How to Improve Vulnerability Management in the SDLC
Organizations are facing significant challenges with software vulnerabilities throughout the software development lifecycle (SDLC). Many still spend a lot of time to detect and prioritize one vulnerability in both development and production, indicating there is room for improvement in vulnerability management, according to a new survey from Ponemon Institute on behalf of Rezilion.
On average, nearly half (47%) of respondents said it takes more than 30 minutes to detect one vulnerability in production, and 26% said it takes more than 30 minutes to detect one vulnerability in development.
Further results below indicate that many organizations lack tools to adequately automate vulnerability management tasks (including discovery, validation, prioritization, and risk-based remediation/patching processes) across the full development lifecycle. This creates a significant lag in closing holes in the security posture: 58% of respondents need six weeks or more to patch critical flaws.
Vulnerability Management Capabilities Are Lacking
Respondents were asked to rate on a scale of one to 10 how effective their organization is at prioritizing the most critical vulnerabilities. Only 29% reported their organization is highly effective at doing this.
Similarly, just 30% said their organization is effective at patching vulnerabilities in a timely manner.
Prioritizing & Remediating Vulnerabilities is a Struggle
Forty percent of respondents report that on average, it takes more than 30 minutes to prioritize one vulnerability in development.
Slightly less (36%) said that on average, it takes more than 30 minutes to prioritize one vulnerability in production. Forty-one percent said it takes between 21 minutes and 30 minutes to prioritize.
When it comes to being able to remediate one vulnerability in development, 45% said it takes between 21 minutes and 30 minutes while 37% said more than 30 minutes.
On average, 45% of respondents said it takes more than 30 minutes to remediate one vulnerability in production while 32% said it takes between 21 minutes and 30 minutes.
The survey also broke down detection of a single vulnerability by IT/infrastructure engineers and vulnerability management teams.
Thirty-two percent of respondents said that on average, it take 5 to 10 minutes for IT/infrastructure engineers to detect one vulnerability, while 25% reported it takes less than five minutes.
On average, 33% said it takes an average of five minutes to 10 minutes to detect one vulnerability by vulnerability management teams, while 32% said it takes less than five minutes.
When it comes to prioritizing one vulnerability by IT/infrastructure engineers, 26% said more than 30 minutes, while 23% said between 21 minutes and 30 minutes.
On average, it takes 32% of vulnerability management teams less than five minutes, while 24% reported it takes between five minutes and 10 minutes.
In terms of remediating one vulnerability by IT/infrastructure engineers, on average, 39% said between five and 10 minutes, while 21% said less than five minutes.
Thirty-three percent said that on average, it take 11 minutes to 15 minutes for vulnerability management teams to remediate one vulnerability.
Responses varied widely when asked “Once you detect a critical or high-risk vulnerability in your environment, on average how long does it take to patch?,” 14% said six weeks, 16% said seven weeks, 15% said eight weeks, and 13% said nine weeks.
Automation is Key to Enhancing Vulnerability Management in the SDLC
Some 65% of respondents said that having the ability to perform tests as part of the workflow instead of stopping, testing, fixing, and restarting development is either important or very important.
On the heels of that, 61% said that automating vulnerability scanning and remediation at every stage of the SDLC is either important or very important.
Automation is clearly packing a punch. When asked, “Does your organization use automation to assist with vulnerability management?,” 56% said yes.
Among those who replied yes, they were asked the follow-up question, “What steps do you automate?’’ The responses were patching (59%), prioritization (47%), and reporting (41%).
When asked “How has automation impacted the time it takes to remediate vulnerabilities?,” 43% said it has significantly shortened the time to respond.
Ponemon Institute surveyed 634 IT and IT security practitioners who are knowledgeable about their organizations’ attack surface and effectiveness in managing vulnerabilities. Read the full report, The State of Vulnerability Management in DevSecOps, today.