Cyentia Cybersecurity Research Library

Poor Patching

Below you will find reports tagged “Poor Patching”.


Prioritization to Prediction, Vol. 9

This latest installment of the Prioritization to Prediction research series, created by the Cyentia Institute and sponsored by Cisco (formerly commissioned by Kenna Security), explores CISA’s Known Exploited Vulnerabilities (KEV) catalog and gives some context to what it means (and doesn’t mean) for other organizations. It also demonstrates how the KEV can fit into any risk-based vulnerability management program. The report leads with its key findings, but you’ll really want to read the whole thing to get the good stuff.

Added: August 7, 2023


The Fast and the Frivolous

The Fast and the Frivolous uses a massive dataset from SecurityScorecard that spans 1.6 million organizations. We analyze billions of internet-exposed assets to measure the speed of vulnerability remediation over a three-year period. In this report, you’ll find some of the lessons we learned.

Added: April 25, 2023


Navigating The Paths Of Risk: The State of Exposure Management in 2023

Our second annual report presents key insights drawn from tens of thousands of attack path assessments conducted through XM Cyber’s exposure management platform during 2022. These assessments uncovered over 60 million exposures affecting 10 million entities deemed critical to business operations. Anonymized datasets were exported from the XM Cyber platform and provided to the Cyentia Institute for analysis.

Added: April 10, 2023


Open Source Security and Risk Analysis Report 2023

In its 8th edition this year, the 2023 “Open Source Security and Risk Analysis” (OSSRA) report delivers our annual in-depth look at the current state of open source security, compliance, licensing, and code quality risks in commercial software. We share these findings with the goal of helping security, legal, risk, and development teams better understand the open source security and license risk landscape.

Added: February 27, 2023


State of Cloud Native Application Security

As companies embrace cloud native technologies as part of their digital transformation, security is seen as a key factor in building successful platforms. While only 36% of respondents stated that security was one of the main reasons for moving their production applications into containers, 99% of respondents recognize security as an important element of their cloud native strategy.

Added: September 28, 2022


Prioritization to Prediction Volume 8: Measuring and Minimizing Exploitability

We do two very important and timely things in this report. We first explore ways to measure exploitability for individual vulnerabilities—and far more importantly—entire organizations. Second, we create a simulation that seeks to minimize organizational exploitability under varying scenarios combining vulnerability prioritization strategies and remediation capacity. Bottom line: If you’re looking for proven ways to squeeze the most risk reduction from your vulnerability management (VM) efforts, this report is for you.

Added: January 20, 2022


Prioritization to Prediction Volume 7: Establishing Defender Advantage

Do exploit code releases help or harm defenders? We decided to put this hotly contested debate to the test. The seventh volume of the Prioritization to Prediction series produced in conjunction with the Cyentia Institute attacks this debate from all angles. Poring over Kenna Security’s own threat and vulnerability intelligence, anonymized platform data, and Fortinet exploitation data, we analyzed over 6 billion vulnerabilities affecting 13 million active assets across nearly 500 organizations.

Added: May 13, 2021


Prioritization to Prediction: Volume 6 - The Attacker-Defender Divide

This sixth volume of the Prioritization to Prediction series combines vulnerability data from Kenna’s customers with additional intelligence from Fortinet and others. This volume provides a quantitative analysis of the timeline of key dates in the lifecycle of an exploited vulnerability, exploring the effects of releasing exploit code relative to the date of CVE publication and patch availability, discussing the ramifications to attackers and defenders.

Added: November 18, 2020


Persistent Vulnerabilities, Their Causes and the Path Forward

Covers the long tail of vulnerability patching, whereby vulnerabilities that are not fixed soon after detection can linger for months or more before being addressed. Makes the case for better prioritization mechanisms.

Added: June 5, 2020


Prioritization to Prediction: Volume 5

P2P Volume 5 focuses on the differences between asset types (by operating system) and how vulnerabilities are treated on different platforms.

Added: April 21, 2020


Prioritization To Prediction Volume 4: Measuring What Matters in Remediation

This research was commissioned by Kenna Security. Kenna collected and provided the remediation dataset to the Cyentia Institute for independent analysis and drafting of this report.

Added: September 18, 2019


Prioritization To Prediction: Volume 3: Winning the Remediation Race

From the report, “The Prioritization to Prediction series is an ongoing research initiative between Kenna Security and the Cyentia Institute. The first volume proposed a model for predicting which of the numerous hardware and software vulnerabilities published each month were most likely to be exploited, and thus deserving of priority remediation. The second volume sought to apply and test that theoretical model using empirical data collected on billions of observed vulnerabilities. We ended the last report by analyzing vulnerability remediation timeframes across a sample of 12 firms. This third volume picks up where we left off and expands the analysis to roughly 300 organizations of different types and sizes. We leverage a technique called survival analysis to draw out important lessons about remediation velocity and capacity, concepts we explore and define during the course of this report. Overall, our goal is to understand what it means to survive—nay thrive—in the race of vulnerability remediation.” Read on to find out more.

Added: March 16, 2019
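The survival analysis the Volume 3 excerpt mentions is, at its core, a Kaplan-Meier estimate of "still open after t days" over findings that include the ones not yet fixed. The block below is an added illustration, not code from the Cyentia/Kenna report: findings are constructed (first_seen, fixed_on) pairs, findings still open at an assumed observation cutoff are right-censored rather than dropped, and the Kaplan-Meier half-life is contrasted with the naive median over fixed findings only, which understates time-to-fix because the slowest findings are exactly the ones not yet closed.

```python
"""Kaplan-Meier estimate of vulnerability remediation 'survival'.

Added example; not code from the Cyentia/Kenna report. A finding is a
(first_seen, fixed_on) pair; fixed_on is None when it is still open at
the observation cutoff. Open findings are right-censored: they count as
'at risk' up to the cutoff instead of being thrown away, which is what
separates survival analysis from a plain median of time-to-fix.
Sample data and the cutoff date are constructed.
"""
from datetime import date
from typing import List, Optional, Tuple

# Constructed sample: (first_seen, fixed_on). None = still open at cutoff.
FINDINGS: List[Tuple[date, Optional[date]]] = [
    (date(2023, 1, 1), date(2023, 1, 8)),    # fixed after 7 days
    (date(2023, 1, 1), date(2023, 1, 11)),   # 10 days
    (date(2023, 1, 10), date(2023, 1, 24)),  # 14 days
    (date(2023, 2, 1), date(2023, 3, 3)),    # 30 days
    (date(2023, 2, 1), date(2023, 5, 2)),    # 90 days
    (date(2023, 3, 1), None),                # still open: censored at 121 days
    (date(2023, 4, 15), None),               # still open: censored at 76 days
    (date(2023, 6, 1), date(2023, 7, 15)),   # fixed after cutoff: censored at 29 days
]
CUTOFF = date(2023, 6, 30)  # constructed observation window end


def to_durations(findings, cutoff):
    """(days_observed, event) per finding; event=1 fixed within window, 0 censored."""
    out = []
    for opened, closed in findings:
        if closed is not None and closed <= cutoff:
            out.append(((closed - opened).days, 1))
        else:
            out.append(((cutoff - opened).days, 0))
    return out


def kaplan_meier(durations):
    """Step curve [(t, S(t))]; S(t) = estimated fraction of findings still open after t days."""
    curve = [(0, 1.0)]
    surv = 1.0
    for t in sorted({d for d, e in durations if e == 1}):
        # everything observed for at least t days was still open just before t,
        # censored findings included; that is the denominator
        at_risk = sum(1 for d, _ in durations if d >= t)
        fixed = sum(1 for d, e in durations if d == t and e == 1)
        surv *= (at_risk - fixed) / at_risk
        curve.append((t, surv))
    return curve


def survival_at(curve, t):
    """Evaluate the step function at t days."""
    value = 1.0
    for ti, si in curve:
        if ti > t:
            break
        value = si
    return value


def half_life(curve):
    """First t at which S(t) <= 0.5, i.e. the KM median time-to-fix; None if not reached."""
    for t, s in curve:
        if s <= 0.5:
            return t
    return None


def naive_median_days(findings, cutoff):
    """The biased shortcut: median over fixed findings only, ignoring everything still open."""
    closed = sorted((c - o).days for o, c in findings if c is not None and c <= cutoff)
    if not closed:
        return None
    mid = len(closed) // 2
    return closed[mid] if len(closed) % 2 else (closed[mid - 1] + closed[mid]) / 2


if __name__ == "__main__":
    curve = kaplan_meier(to_durations(FINDINGS, CUTOFF))
    for t, s in curve:
        print(f"day {t:>3}: {s:.3f} still open")
    print("KM half-life (days):", half_life(curve))
    print("naive median of fixed-only (days):", naive_median_days(FINDINGS, CUTOFF))
```

On this constructed sample the fixed-only median is 14 days while the Kaplan-Meier half-life is 30 days; when censoring is heavy enough that the curve never crosses 0.5 the half-life is undefined, which is itself the finding ("most of what we opened is still open") rather than a bug to paper over.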

Prioritization to Prediction: Volume 2: Getting Real About Remediation

From the report, “‘Realized coverage & efficiency vary greatly among firms—over 50% between top and bottom performers—indicating different remediation strategies lead to very different outcomes.’ Where is your strategy leading?” Read on to find out more.

Added: March 16, 2019
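The coverage and efficiency figures quoted from Volume 2 are the two numbers the whole Prioritization to Prediction series scores remediation strategies by: coverage is the share of vulnerabilities that actually get exploited which a strategy remediates (recall), and efficiency is the share of what the strategy remediates that actually gets exploited (precision). The page itself does not spell those definitions out, so the block below states them as its working assumption. It is an added example, not the reports’ own code: a constructed population of ten vulnerabilities is scored under a CVSS threshold, a public-exploit rule, "fix everything", and a capacity-limited top-N rule, so the trade-off the excerpt alludes to can be seen in numbers.

```python
"""Coverage and efficiency of vulnerability prioritization strategies.

Added example; not code from the Prioritization to Prediction reports.
Metric definitions assumed here (the page does not define them):
  coverage   = exploited vulns the strategy remediates / all exploited vulns      (recall)
  efficiency = exploited vulns the strategy remediates / all vulns it remediates  (precision)
The vulnerability records are constructed; 'exploited' stands in for the
ground truth a real program would take from exploitation telemetry.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Vuln:
    vid: str
    cvss: float
    exploit_public: bool   # proof-of-concept or weaponized code is public
    exploited: bool        # exploitation actually observed (ground truth)


# Constructed sample population.
VULNS: List[Vuln] = [
    Vuln("V-01", 9.8, True, True),
    Vuln("V-02", 7.5, False, False),
    Vuln("V-03", 5.3, True, True),    # exploited despite a medium score
    Vuln("V-04", 8.8, False, True),   # exploited with no public PoC
    Vuln("V-05", 4.3, False, False),
    Vuln("V-06", 7.2, False, False),
    Vuln("V-07", 9.1, True, False),   # public PoC, never actually used
    Vuln("V-08", 6.5, True, True),
    Vuln("V-09", 3.1, False, False),
    Vuln("V-10", 7.8, False, False),
]

Strategy = Callable[[List[Vuln]], List[Vuln]]


def coverage_efficiency(remediated: List[Vuln], population: List[Vuln]) -> Tuple[float, float]:
    """Return (coverage, efficiency) for the set a strategy chose to remediate."""
    exploited = {v.vid for v in population if v.exploited}
    fixed = {v.vid for v in remediated}
    hits = fixed & exploited
    coverage = len(hits) / len(exploited) if exploited else 0.0
    efficiency = len(hits) / len(fixed) if fixed else 0.0
    return coverage, efficiency


def by_predicate(pred: Callable[[Vuln], bool]) -> Strategy:
    """Remediate every vuln matching pred (unbounded capacity)."""
    return lambda vulns: [v for v in vulns if pred(v)]


def top_n(key: Callable[[Vuln], float], n: int) -> Strategy:
    """Remediate only the n highest-ranked vulns: a fixed remediation capacity."""
    return lambda vulns: sorted(vulns, key=key, reverse=True)[:n]


STRATEGIES: Dict[str, Strategy] = {
    "CVSS >= 7": by_predicate(lambda v: v.cvss >= 7.0),
    "public exploit": by_predicate(lambda v: v.exploit_public),
    "everything": by_predicate(lambda v: True),
    "top 4 by CVSS": top_n(lambda v: v.cvss, 4),
}


def evaluate(vulns: List[Vuln] = VULNS, strategies: Dict[str, Strategy] = STRATEGIES):
    """Score each strategy against the same population."""
    return {name: coverage_efficiency(pick(vulns), vulns) for name, pick in strategies.items()}


if __name__ == "__main__":
    for name, (cov, eff) in evaluate().items():
        print(f"{name:16s} coverage={cov:.2f} efficiency={eff:.2f}")
```

Fixing everything always reaches coverage 1.0 but pays for it with efficiency equal to the base rate of exploitation, which is why a capacity-limited strategy is the realistic comparison; on this sample the public-exploit rule beats the CVSS threshold on both axes while remediating fewer vulnerabilities.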

Monthly Threat Round-up: September 2017

From the report, “Welcome to the Monthly Threat Roundup report for Sept 2017. At Paladion CTAC we continuously track emerging threats and vulnerabilities and provide you timely actionable intelligence to stay safe. We provide threat related IOC for auto-download that can be directly integrated with your security devices. We also provide advisories on how to prevent, detect and respond to latest attacker techniques. This report summarizes the key observations and analysis done by the CTAC team. It also includes insights and analysis related to global threats and incidents of the past month.”

Added: March 7, 2019


CISO Guide: Measuring and Enhancing Enterprise Cyber-Resilience

How is cyber-resilience defined and measured? How are breach risk and cyber resilience related, and what is the best way to improve cyber-resilience for an enterprise? This paper will answer these questions and shed light on steps you can take to improve the cyber-resilience of your enterprise.

Added: March 7, 2019


State Of Software Security Volume 9

“For a long time now, SOSS has provided a reliable yardstick for the most common vulnerabilities found in software, as well as how organizations are measuring up to security industry benchmarks throughout the software development lifecycle (SDLC). One thing we’ve always wanted to understand better, though, is how quickly these organizations are actually fixing flaws once they’ve been identified in application security scans. This year, we turned our data analysis up a notch by working with the data scientists at Cyentia Institute, so that we could gain better visibility into the factors that go into fixing flaws. Readers will find valuable insight on how factors like flaw severity, business criticality of applications, and exploitability of the flaws change the rate at which certain vulnerabilities are fixed.”

Added: November 4, 2018


2016 Vulnerability Statistics Report

This document discusses the vulnerabilities discovered by edgescan™ over the past year, 2016. The vulnerabilities discovered are a result of providing “fullstack” continuous vulnerability management to a wide range of client verticals: from small businesses to global enterprises, and from telecoms and media companies to software development, gaming, energy and medical organisations. The statistics are based on the continuous security assessment and management of over 57,000 systems distributed globally.

Added: October 26, 2018


Demystifying Vulnerability Management

This report takes a close look at vulnerability management and seeks to make it a far simpler task.

Added: October 26, 2018


Website Security Statistic Report

From the report, “Rather than provide a lengthy analysis of the data in this Stats Report in this introduction, we’ve decided instead to provide some “what this means to you” commentary at the end of the three main sections of the report; commentary that attempts to make the data relevant to Executives, Security practitioners and DevOps professionals. Security is a concern that spans multiple teams in an organization – from the board and C-suite, to IT and development teams, to the security team and beyond – and the data in this report will mean different things to these different audiences.”

Added: October 20, 2018
© Cyentia Institute 2025
Library updated: June 24, 2025 00:08 UTC (build b1d7be4)