored) emerged as the second most prevalent High/Critical Security Vulnerability, constituting 10.5% of all such vulnerabilities and averaging 100 man-days for remediation.
- Malicious File Upload ranked as the third most common High/Critical Severity Vulnerability in 2023, accounting for 7.25% of these vulnerabilities with an average remediation time of 117 man-days.
“As a society we need to focus on what matters and execute more efficiently.
In cybersecurity, context is king given the endgame is to prevent and detect breaches. Compliance gives us strong guardrails but context is what stops us smashing up against them. This year's report certainly depicts we need to fix the “right vulnerabilities” more quickly and reduce our window of exposure.
Leveraging metadata from independent sources such as EPSS and CISA KEV can greatly reduce the window of exposure and I hope such frameworks will become commonplace. Hopefully 2024 will see the dial move further in a positive direction as such context is leveraged.”
— Eoin Keary, CEO & Founder
Overview of the Edgescan Vulnerability Stats Report
Since 2015 Edgescan has annually produced the Vulnerability Statistics Report to provide a global snapshot of the overall state of cybersecurity. The report presents a by-the-numbers insight into trends and statistics, looking back across a 12-month data set from the previous year, including cyber threats, data breaches, and cyber attacks. Every year the report provides a statistical model, presented using infographics and charts, of the most common weaknesses faced by enterprises, enabling data-driven decisions for managing risks and exposures more effectively.
This yearly report has become a reliable source for approximating the global state of vulnerability management. This is exemplified by our unique dataset being part of the Verizon Data Breach Report (DBIR), which is the de facto standard for insights into the common drivers for incidents and breaches today.