Rezilion and Ponemon Institute announced the release of “The State of Vulnerability Management in DevSecOps,” which reveals that organizations are losing thousands of hours in time and productivity dealing with a massive backlog of vulnerabilities that they have neither the time or resources to tackle effectively.
The finds 47% of security leaders report that they have a backlog of applications that have been identified as vulnerable. 66% say their backlog consists of more than 100,000 vulnerabilities and 54% say they were able to patch less than 50% of the vulnerabilities in the backlog. Thus, 78% of respondents say high-risk vulnerabilities in their environment take longer than 3 weeks to patch, with 29% noting it takes them longer than 5 weeks to patch.
Among the factors that keep teams from remediating are an inability to prioritize what needs to be fixed (47%), a lack of effective tools (43%), a lack of resources (38%), and not enough information about risks that would exploit vulnerabilities (45%). 28% also said remediation is too time-consuming.
Expensive and time-consuming hours are lost trying to wrangle massive backlogs on both the production and development side of software applications. The survey finds 77% of respondents say it takes longer than 21 minutes to detect, prioritize, and remediate just one vulnerability in production. This represents more than an hour of time spent on one vulnerability on the production side.
On the development side, more than 80% of organizations spend longer than 16 minutes to detect one vulnerability in development. Prioritization and remediation times are also long as 82% of respondents say it takes longer than 21 minutes to remediate one vulnerability in development and 85% say it takes longer than 16 minutes to prioritize one vulnerability in development.
“This is a significant loss of time and dollars spent just trying to get through the massive vulnerability backlogs that organizations’ possess,” said Liran Tancman, CEO of Rezilion, which sponsored the research. ”If you have more than 100,000 vulnerabilities in a backlog, and consider the number of minutes that are spent manually detecting, prioritizing, and remediating these vulnerabilities, that represents thousands of hours spent on vulnerability backlog management each year. These numbers make it clear that it is impossible to effectively manage a backlog without the proper tools to automate detection, prioritization, and remediation.”
Overall, a majority of respondents say it is either very difficult (36%) or difficult (25%) to remediate vulnerabilities in applications.
“We now have the data to track how much time vulnerabilities are stealing from teams across the software development life cycle (SDLC) and we know that it is a process that is not working effectively,” said Tancman. “Backlogs cannot continue to be closed in this manner because it extends the attack window for threat actors to exploit unpatched, exploitable vulnerabilities.
There are some tools and strategies that businesses are relying on with success to move the needle on backlog management. For example, 56% said they use automation for vulnerability remediation and, of those who do, most say it has yielded significant benefits. When asked how automation has impacted the time it takes to remediate vulnerabilities, 43% said there was a significantly shorter time to respond.
“Security teams and developers clearly need prioritization and automation to make their patching efforts more timely and efficient,” said Tancman.