Study sees no rise in zero-days for 2015

It’s rare to find much good news when it comes to vulnerabilities, but if you’re looking for a silver lining, this could qualify.

The annual Flexera Software Vulnerability Review has found there was no increase in zero-day vulnerabilities in 2015. Exactly as many were found (25) as in 2014.

The data was based on an analysis of more than 50,000 applications that were scanned for security violations by vendor Secunia.

For its purposes, Flexera defines a zero-day as a vulnerability that is actively being exploited by hackers before it’s publicly known – a standard definition, so you know there’s no fudging of the numbers there.

Other areas holding steady

In other good news, companies are continuing a trend of fixing vulnerable products quickly. Flexera found that 83.6% of companies had a patch available for vulnerable products the same day the vulnerability was exposed. In 2014, 82.8% had patches available the same day.

This is a far cry from 2010, just a few years earlier, when only half of vulnerabilities were patched the same day.

The downside: after 30 days, only 84.7% of vulnerabilities had a patch, barely above the same-day figure. So if a patch wasn’t available within 24 hours, most companies didn’t get around to shipping one for quite some time – if at all.

Apps must be patched

Surveys like this one highlight a very important point: If your application vendors aren’t patching vulnerabilities, it’s time to find a new vendor.

While some of these vulnerabilities are not critical or even all that dangerous, many could be. So it’s essential to check not only how secure products are when you procure them, but also how quick the vendor is to react if there is a problem.

One good resource: the Common Vulnerabilities and Exposures (CVE) dictionary. It has historical information on vendors’ past vulnerabilities and the status of their fixes.
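The same-day and 30-day patch-availability figures the article cites are easy to compute for your own vendors once you have a list of their past vulnerabilities with a published date and a patch-available date. The script below is an added example, not code from the article, Flexera or Secunia; it assumes you have already assembled such a list (for instance from CVE history plus vendor advisories) into the `VulnRecord` shape shown, and the sample records and identifiers in it are constructed placeholders rather than real CVEs.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class VulnRecord:
    """One historical vulnerability for a vendor (shape assumed for this example)."""
    vuln_id: str              # placeholder identifier, not a real CVE number
    vendor: str
    published: date           # date the vulnerability became public
    patch_available: Optional[date]  # None means the vendor has not shipped a fix


# Constructed sample data: hypothetical vendors and identifiers for illustration only.
SAMPLE: List[VulnRecord] = [
    VulnRecord("EXAMPLE-0001", "VendorA", date(2015, 3, 1), date(2015, 3, 1)),   # same day
    VulnRecord("EXAMPLE-0002", "VendorA", date(2015, 5, 10), date(2015, 5, 12)),  # 2 days
    VulnRecord("EXAMPLE-0003", "VendorA", date(2015, 7, 4), date(2015, 8, 18)),   # 45 days
    VulnRecord("EXAMPLE-0004", "VendorB", date(2015, 9, 9), date(2015, 9, 9)),    # same day
    VulnRecord("EXAMPLE-0005", "VendorB", date(2015, 11, 20), None),              # never fixed
]


def days_to_patch(record: VulnRecord) -> Optional[int]:
    """Days between disclosure and patch availability; None if no patch exists."""
    if record.patch_available is None:
        return None
    return (record.patch_available - record.published).days


def patch_rates(records: List[VulnRecord],
                windows: Tuple[int, ...] = (0, 30)) -> Dict[int, float]:
    """Percentage of records patched within each window, e.g. {0: same-day, 30: 30-day}."""
    if not records:
        return {w: 0.0 for w in windows}
    rates = {}
    for window in windows:
        patched = sum(
            1 for r in records
            if days_to_patch(r) is not None and days_to_patch(r) <= window
        )
        rates[window] = round(100.0 * patched / len(records), 1)
    return rates


def vendor_report(records: List[VulnRecord]) -> Dict[str, Dict[int, float]]:
    """Same-day and 30-day patch rates broken down per vendor."""
    by_vendor: Dict[str, List[VulnRecord]] = {}
    for r in records:
        by_vendor.setdefault(r.vendor, []).append(r)
    return {vendor: patch_rates(recs) for vendor, recs in by_vendor.items()}


def unpatched(records: List[VulnRecord]) -> List[str]:
    """Identifiers of vulnerabilities that still have no patch at all."""
    return [r.vuln_id for r in records if r.patch_available is None]


def laggards(records: List[VulnRecord], window: int = 30,
             min_rate: float = 80.0) -> List[str]:
    """Vendors whose patch rate within `window` days falls below `min_rate` percent."""
    report = vendor_report(records)
    return sorted(v for v, rates in report.items() if rates[window] < min_rate)


if __name__ == "__main__":
    print("overall:", patch_rates(SAMPLE))
    for vendor, rates in vendor_report(SAMPLE).items():
        print(f"{vendor}: same-day {rates[0]}%, 30-day {rates[30]}%")
    print("still unpatched:", unpatched(SAMPLE))
    print("below 80% at 30 days:", laggards(SAMPLE))
```

The `laggards` threshold of 80% is an arbitrary procurement bar chosen for the example; the useful part is comparing a vendor's own same-day and 30-day figures, since a large gap between them is the pattern the article warns about.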