
Shortcomings with CVE-overreliance and flaws in security scoring systems

Blog post from Detectify

Post Details
Author: Charlotte Kerridge
Word Count: 664
Summary

The "State of EASM 2023" report by Detectify provides insights into the state of attack surfaces across a diverse range of industries and highlights the limitations of relying solely on established vulnerability frameworks such as CVEs. Data from 235 companies across 30 countries shows that most of the vulnerabilities identified have no CVE assigned, underscoring the need for organizations to prioritize threats based on accurate, context-specific assessments rather than on CVE presence alone. The report observes that security teams often concentrate on vulnerabilities for which no exploit is available and thereby miss more significant threats, and it stresses the value of crowdsourced research for a more comprehensive security posture. The most common vulnerabilities identified in 2023 include SSL/TLS Hostname Mismatch and SQL Injection, with the Banking & Financial Services and Public Sector industries showing the highest share of critical-severity findings. Looking ahead to 2024, the report predicts continued evolution in threat prioritization, increased reliance on high-fidelity findings, further growth in crowdsourced research, and a need for ongoing market education so that External Attack Surface Management (EASM) can be integrated effectively into existing security strategies.