Rezilion and Ponemon Release New Report; Finds Thousands of Hours Lost to Vulnerability Backlog Management Due to Lack of Prioritization and Automation
BE’ER SHEVA, Israel (September 14, 2022) – Rezilion, an automated vulnerability management platform accelerating software security, and Ponemon Institute announced today the release of “The State of Vulnerability Management in DevSecOps,” which reveals that organizations are losing thousands of hours in time and productivity dealing with a massive backlog of vulnerabilities that they have neither the time nor the resources to tackle effectively.
The report highlights that 47% of security leaders report having a backlog of applications that have been identified as vulnerable. More than half (66%) say their backlog consists of more than 100,000 vulnerabilities, and the average number of vulnerabilities in backlogs overall is a mind-boggling 1.1 million, according to the data. Even more concerning, 54% say they were able to patch less than 50% of the vulnerabilities in the backlog. Most respondents (78%) say high-risk vulnerabilities in their environment take longer than 3 weeks to patch, with the largest share (29%) noting it takes them longer than 5 weeks to patch.
“We believe the research shines the light on the challenges organizations face in managing their growing backlog of vulnerabilities,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute. “On average, 1.1 million individual vulnerabilities were in this backlog in the past 12 months and less than half were remediated. Automation, according to the IT security professionals participating in our study, can make a significant difference in the time it takes to remediate vulnerabilities.”
Among the factors that keep teams from remediating are an inability to prioritize what needs to be fixed (47%), a lack of effective tools (43%), a lack of resources (38%), and not enough information about the risk that a vulnerability will be exploited (45%). More than a quarter (28%) also said remediation is too time-consuming.
Expensive and time-consuming hours are lost trying to wrangle massive backlogs on both the production and development side of software applications. The survey finds 77% of respondents say it takes longer than 21 minutes each to detect, prioritize, and remediate just one vulnerability in production. Taken together, that is more than an hour spent on a single vulnerability on the production side.
On the development side, more than 80% of organizations spend longer than 16 minutes to detect one vulnerability in development. Prioritization and remediation times are also long: 82% of respondents say it takes longer than 21 minutes to remediate one vulnerability in development, and 85% say it takes longer than 16 minutes to prioritize one vulnerability in development.
“This is a significant loss of time and dollars spent just trying to get through the massive vulnerability backlogs that organizations possess,” said Liran Tancman, CEO of Rezilion, which sponsored the research. “If you have more than 100,000 vulnerabilities in a backlog, and consider the number of minutes that are spent manually detecting, prioritizing, and remediating these vulnerabilities, that represents thousands of hours spent on vulnerability backlog management each year. These numbers make it clear that it is impossible to effectively manage a backlog without the proper tools to automate detection, prioritization, and remediation.”
Overall, a majority of respondents say it is either very difficult (36%) or difficult (25%) to remediate vulnerabilities in applications. There are some tools and strategies that businesses are relying on with success to move the needle on backlog management. For example, a majority (56%) said they use automation for vulnerability remediation and, of those who do, most say it has yielded significant benefits. When asked how automation has impacted the time it takes to remediate vulnerabilities, 43% said there was a significantly shorter time to respond.
“We now have the data to track how much time vulnerabilities are stealing from teams across the Software Development Life Cycle (SDLC) and we know that it is a process that is not working effectively,” said Tancman. “Backlogs cannot continue to be closed in this manner because it extends the attack window for threat actors to exploit unpatched, exploitable vulnerabilities. Security teams and developers clearly need prioritization and automation to make their patching efforts more timely and efficient.”
Participants were selected from a sampling frame of 16,510 IT and IT security practitioners who are knowledgeable about their organizations’ attack surface and effectiveness in managing vulnerabilities; Ponemon Institute surveyed 634 of them. All organizations have adopted DevSecOps or are in the process of adopting a DevSecOps approach.
To download the full report please visit: https://www.rezilion.com/lp/its-about-time-ponemon-survey/.
Rezilion’s platform quickly and seamlessly tackles your vulnerability backlog with automation. The platform’s continuous runtime analysis detects vulnerable software components on any layer of the software stack and determines their exploitability, filtering out up to 95% of identified vulnerabilities. Rezilion then automatically mitigates exploitable vulnerabilities across the SDLC, reducing vulnerability backlogs and remediation timelines from months to hours, while giving DevOps teams time back to build.
Learn more about Rezilion’s software attack surface management platform at www.rezilion.com to get a 30-day free trial.