Nearly half (47%) of IT and IT security practitioners said their organizations are yet to patch several application vulnerabilities, discovered as long as 12 months ago. According to findings from Rezilion’s The State of Vulnerability Management in DevSecOps, the vulnerability backlog exists due to a lack of appropriate prioritization and other factors.
Risk management goes hand-in-hand with prioritizing what security gaps need to be addressed first. However, Rezilion found that 45% of IT and IT security practitioners don’t have enough information about vulnerabilities, 43% lack the right and effective tools, 38% lack the right resources, 47% are unable to prioritize what needs to be fixed first, and 28% say it is too time-consuming.
As such, 66% of the respondents said their vulnerability backlog consists of over 100,000 bugs. Additionally, 54% said they could patch just 50% of the vulnerabilities in the backlog.
It takes more than 21 minutes for organizations to detect, prioritize and remediate a single vulnerability in production. It gets worse in development, where teams need 16 minutes to catch a vulnerability, 23 minutes to prioritize it and 12 minutes to remediate it.
Figure: Time to detect, prioritize and remediate one vulnerability (Source: Rezilion)
“This is a significant loss of time and dollars spent just trying to get through the massive vulnerability backlogs that organizations possess,” said Liran Tancman, CEO of Rezilion. “If you have more than 100,000 vulnerabilities in a backlog, and consider the number of minutes that are spent manually detecting, prioritizing, and remediating these vulnerabilities, that represents thousands of hours spent on vulnerability backlog management each year.”
43% agreed that automation reduces the time to remediate a vulnerability. “Automation, according to the IT security professionals participating in our study, can make a significant difference in the time it takes to remediate vulnerabilities,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute, which Rezilion commissioned for the study.
DevSecOps helps: a mature DevSecOps process, with security integrated into every stage of the development cycle, can boost vulnerability management. Yet just 29% of respondents have successfully transitioned from DevOps to DevSecOps; 40% of respondents are in the middle stage of DevSecOps, while 31% are in the early stages.
The two biggest reasons why DevSecOps is adopted are to reduce the time to patch vulnerabilities (45%) and to bring about an improvement in the collaboration between development, security and operations (45%), followed by automating security without affecting the SDLC (41%), cost reduction (40%), and elimination of duplicative review (40%).
Only 19% said they adopted DevSecOps to reduce the vulnerability backlog.
The good news is that 52% of organizations are effective when it comes to prioritizing critical vulnerabilities. Overall, for all vulnerabilities, i.e., critical and otherwise, 43% of organizations are effective at timely patching.
The inability to track whether a patch is rolled out in time, the inability to take critical systems offline, the lack of a common view of applications and assets across security and IT teams, and the lack of resources are some of the top reasons why vulnerability patching is delayed.
Dr. Larry Ponemon added, “This points to the need for DevSecOps and the development team to be aligned on what needs to be done to meet customers’ expectations for both quality and secure applications. Survey respondents also consider it important to perform tests as part of the workflow instead of stopping, testing, fixing and restarting development.”
Note: Rezilion’s The State of Vulnerability Management in DevSecOps report is based on responses from 348 IT and IT security practitioners working in organizations ranging from fewer than 1,000 employees to more than 75,000, across 11 different sectors.