The Time is Now to Eliminate Vulnerability Backlogs
There are three things in life you can count on: death, taxes, and vulnerability backlogs. Eliminating them has become a major thorn in the side of DevSecOps professionals because it’s not always clear which ones need to be addressed and how quickly.
That’s the key: being able to assess, prioritize, and then remediate vulnerabilities.
Yet a new report from the Ponemon Institute, sponsored by Rezilion, finds that on average, respondents had a backlog of a whopping 1.1 million individual vulnerabilities in the past 12 months, and less than half of those (46%) were remediated. Some 47% say they are unable to prioritize what needs to be fixed.
There is a plethora of vulnerability and scanning tools covering every aspect of the tech infrastructure, from network to applications to cloud to mobile. But the Ponemon report reveals that 43% of respondents don’t find them to be effective. There are also penetration testing programs that provide data on the latest vulnerabilities, and vendors issuing notices and patches. But it gets overwhelming. Meanwhile, the backlog grows. And grows.
So developers end up spending too much time grappling with which vulnerabilities to deal with first, which delays time to market and leads to significant revenue and time loss. Long remediation timelines increase the likelihood of exploitation.
There are four steps organizations should take to eliminate their vulnerability backlog. Here is a breakdown of those steps.
First and foremost is to use a software bill of materials (SBOM). While 41% of respondents say their organization uses an SBOM, it is not dynamic, meaning that CISOs and product security and compliance officers have to spend time manually inputting changes. Another issue with static SBOMs is that they don’t provide full visibility and often, they are only available in certain parts of the software stack. This causes delays and uncertainty, which result in risk.
By comparison, a Dynamic SBOM provides real-time visibility into all software components as well as how those components are actually being executed at runtime. DevSecOps teams can also identify known vulnerabilities associated with the software components in their organization’s SBOM.
Prioritize vulnerabilities for remediation
The next step is to create a plan for prioritizing vulnerabilities. This includes assessing/identifying all assets and then applying context since not all vulnerabilities are created equal. It all depends on where the bug resides and whether it can impact the availability of a critical business function.
Often, organizations rely on the Common Vulnerability Scoring System (CVSS) to cull the herd.
Organizations should “focus on the vulnerabilities that are being exploited in the wild,” according to Craig Lawson, a VP analyst at Gartner, in a blog post. “That should be the No. 1 goal and will drive down the most risk the fastest.”
Resolve to remediate!
Then it’s time to develop a remediation plan to patch and remove offending components. The plan should include a comprehensive view of all your IT assets, and it should be continually updated.
A new approach is clearly needed. More than a quarter (28%) of respondents to the Rezilion/Ponemon report say remediation is too time-consuming. Overall, a majority of respondents say it is either very difficult (36%) or difficult (25%) to remediate vulnerabilities in applications.
So what can you do? The study found that tools with automation capabilities are yielding benefits with vulnerability remediation for 56% of respondents. One way automation is impacting the time to remediate is by reducing the response time (43%).
Finally, organizations should embrace a “shift left” mindset and make DevSecOps a priority. A DevSecOps framework adds automated security testing and coordination to all phases of the software lifecycle right from the start of the build process, rather than saving vulnerability tests for the final software review stages — or not doing them at all.
This approach can reduce vulnerability backlogs by up to 85%, and the patching effort with them, by identifying vulnerabilities that are not exploitable in your environment. That way, developers can fix what matters most and not waste time.
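The prioritization the post describes (runtime visibility from a dynamic SBOM, CVSS as a first cut, exploited-in-the-wild status ranked ahead of raw severity, and components that never load in your environment deferred to the back of the queue) as an added Python example; this is not code from the post or from Rezilion. The SBOM inventory, the vulnerability feed, the `VULN-PLACEHOLDER-*` ids, the `loaded_at_runtime` and `critical_service` flags, and the tier thresholds are all constructed for illustration and stand in for whatever your SBOM tooling and vulnerability feeds actually provide.

```python
# Added example: a small prioritization pass over a constructed SBOM joined
# against a constructed vulnerability feed. Not the post's or any vendor's code.

# Constructed SBOM (not a real project's inventory). "loaded_at_runtime" is the
# signal a dynamic SBOM adds over a static one: was the component actually
# executed? "critical_service" is business context supplied by asset inventory.
SBOM = [
    {"name": "example-parser",   "version": "2.3.1", "loaded_at_runtime": True,  "critical_service": True},
    {"name": "legacy-image-lib", "version": "0.9.0", "loaded_at_runtime": False, "critical_service": True},
    {"name": "web-framework",    "version": "4.1.0", "loaded_at_runtime": True,  "critical_service": False},
    {"name": "cli-helper",       "version": "1.2.0", "loaded_at_runtime": True,  "critical_service": False},
]

# Constructed vulnerability feed with placeholder ids (not real CVE numbers).
# "fixed_in" is the first non-affected version; "exploited_in_wild" stands in
# for a known-exploited flag from whatever threat-intel feed you subscribe to.
VULNS = [
    {"id": "VULN-PLACEHOLDER-1", "component": "example-parser",   "fixed_in": "2.4.0", "cvss": 9.8, "exploited_in_wild": True},
    {"id": "VULN-PLACEHOLDER-2", "component": "example-parser",   "fixed_in": "2.3.0", "cvss": 5.3, "exploited_in_wild": False},
    {"id": "VULN-PLACEHOLDER-3", "component": "legacy-image-lib", "fixed_in": "1.0.0", "cvss": 9.1, "exploited_in_wild": True},
    {"id": "VULN-PLACEHOLDER-4", "component": "web-framework",    "fixed_in": "4.2.0", "cvss": 7.5, "exploited_in_wild": False},
    {"id": "VULN-PLACEHOLDER-5", "component": "cli-helper",       "fixed_in": "1.3.0", "cvss": 4.0, "exploited_in_wild": False},
]


def version_tuple(version):
    """Turn a dotted numeric version string into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def is_affected(installed, fixed_in):
    """A component is affected when its installed version predates the fix."""
    return version_tuple(installed) < version_tuple(fixed_in)


def match_vulnerabilities(sbom, vulns):
    """Join the SBOM against the feed; one finding per affected (component, vuln) pair."""
    by_name = {component["name"]: component for component in sbom}
    findings = []
    for vuln in vulns:
        component = by_name.get(vuln["component"])
        if component is None or not is_affected(component["version"], vuln["fixed_in"]):
            continue  # not in the inventory, or already on a fixed version
        findings.append({
            **vuln,
            "version": component["version"],
            "loaded_at_runtime": component["loaded_at_runtime"],
            "critical_service": component["critical_service"],
        })
    return findings


def tier(finding):
    """Tier 1 is most urgent. Runtime reachability gates everything: a component
    that is never loaded is a backlog candidate regardless of its CVSS score."""
    if not finding["loaded_at_runtime"]:
        return 4
    if finding["exploited_in_wild"]:
        return 1
    if finding["cvss"] >= 7.0 or finding["critical_service"]:
        return 2
    return 3


def prioritize(sbom, vulns):
    """Return affected findings ordered by tier, then CVSS, then service criticality."""
    findings = match_vulnerabilities(sbom, vulns)
    for finding in findings:
        finding["tier"] = tier(finding)
    return sorted(findings, key=lambda f: (f["tier"], -f["cvss"], not f["critical_service"]))


def summarize(ranked):
    """Count findings per tier so the size of the 'fix now' queue is visible."""
    counts = {1: 0, 2: 0, 3: 0, 4: 0}
    for finding in ranked:
        counts[finding["tier"]] += 1
    return counts


if __name__ == "__main__":
    ranked = prioritize(SBOM, VULNS)
    for f in ranked:
        print(f"tier {f['tier']}  {f['id']:<20} {f['component']}@{f['version']}  "
              f"cvss={f['cvss']}  exploited={f['exploited_in_wild']}  runtime={f['loaded_at_runtime']}")
    print("per-tier counts:", summarize(ranked))
```

With the constructed data, the exploited-in-the-wild finding in a component that is actually loaded lands in tier 1, the CVSS 9.1 finding in a library that never executes drops to tier 4, and the feed entry whose fix is already installed is filtered out before it can inflate the backlog. Swap the hard-coded lists for your SBOM export and vulnerability feed, and the thresholds for whatever your risk policy says.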
Reducing the time it takes to patch vulnerabilities was the primary reason 45% of respondents adopted DevSecOps. Having a focused approach to prioritization and remediation of risks (33%) was another.
The DevSecOps culture encourages greater cross-team collaboration and this can only lead to better cooperation and communication and the ability to resolve issues more quickly.
In a world where threats and breaches have become commonplace, security must play a more prominent role during the entire software development lifecycle. Couple that with automation to address software flaws more quickly and this will slam the door shut on bad actors before they have a chance to cause harm.
To learn more, read our guide to eliminating vulnerability backlogs today.