It’s About Time: Ponemon Report Reveals How Many Hours Organizations Are Losing to Vulnerability Management
If there is one thing we all want more of in life, it’s time. And there are few places where we are more pinched for time than on the job. With so many tasks and deliverables to get done, it rarely seems like we have enough hours in the day to tackle it all. In the world of software security, developers experience this daily as they work to ship code without vulnerabilities. The need to ensure products are free from flaws stifles the pace of innovation and introduces potentially dangerous issues that can be exploited by criminals.
How much does time really matter when it comes to software security? A new survey released today by Ponemon, and sponsored by Rezilion, illuminates just how many hours in time and productivity developers and security teams spend dealing with a massive backlog of vulnerabilities that they are responsible for managing annually in order to keep their organizations safe.
The new, free report is available to you today. Titled The State of Vulnerability Management in DevSecOps, it finds 47% of security leaders report they have a backlog of applications that have been identified as vulnerable – and those backlogs are a behemoth facing these teams. We are talking 100,000+ vulnerabilities as 66% say their backlog contains at least that many vulnerabilities. But remediating those vulnerabilities is barely getting done as 54% say they were able to patch less than 50% of the vulnerabilities in the backlog.
“We believe the research shines the light on the challenges organizations face in managing their growing backlog of vulnerabilities,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute. “On average, 1.1 million individual vulnerabilities were in this backlog in the past 12 months and less than half were remediated.”
Hours Wasted Annually Wrestling the Backlog Beast
The massive backlogs that organizations possess translate into dollars and productivity lost on both the production and development side of software applications. The survey finds 77% of respondents say it takes longer than 21 minutes to detect, longer than 21 minutes to prioritize, and longer than 21 minutes to remediate just one vulnerability in production. Taken together, that is more than an hour spent on a single vulnerability on the production side.
On the development side, things are even more challenging. More than 80% of organizations spend longer than 16 minutes to detect one vulnerability in development. Prioritizing and remediation times are also long as 82% of respondents say it takes longer than 21 minutes to remediate one vulnerability in development and 85% say it takes longer than 16 minutes to prioritize one vulnerability in development.
These long windows of time show just how much time and money is lost each year on backlogs – and for minimal payoff, as many vulnerabilities still remain open. With more than 100,000 vulnerabilities in a backlog, and countless minutes spent manually detecting, prioritizing, and remediating each one, teams are spending thousands of hours on vulnerability backlog management every year.
Most respondents (78%) say high-risk vulnerabilities in their environment take longer than 3 weeks to patch, with the largest percentage (29%) noting it takes them longer than 5 weeks to patch.
It’s Time for a New Way Forward with Vulnerability Management
Why is it taking so long to detect, prioritize and remediate vulnerabilities? The people who responded to the survey say an inability to prioritize what needs to be fixed (47%), a lack of effective tools (43%), a lack of resources (38%), and not enough information about risks that would exploit vulnerabilities (45%) are their top challenges. More than a quarter (28%) also said remediation is too time-consuming.
Overall, a majority of respondents say it is either very difficult (36%) or difficult (25%) to remediate vulnerabilities in applications.
“What was surprising is that less than half of organizations represented in this research believe their teams can be innovative while ensuring the security of applications,” said Dr. Larry Ponemon. “This points to the need for DevSecOps and the development team to be aligned on what needs to be done to meet customers’ expectations for both quality and secure applications. Survey respondents also consider it important to perform tests as part of the workflow instead of stopping, testing, fixing and restarting development.”
So, what can be done? There is an answer to many of these challenges – and a way to take the process of detecting, prioritizing and remediating vulnerabilities from a time-sapping process to an efficient and seamless system. That is through automation. A majority of respondents (56%) say they use automation for vulnerability remediation and, of those who do, most say it has yielded significant benefits – including time saved. When asked how automation has impacted the time it takes to remediate vulnerabilities, 43% said there was a significantly shorter time to respond.
Download a copy of the report today to understand more about the current landscape of vulnerability management in DevSecOps. Ready to explore the solution? Book a private demo meeting today to learn how Rezilion helps teams address backlogs quickly, seamlessly and without disruption to productivity.