Vulnerability Management Is Broken. Here’s How to Fix it  

Puzzle pieces that do not go together

For many organizations, the process of managing software vulnerabilities is not working, and it’s failing to enable security teams to address the software flaws that can lead to major security attacks.

A new study by independent research and education firm Ponemon Institute, based on a survey of 634 IT and security leaders, found that organizations are losing thousands of hours in time and productivity as they deal with a huge backlog of vulnerabilities. They don’t have the resources they need to address these flaws effectively, and the problem will likely get worse.

Nearly half of the respondents said they have a backlog of applications that have been identified as vulnerable, and two thirds said their backlog consists of more than 100,000 vulnerabilities. More than half said they were able to patch less than 50% of the vulnerabilities in the backlog.

The result? A majority of the respondents said high-risk vulnerabilities in their environment are taking more than three weeks to patch, and nearly 30% said it takes them longer than five weeks to patch software bugs. On average, 1.1 million vulnerabilities were in the backlog in the past 12 months.

All of this adds up to an unacceptable situation that’s putting many organizations at high risk.

Current Vulnerability Management Processes and Systems Don’t Work

Several factors are creating challenges for organizations as they try to address the vulnerability backlog. One is the inability to prioritize what needs to be fixed. Another is not having enough information about risks that would exploit vulnerabilities, and yet another is a lack of effective tools and resources.

Many organizations are expending productivity-draining hours trying to address the massive backlogs. For example, 77% said it takes 21 minutes or longer to detect, prioritize and remediate just a single vulnerability in production.

At the same time, many enterprises are struggling to make the most of DevSecOps, a key component for ensuring secure software development. They are facing obstacles to optimizing their use of the model, including the lack of the right security tools, lack of workflow integration, the growing vulnerability backlog, and the growth in application security vulnerabilities.

Automation is Key for Effective Vulnerability Management

The Ponemon research makes it clear that organizations need the right tools and strategies to automate the processes of detection, prioritization and remediation of vulnerabilities. Otherwise they can’t realistically manage the vulnerability backlog.

Those organizations that are using automation for vulnerability management are seeing results. For example, more than half of the respondents said their organization uses automation for vulnerability remediation, and of those most said it has yielded significant benefits. When asked how automation has impacted the time it takes to remediate vulnerabilities, 43% said there was a significantly shorter time to respond.

One of the shortcomings of vulnerability management today is the inability to prioritize vulnerabilities, and the key to successful prioritization is to automate the process. For example, security teams need tools to automatically determine which vulnerabilities could really be exploited in their environment. This avoids spending precious time and resources patching those that don’t truly create risk for the organization (because, for example, the vulnerable function is never loaded in memory, or other security controls prevent it from being exploited).

In addition to automation, having a mature DevSecOps program should be a big part of the vulnerability management strategy. Organizations must take the necessary steps to advance their DevSecOps programs. A well-designed program will improve overall security posture while reducing the ‘drag’ or friction on development that manual security tasks and processes can create.

To learn more about how to enhance vulnerability management and software security, read our new guide on managing vulnerability management in DevSecOps, which taps takeaways from the Ponemon research to make recommendations for strategies and best practices.


Reduce your patching efforts by
85% or more in less than 10 minutes