Vulnerability Management in DevSecOps
Something is wrong with the way many organizations are handling vulnerability management today. The sooner we acknowledge that the system is broken and fix it, the better.
Thousands of hours are lost each year to vulnerability backlog management due to a lack of prioritization and automation, according to a new study by independent research and education firm Ponemon Institute and Rezilion. Many are seeing backlogs of more than 100,000 vulnerabilities that contain critical risks, but these bugs are too time-consuming to address properly.
What’s more, a lot of organizations are struggling to adopt and maintain the DevSecOps model, which is a key element of effective software security.
This white paper examines some of the vulnerability management struggles that organizations are experiencing and suggests how they can enhance this important component of cybersecurity.
Why Vulnerability Management Isn’t Working
For many organizations, the process of managing software vulnerabilities is simply broken. The process doesn’t enable security teams to properly and efficiently address the software flaws that, if exploited, can lead to major security attacks.
A survey of 634 IT and security leaders by Ponemon and Rezilionfound that organizations are losing thousands of hours in productivity dealing with enormous backlogs of vulnerabilities. They don’t have the time or resources to effectively tackle these flaws. Given the significant and growing gap of security skills, this problem will likely get worse.
Nearly half of survey respondents (47%) said they have backlogs of applications that have been identified as vulnerable. Two-thirds (66%) said their backlogs consist of more than 100,000 vulnerabilities, and 54% reported that they were able to patch less than 50% of the vulnerabilities in the backlogs.
As a result, a majority of respondents (78%) said high-risk vulnerabilities in their environments are taking longer than three weeks to patch. Nearly 30% said it takes them longer than five weeks to patch software bugs. For about half of the organizations, vulnerability patching is delayed because tracking vulnerabilities is difficult. For 49% of respondents, the inability to take critical applications and systems offline so that they can be patched quickly is another challenge.
On average, 1.1 million individual vulnerabilities were in the backlogs in the past 12 months, and an average of 46% were remediated. Respondents said their organizations would be satisfied if 29% of vulnerabilities in a year were remediated.
This is all a stunning state of affairs, and it’s putting a lot of organizations at high risk. Many of the software vulnerabilities they are failing to fix can be ultimately exploited by cybercriminals and other bad actors, leading to significant, damaging attacks. These incidents can impact not only the primary targets but potentially their supply chain partners and customers as well.
Many factors create challenges for organizations as they attempt to address the vulnerability backlogs. Chief among these is the inability to prioritize what needs to be fixed, cited by 47% of respondents. Other reasons include not having enough information about risks that would exploit vulnerabilities (45%), lack of effective tools (43%), lack of resources (38%), and the fact that addressing the backlog is too time-consuming (28%).
Organizations are expending costly, productivity-draining hours trying to deal with the massive backlogs — in terms of both the production and development sides of software applications. For example, 77% of respondents said it takes 21 minutes or longer to detect, prioritize, and remediate just a single vulnerability in production. That represents more than an hour spent on one vulnerability on the production side.
A majority of respondents said their organizations spend 16 minutes or longer to detect just one vulnerability in development, and about one-quarter take more than 30 minutes on average to detect a single vulnerability in development.
Prioritizing and remediating vulnerabilities also take a long time for many organizations. On average, about two-thirds of respondents take at least 16 minutes to prioritize one vulnerability in development, and 40% take more than 30 minutes. Only 7% take 10 minutes or less to achieve this.
Organizations are doing even worse in prioritizing vulnerabilities in production, with 85% saying it takes 16 minutes or longer to prioritize one vulnerability in production and more than one-third saying it takes longer than 30 minutes.
Remediation is also a struggle. A huge majority of survey respondents (94%) said it takes on average 16 minutes or longer to remediate one vulnerability in development. Eighty-five percent said it takes 16 minutes or longer to remediate one vulnerability in production, while 45% said that process takes more than 30 minutes.
This adds up to an enormous amount of time and money lost just trying to get through vulnerability backlogs. Not surprisingly, 61% of respondents said it’s very difficult or difficult to remediate vulnerabilities in applications.
At the same time, many enterprises are struggling to make the most of DevSecOps, a key component for ensuring secure software development. The research defines DevSecOps as the automation of the integration of security at every phase of the software development life cycle — from initial design through integration, testing, deployment, and software delivery.
DevSecOps is an offshoot of DevOps, an approach based on lean and agile principles to quickly deliver software that enables organizations to rapidly seize market opportunities.
All organizations in the study have either adopted the DevSecOps approach or are in the process of doing so. The two main reasons for adopting DevSecOps are to improve the collaboration between development, security, and operations (cited by 45%) and to reduce the time to patch vulnerabilities (45%).
Other reasons are to automate the delivery of secure software without slowing the software development cycle, to eliminate duplicative review and unnecessary rebuilds, and to reduce the cost and time to fix the code.
Many are facing obstacles to optimizing their use of the model, however. The lack of the right security tools was the most commonly cited barrier to having a fully effective DevSecOps, as mentioned by 54%. Other challenges are a lack of workflow integration, the growing vulnerability backlogs, and the increase of application security vulnerabilities.
A Better Approach, Focused on Automation and DevSecOps
The research makes it clear that it’s not possible to effectively manage a vulnerability backlog without the right tools and strategies to automate the processes of detection, prioritization, and remediation. Security and development teams need automation to make their remediation efforts timelier and more efficient.
Automation within vulnerability management is proving to be successful. For example, more than half of survey respondents (56%) said their organizations use automation for vulnerability remediation, and most of those that do said it has yielded significant benefits.
Of the respondents whose organizations are using automation, 59% automate patching, 47% automate prioritization, and 41% automate reporting. Each week, IT security teams at these organizations spend most of their time remediating vulnerabilities. When asked how automation has affected the time it takes to do so, 43% said there was a significantly shorter response time.
Certain features are important to creating secure software. Sixty-five percent of respondents said the ability to perform tests as part of the workflow instead of stopping, testing, fixing, and restarting development is very important, and 61% said automating vulnerability, scanning, and remediation at every stage of the software development life cycle is very important.
It’s crucial that organizations apply automation to the prioritization of vulnerabilities. Most security leaders agree that eliminating complexity in the software attack surface and downplaying vulnerabilities that are not exploitable are keys to reducing threats. But a large percentage don’t know which vulnerabilities actually pose risks, so they can’t patch strategically.
One of the key shortfalls among many organizations is the inability to prioritize vulnerabilities in order to address the most critical ones right away. More than half of respondents (53%) said it’s important for their organizations to focus on only those vulnerabilities that pose the greatest risk and not focus on remediating all vulnerabilities. But nearly the same number said their organizations remediate all vulnerabilities because they don’t know which ones pose the most risk.
This is where prioritization comes in, and the key to successful prioritization — as with the other elements of vulnerability management, such as patching and reporting — is to automate the process. The survey showed that just under half the organizations are doing this.
Security teams need to automate prioritization to make their remediation efforts timelier and more efficient. On average, nearly two-thirds of organizations said it takes at least 21 minutes to prioritize one vulnerability in development. Seventy-seven percent said it takes at least 21 minutes to prioritize one vulnerability in production.
Automating the process can significantly decrease the time it takes to determine which vulnerabilities are the biggest risks to an organization and enable teams to fix them more quickly. Finding an effective platform to automate prioritization must be a key component of the vulnerability management strategy.
Automation also applies to Dynamic Software Bill of Materials (SBOM), a list of components in a piece of software. Software vendors often create products by using open source and commercial components, and the Dynamic SBOM describes the components in the product so that developers and users can be assured that they are up to date.
Dynamic SBOMs are updated automatically whenever releases or changes occur. Forty-one percent of respondents said their organizations use Dynamic SBOMs, with risk assessment and regulation compliance as the top two features of their Dynamic SBOMs. Although 70% of respondents said continuous automatic updates are important or very important, only 47% said their Dynamic SBOMs feature this.
Deploying tools to automate SBOMs is an important component of any vulnerability management and software security strategy.
In addition to automation, a mature DevSecOps program needs to be a centerpiece of vulnerability management and the goal of creating more secure software. Organizations must take the necessary steps to advance their DevSecOps programs.
Only 29% of respondents said their DevSecOps had reached the mature stage — defined as DevOps having been fully transitioned into DevSecOps and security having been integrated at every phase of the software development life cycle. Nearly one-third of the organizations said they were in the early stage of just starting to plan a DevSecOps approach.
As the report notes, “At the heart of having a successful vulnerability management program is alignment between DevSecOps and the development team in being able to achieve both innovation and security when delivering products.”
A big part of the DevSecOps mindset is aligning the various groups in the organization on security. More than half of respondents said their development engineers, product security teams, and compliance teams are aligned to understand their organizations’ security posture and each other’s area of responsibilities to deliver secure products.
As threats continue to grow, organizations need to take steps — such as automated vulnerability management and greater DevSecOps maturity — to enhance their security. Clearly, the attack surface is expanding. A majority of respondents said their organizations are very concerned or highly concerned about risks created by the growing software attack surface.
Despite these concerns, however, most organizations are not effective in knowing the attack surface or securing it, with only 45% of respondents saying they are effective in this area.
The Time for Improvement Is Now
As the Ponemon-Rezilion research bears out, the current state of vulnerability management at many organizations is inadequate.
The backlogs in patching and failure to find and remediate software vulnerabilities leave enterprises at risk for potential security breaches that can cost millions of dollars in lost or stolen data, business downtime, and other negative impacts.
Eliminating exploitable vulnerabilities is a key step to safeguarding the attack surface and improving software security. The way to do this is by automating every stage of vulnerability management, which speeds up processes considerably and enables security and development teams to produce software quickly and securely.
Combined with DevSecOps and the use of Dynamic SBOMs, organizations can put themselves in the best possible positions to address vulnerabilities in a cost-efficient, effective manner.