Highlights:

  • The survey reveals that 47% of security leaders reported having a backlog of applications that have been recognized as vulnerable.
  • Most respondents (78%) indicate it takes more than three weeks to patch high-risk vulnerabilities in their environment.

Rezilion, an automated vulnerability management platform accelerating software security, and Ponemon Institute announced the release of “The State of Vulnerability Management in DevSecOps.” The report reveals that organizations are losing thousands of hours in time and productivity due to a massive backlog of vulnerabilities, and that they have neither the time nor the resources to address it effectively.

The survey reveals that 47% of security leaders reported having a backlog of applications that have been recognized as vulnerable. According to the statistics, more than 66% of the respondents said their backlog has more than 100,000 vulnerabilities, and the average number of vulnerabilities in backlogs is a staggering 1.1 million. Worse, 54% claim they were able to fix fewer than 50% of the vulnerabilities in the backlog. Most respondents (78%) indicate it takes more than three weeks to patch high-risk vulnerabilities in their environment, with the greatest share (29%) stating that it takes longer than five weeks.

Dr Larry Ponemon, chairman and founder of Ponemon Institute, said, “We believe the research shines the light on the challenges organizations face in managing their growing backlog of vulnerabilities. On average, 1.1 million individual vulnerabilities were in this backlog in the past 12 months, and less than half were remediated. According to the IT security professionals participating in our study, automation can significantly affect the time it takes to remediate vulnerabilities.”

Among the reasons that prevent teams from remediating are an inability to prioritize what needs to be addressed (47%), lack of adequate tools (43%), lack of resources (38%), and insufficient knowledge about threats that would exploit vulnerabilities (45%). Additionally, more than a quarter (28%) stated that clean-up is too time-intensive.

Costly hours are spent trying to wrangle huge backlogs on both the production and development side of software applications. The survey found that 77% of respondents think each step needed to discover, prioritize, and address a single production vulnerability takes more than 21 minutes, which adds up to more than an hour of production-side effort spent on a single vulnerability.

On the development side, over 80% of firms require more than 16 minutes to discover a single vulnerability. Prioritization and remediation durations are likewise lengthy, with 82% of respondents indicating that it takes more than 21 minutes to fix one vulnerability in development and 85% indicating that it takes more than 16 minutes to prioritize one vulnerability.

Liran Tancman, CEO of Rezilion, who sponsored the research, said, “This is a significant loss of time and dollars spent trying to get through the massive vulnerability backlogs that organizations possess. Suppose you have more than 100,000 vulnerabilities in a backlog and consider the number of minutes spent manually detecting, prioritizing, and remediating these vulnerabilities, representing thousands of hours spent on vulnerability backlog management each year. These numbers make it clear that it is impossible to effectively manage a backlog without the proper tools to automate detection, prioritization, and remediation.”

A majority of respondents believed that it is extremely difficult (36%) or difficult (25%) to eliminate application vulnerabilities. To manage backlogs effectively, organizations rely on several tools and tactics. For instance, a majority of respondents (56%) indicated they use automation for vulnerability remediation, and most of them claim it has provided substantial advantages. When asked how automation has affected the time required to fix vulnerabilities, 43% of respondents indicated that remediation time had been significantly reduced.

Liran Tancman further said, “We now have the data to track how much time vulnerabilities are stealing from teams across the Software Development Life Cycle (SDLC), and we know that it is a process that is not working effectively. Backlogs cannot continue to be closed because it extends the attack window for threat actors to exploit unpatched, exploitable vulnerabilities. Security teams and developers need prioritization and automation to make their patching efforts more timely and efficient.”