Vulnerability Prioritization is Critical for Tackling a Growing Software Attack Surface


Security leaders are highly concerned about a growing software attack surface, yet few feel confident in their ability to see it and manage it, according to a new survey conducted by Ponemon Institute and sponsored by Rezilion.

Most of the leaders agree that eliminating complexity in the software attack surface and eliminating vulnerabilities that are not exploitable are key to reducing threats. But a large percentage do not know which vulnerabilities actually pose risk and therefore can’t patch strategically.

Researchers asked 634 IT and security leaders to rate their organization’s concern about the growing software attack surface based on a scale of one (low concern) to 10 (high concern). More than 70% gave a rating of seven or higher, and 39% rated their organization’s concern as nine to 10. Conversely, only 13% gave ratings of four or lower.

Using the same scale, the researchers asked respondents to rate their organization’s effectiveness in having security coverage across the entire software development lifecycle (SDLC). More than half (57%) rated their organization six or lower, and about one in five rated it two or lower.

Many also didn’t rate their organizations highly in terms of their effectiveness in knowing their software attack surface, with more than half giving ratings of six or lower and about one quarter assigning ratings of two or lower. At the same time, a large majority of organizations consider it highly important to reduce the software attack surface.

One of the key shortfalls is the inability of security teams to prioritize vulnerabilities in order to address the most critical ones quickly. More than half of the respondents (53%) said it is important for their organization to focus on only those vulnerabilities that pose the most risk and not focus on remediating all vulnerabilities. And yet nearly the same number said their organization remediates all vulnerabilities because it doesn’t know which ones pose the most risk.

Why Do Vulnerability Backlogs Exist and What Can Be Done to Tame Them?

The inability to prioritize what needs to be fixed is the main reason vulnerability backlogs exist, according to 47% of the respondents.

Of those organizations that are prioritizing vulnerabilities, the Common Vulnerability Scoring System (CVSS) score is the most common method (30%). This is followed by ranking according to which exposed assets are the most important to the business, and then by a proprietary scoring metric.
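As an added illustration (not code from the report or from Rezilion's product), the script below contrasts a CVSS-only ordering with one that drops non-exploitable findings and weights the remaining scores by asset importance, which is the approach the survey respondents describe. The findings, identifiers, asset names and criticality scale are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str            # placeholder identifier, not a real CVE
    cvss: float             # CVSS base score, 0.0 to 10.0
    asset: str
    asset_criticality: int  # assumed scale: 1 (low business impact) .. 5 (crown jewel)
    exploitable: bool       # vulnerable code is actually loaded/reachable at runtime


def risk_score(f: Finding) -> float:
    """CVSS weighted by asset importance; non-exploitable findings contribute no risk."""
    if not f.exploitable:
        return 0.0
    return round(f.cvss * (f.asset_criticality / 5), 2)


def cvss_only_order(findings):
    """The naive backlog: everything, ordered purely by CVSS."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: -f.cvss)]


def prioritize(findings):
    """Return (work_queue, deferred): exploitable findings by descending risk, then the rest."""
    queue = sorted((f for f in findings if f.exploitable),
                   key=lambda f: (-risk_score(f), f.vuln_id))
    deferred = [f for f in findings if not f.exploitable]
    return queue, deferred


def backlog_reduction(findings) -> float:
    """Fraction of the backlog that can be deferred because it is not exploitable."""
    _, deferred = prioritize(findings)
    return len(deferred) / len(findings) if findings else 0.0


# Constructed sample backlog for the demonstration.
SAMPLE = [
    Finding("VULN-001", 9.8, "internal-build-runner", 1, False),  # critical CVSS, never reached
    Finding("VULN-002", 7.5, "payments-api", 5, True),
    Finding("VULN-003", 9.1, "marketing-site", 2, True),
    Finding("VULN-004", 5.3, "payments-api", 5, True),
    Finding("VULN-005", 8.8, "dev-sandbox", 1, False),
]

if __name__ == "__main__":
    print("CVSS only :", cvss_only_order(SAMPLE))
    queue, deferred = prioritize(SAMPLE)
    print("work queue:", [(f.vuln_id, risk_score(f)) for f in queue])
    print("deferred  :", [f.vuln_id for f in deferred], f"({backlog_reduction(SAMPLE):.0%} of backlog)")
```

With the sample data the CVSS-only list puts two unreachable findings at the top, while the contextual queue leads with the payments API and defers 40% of the backlog.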

The key to successful prioritization, as with other elements of vulnerability management such as patching and reporting, is to automate the process. The Ponemon survey shows that just under half the organizations are doing this.

That number should be a lot higher, because security teams and developers need automation to make their remediation efforts more timely and efficient. Consider that, on average, nearly two thirds of organizations take at least 21 minutes to prioritize one vulnerability in development, and 77% of organizations take at least 21 minutes to prioritize one vulnerability in production.

Automation can dramatically decrease the time it takes to determine which vulnerabilities are the biggest risk to an organization, so teams can remediate them quickly. Finding an effective automation platform to automate prioritization should be a major component of every vulnerability management strategy.

Download a copy of the report today to understand more about the current landscape of vulnerability management in DevSecOps. Ready to explore the solution? Book a private demo meeting today to learn how Rezilion helps teams address backlogs quickly, seamlessly and without disruption to productivity.
