Developers and Security Teams Need Their Time Back
Software development and security professionals might find themselves frequently at odds with each other over a variety of issues, such as how much security control is needed in the development process. But one thing they agree on is that there isn’t enough time to accomplish all they want to meet their goals and responsibilities.
This sense of urgency is to a large degree a component of the digital age. In today’s software-driven world, businesses and consumers want new applications and upgrades delivered quickly. They have come to rely on software, and lots of it, to perform all kinds of tasks at work and in their personal lives.
If companies don’t deliver software on time, they risk losing out to competitors in the race to win customers. So it’s easy to see why development professionals feel the time crunch.
Security teams also experience time pressures, because focusing on speed to market can increase risk. Velocity comes at the cost of delivering software that includes more vulnerabilities. It’s the security teams that need to address these flaws quickly, before they can be exploited by bad actors and become a major problem.
How Do You Save Time In Dev Without Sacrificing Security?
As the number of discovered vulnerabilities continues to increase, patching backlogs grow longer—and so do exposure windows. Attackers are waiting to strike, and given enough opportunity they will eventually be successful.
The upshot is that companies face a maddening paradox: innovate quickly, or eliminate critical risk to their business. Leaders at organizations need to find an effective way to balance time-to-market requirements with the time needed to secure their software effectively.
How can they do this? One major time saver is to patch only those vulnerabilities that matter. New research by Rezilion shows that a large majority of software vulnerabilities (85%) pose no risk to organizations.
As the report notes, a popular prioritization methodology is the Common Vulnerability Scoring System (CVSS), an open framework for communicating the characteristics and severity of software vulnerabilities.
But a vulnerability is only as dangerous as the threat exploiting it, and 95% of vulnerabilities with “high severity” CVSS scores have never been seen exploited in the wild or linked to breaches.
Rezilion researchers examined 20 of the most popular container images on DockerHub that have collectively been downloaded and deployed billions of times, as well as several base operating system images from leading cloud providers, to assess how many vulnerabilities are not applicable and which vulnerabilities pose an actual risk.
An analysis of the container images found more than 4,347 known vulnerabilities; patching all of them at once would be tedious and virtually impossible. But during the course of testing, on average only about 15% of the vulnerabilities found were ever loaded into memory. The remaining vulnerable code was never loaded, and a flaw that is never loaded cannot be reached by an attacker, so it poses no runtime threat.
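The filtering step described above can be sketched in a few lines. The following is an added example written for this page; it is not Rezilion's code and does not reproduce the report's methodology. It assumes a scanner report that records, for each finding, the on-disk path of the vulnerable library or binary, and it decides "loaded into memory" by matching those paths against the file-backed mappings in a Linux /proc/<pid>/maps listing (the format is real; the addresses, paths, finding IDs and the known-exploited list are all constructed placeholders).

```python
"""Runtime-aware vulnerability triage (added illustration, not Rezilion's code).

Combines three signals per finding: CVSS score, whether the vulnerable file is
mapped into a running process, and whether the finding is on a known-exploited
list. Findings whose code is never loaded are deferred; loaded and actively
exploited ones go to the top of the queue.
"""
import re
from collections import Counter

# Constructed findings for one container image. IDs, packages and paths are placeholders.
FINDINGS = [
    {"id": "VULN-EXAMPLE-0001", "package": "libexample-tls", "cvss": 9.8,
     "path": "/usr/lib/x86_64-linux-gnu/libexample-tls.so.3"},
    {"id": "VULN-EXAMPLE-0002", "package": "libexample-xml", "cvss": 7.5,
     "path": "/usr/lib/x86_64-linux-gnu/libexample-xml.so.2"},
    {"id": "VULN-EXAMPLE-0003", "package": "example-imagetool", "cvss": 8.8,
     "path": "/usr/bin/example-imagetool"},
    {"id": "VULN-EXAMPLE-0004", "package": "libexample-compress", "cvss": 5.3,
     "path": "/usr/lib/x86_64-linux-gnu/libexample-compress.so.1"},
]

# Constructed /proc/<pid>/maps excerpt: real line format, made-up addresses and paths.
MAPS_SAMPLE = """\
5588c2e00000-5588c2e7f000 r-xp 00000000 fd:01 1310721 /usr/sbin/example-httpd
7f1a0c000000-7f1a0c1a0000 r-xp 00000000 fd:01 1310987 /usr/lib/x86_64-linux-gnu/libexample-tls.so.3
7f1a0c1a0000-7f1a0c1c0000 rw-p 001a0000 fd:01 1310987 /usr/lib/x86_64-linux-gnu/libexample-tls.so.3
7f1a0c200000-7f1a0c220000 r-xp 00000000 fd:01 1311002 /usr/lib/x86_64-linux-gnu/libexample-compress.so.1
7ffd3e900000-7ffd3e921000 rw-p 00000000 00:00 0 [stack]
"""

# Constructed "known exploited" set; a real deployment would load this from a
# curated threat feed, which is outside the scope of this example.
KNOWN_EXPLOITED = {"VULN-EXAMPLE-0001"}

# maps line: start-end perms offset dev inode [path]; only file-backed paths start with '/'.
_MAPS_RE = re.compile(r"^[0-9a-f]+-[0-9a-f]+\s+\S+\s+\S+\s+\S+\s+\d+\s+(/\S.*)$")


def loaded_paths(maps_text):
    """Return the set of file-backed paths mapped into the process."""
    paths = set()
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line.strip())
        if m:
            paths.add(m.group(1))
    return paths


def triage(findings, loaded, known_exploited=frozenset()):
    """Assign a tier to each finding and return them in work order."""
    result = []
    for f in findings:
        is_loaded = f["path"] in loaded
        if not is_loaded:
            tier = "defer"          # code never mapped: no runtime exposure in this snapshot
        elif f["id"] in known_exploited:
            tier = "patch-now"      # exposed at runtime and actively exploited
        elif f["cvss"] >= 7.0:      # CVSS v3 "High" band starts at 7.0
            tier = "schedule"
        else:
            tier = "monitor"
        result.append({**f, "loaded": is_loaded, "tier": tier})
    order = {"patch-now": 0, "schedule": 1, "monitor": 2, "defer": 3}
    result.sort(key=lambda r: (order[r["tier"]], -r["cvss"]))
    return result


def summary(triaged):
    """Counts a team can report: how many findings are actually loaded, per tier."""
    counts = Counter(r["tier"] for r in triaged)
    loaded = sum(1 for r in triaged if r["loaded"])
    return {"total": len(triaged), "loaded": loaded, "tiers": dict(counts)}


if __name__ == "__main__":
    queue = triage(FINDINGS, loaded_paths(MAPS_SAMPLE), KNOWN_EXPLOITED)
    for r in queue:
        print(f"{r['tier']:9} {r['id']} cvss={r['cvss']} loaded={r['loaded']}")
    print(summary(queue))
```

Two caveats a practitioner would want before trusting the "defer" tier: a single maps snapshot only proves what was loaded at that moment, so libraries pulled in later via dlopen, plugins, or short-lived helper processes are missed unless sampling is repeated across the workload's lifecycle; and "loaded" is a necessary, not sufficient, condition for exposure, since the vulnerable function still has to be reachable from untrusted input. In this constructed run, VULN-EXAMPLE-0003 carries a higher CVSS score than VULN-EXAMPLE-0004 yet sorts below it, because its binary never appears in memory.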
What Do New Findings On Vulnerability Risk Mean For a Time-Crunched Team?
The findings have major implications for security teams, which can focus their limited resources on those vulnerabilities that actually pose a real threat of exploitation. They can save development time and also avoid delays in getting releases out the door.
Organizations need to invest in tools that allow them to prioritize software vulnerabilities so that they only focus on the real threats. Ultimately, such tools provide greater visibility into the attack surface, so that time is spent on patching what matters. This gains back time for both security teams and developers.
To learn more, download the report at https://www.rezilion.com/runtime-analysis-research. Get a free trial of Rezilion’s platform to identify all vulnerabilities present in a given software environment and validate their exploitability. Sign up instantly at Rezilion.com/get-started.