Sunday, May 26, 2024

CISA Performance Goals Program Trims Exploited CVEs


Organizations enrolled in the agency’s vulnerability scanning program show improved security, but reducing exploitable internet-facing services is incremental.

CISA launched the Cybersecurity Performance Goals (CPG) program as a voluntary roadmap to help small- and medium-sized organizations improve their security postures through achievable improvements.

The security improvements were measured across 3,500 organizations enrolled in CISA’s vulnerability scanning service before April 1, 2022. By June of this year, CISA said the number of enrolled organizations surged almost 70%, with more than 5,900 organizations enrolled.

The Known Exploited Vulnerabilities (KEV) Catalog is a list of security vulnerabilities that are actively being used for attacks in the wild. CISA measured the average number of KEVs present in each enrolled entity’s environment.

In April 2022, not long after the launch of CISA’s Shields Up campaign, there were about 0.58 KEVs per entity, with the number showing irregular movement until October 2022, when it reached 0.49 KEVs per entity.

Since last November, there has been a steady reduction in known exploited vulnerabilities, reaching 0.30 per entity by June, according to CISA data.
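As an added example (not CISA’s or the article’s code), this is how a defender can reproduce the “KEVs per entity” measurement for their own fleet: intersect scanner findings with the KEV catalog, average across all entities, and flag entries still present after the catalog’s remediation due date. The catalog JSON shape (a top-level "vulnerabilities" list with "cveID" and "dueDate" fields) is an assumption, and every CVE identifier and finding below is constructed.

```python
"""Reproduce the 'KEVs per entity' metric over local scan results.

Added example, not CISA's code. The catalog layout (a "vulnerabilities"
list with "cveID" and "dueDate") is assumed; all IDs are constructed.
"""
import json
from datetime import date

# Constructed excerpt in the assumed shape of the KEV catalog JSON.
KEV_CATALOG_JSON = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "dueDate": "2022-10-15"},
        {"cveID": "CVE-0000-0002", "dueDate": "2023-01-31"},
        {"cveID": "CVE-0000-0003", "dueDate": "2023-07-01"},
    ]
})

# Constructed scanner output: CVEs found on each entity's exposed services.
SCAN_FINDINGS = {
    "entity-a": {"CVE-0000-0001", "CVE-0000-0002", "CVE-0000-9999"},
    "entity-b": {"CVE-0000-0003"},
    "entity-c": set(),  # a clean entity still counts toward the average
}


def load_kev_due_dates(catalog_json: str) -> dict[str, date]:
    """Map each catalogued CVE ID to its remediation due date."""
    catalog = json.loads(catalog_json)
    return {v["cveID"]: date.fromisoformat(v["dueDate"])
            for v in catalog["vulnerabilities"]}


def kevs_per_entity(findings: dict, kev_due: dict) -> dict[str, int]:
    """Count catalogued KEVs per entity; non-KEV CVEs do not count."""
    kev_ids = set(kev_due)
    return {entity: len(cves & kev_ids) for entity, cves in findings.items()}


def average_kevs(per_entity: dict) -> float:
    """Fleet-wide average KEVs per entity, as CISA reports it."""
    return sum(per_entity.values()) / len(per_entity) if per_entity else 0.0


def overdue_kevs(findings: dict, kev_due: dict, as_of: str) -> list:
    """(entity, cve) pairs still present after the catalog due date."""
    today = date.fromisoformat(as_of)
    return sorted((entity, cve) for entity, cves in findings.items()
                  for cve in cves & set(kev_due) if kev_due[cve] < today)


if __name__ == "__main__":
    due = load_kev_due_dates(KEV_CATALOG_JSON)
    counts = kevs_per_entity(SCAN_FINDINGS, due)
    print(counts, average_kevs(counts), overdue_kevs(SCAN_FINDINGS, due, "2023-06-01"))
```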

“The early indicators of CISA reports are encouraging,” said Brian Fox, co-founder and CTO of Sonatype. However, he cautioned there was some selection bias due to the organizations being enrolled in the scanning service.

“From my perspective, the larger problem has always been that the majority of the market is not paying enough attention to this problem,” Fox said. 

He noted that 30% of Log4j downloads are still of the vulnerable versions two years after the initial disclosures.
