What can be said about 2020 that hasn’t been said already? It definitely was a year where things happened and there certainly were several of those things that involved security. Looking across the vulnerability landscape, we see that more than 176,447 CVEs were reported.
Within the Red Hat portfolio, we identified 2,040 unique CVEs that impacted components we supply and support. This was far-and-away the highest volume of CVEs we’ve fixed in any calendar year on record. This translates to a significant amount of work an operator or administrator needs to do in order to keep their systems running at peak patch levels.
We understand that most enterprises do not run exclusively on Red Hat products and services, and for someone that is responsible for a heterogeneous environment that has a melange of technologies to keep updated, it can seem like a Herculean task.
This is why we issue Red Hat Severity Scores with each vulnerability, along with our CVSS scoring and CWE analysis. Every security issue has some level of importance to deal with, but some issues have higher likelihoods of being exploited or have higher consequences if they were.
It is interesting to note that over the years we’ve actively tracked and reported on issues impacting our software to see the change in distribution of the severity of issues. The volume of Critical and Important issues that we consistently address across the whole portfolio have remained generally flat, with a slight uptick in 2020, but are nowhere near “record levels.” Red Hat Engineering addressed Critical issues across the portfolio with great speed. In 2020, 31% of CVEs that we rated as Critical were addressed and had patches for consumers within one business day. A total of 89% had fixes within one week and a full 100% were addressed within one month of public disclosure.
Overall, the volume of issues we patched was 1.5 times higher than we had in 2019, with the average and median delivery times being down. This translates to faster availability of security updates.
The volume of Moderate security flaws that were fixed in 2020 alone was more than all the vulnerabilities Red Hat fixed back in 2011, 2012, 2013, and 2014 (plus we fixed 460 Low severity issues as icing on that cake). This was a 3x increase in volume across the board since 2011...what do the next nine years hold? Only time will tell.
Reducing security risks requires effective management programs
As systems get more complex, the key to reducing your risks associated with them is to have effective patch and vulnerability management programs in effect and to minimize the attack surface if you present a malicious or curious actor.
It is worth noting that when default security features are disabled (like turning SELinux off for example, which if you did would make Dan Walsh cry), the risk profile of that system is drastically altered, opening up the potential for additional security risks and impacts. Good security hygiene, timely patch management, and appropriate access controls and logging can go a very long way preventing the next terrible media headline from impacting you.
We hope you’ve enjoyed this series of blogs around our 2020 Product Security Risk Report. Each of these articles has expanded upon a concept covered within the report, so if you liked the blogs, please read the full report to learn more.
저자 소개
Christopher Robinson, better known as CRob to his colleagues, is a former Product Security Program Architect at Red Hat.
채널별 검색
오토메이션
기술, 팀, 환경을 포괄하는 자동화 플랫폼에 대한 최신 정보
인공지능
고객이 어디서나 AI 워크로드를 실행할 수 있도록 지원하는 플랫폼 업데이트
클라우드 서비스
관리형 클라우드 서비스 포트폴리오에 대해 더 보기
보안
환경과 기술 전반에 걸쳐 리스크를 감소하는 방법에 대한 최신 정보
엣지 컴퓨팅
엣지에서의 운영을 단순화하는 플랫폼 업데이트
인프라
세계적으로 인정받은 기업용 Linux 플랫폼에 대한 최신 정보
애플리케이션
복잡한 애플리케이션에 대한 솔루션 더 보기
오리지널 쇼
엔터프라이즈 기술 분야의 제작자와 리더가 전하는 흥미로운 스토리
제품
- Red Hat Enterprise Linux
- Red Hat OpenShift Enterprise
- Red Hat Ansible Automation Platform
- 클라우드 서비스
- 모든 제품 보기
툴
체험, 구매 & 영업
커뮤니케이션
Red Hat 소개
Red Hat은 Linux, 클라우드, 컨테이너, 쿠버네티스 등을 포함한 글로벌 엔터프라이즈 오픈소스 솔루션 공급업체입니다. Red Hat은 코어 데이터센터에서 네트워크 엣지에 이르기까지 다양한 플랫폼과 환경에서 기업의 업무 편의성을 높여 주는 강화된 기능의 솔루션을 제공합니다.