Vulnerability Management

Why does it take so long for security teams to remediate vulnerabilities?

Remediation gap

Recent analysis of about 1,000 companies found that just 13% of the vulnerabilities observed were remediated, and that it took security teams an average of 271 days to address them.

Organizations are racing to remediate thousands of vulnerabilities each month, yet the growing backlog now outstrips their ability to keep pace. With threat actors looking for any weakness to exploit, this backlog of un-remediated vulnerabilities poses a serious security risk.

An overwhelming majority of IT and security leaders tell us their portfolios of applications have become more vulnerable to attack over the past year. Combine that with the reality that open-source code is used in 70% to 90% of the applications driving the digital world today, and the continuous proliferation of open-source vulnerabilities becomes a challenge we can’t ignore.

So to shrink this remediation gap, we must first understand what’s behind the disconnect. The widening gap has been driven by a number of important elements, including a lack of time and resources, and the need to balance security risk and functional risk.

Balance security and functional risk

Companies need to keep applications secure and functional, a balancing act that’s often very difficult. Most teams aren’t updating the software they use often enough, especially when we consider that nearly all known vulnerabilities have a fix and those almost always come in the form of a new release. Yet, the longer teams go without updating their software, the harder it becomes to update later without creating harm.

Consider the teenager who doesn’t clean their room for six months. While the same amount of junk might accumulate during this time period, the time and effort required to dig out becomes monumental compared to keeping up on a weekly basis. Teams that are better at avoiding technology debt do a better job of keeping software versions updated, which ultimately lessens the burden, and risk. Regular updates ensure that teams are auto-applying fixes before vulnerabilities are even detected. Moreover, when a major issue arises, such as the Log4j vulnerability in December 2021, it’s easier to address quickly.

Not all apps are created equal

It’s fairly obvious that software built 10 years ago performs differently from software developed today. While we tend to focus on the latest developments, older versions of software, even though no longer updated, remain in use by a substantial number of customers. The risks and vulnerabilities in that software remain too, putting them and the publisher at risk. Yet, supporting old software becomes tedious and expensive, taking precious time and resources away from new development driving business value. So, remediating old software vulnerabilities remains under-resourced, undervalued, and a long-term prospect.

Three ways to shrink the gap

Because every app has its own unique functionality, and a breach of each would carry different implications, it’s important to assess the risk of each application individually. Understanding the risk profile of each application lets teams identify and prioritize those that are tied to sensitive data or critical to meeting and maintaining compliance with regulatory requirements. By understanding application functionality, security teams can more effectively prioritize remediation by application risk.

Next, teams need to prioritize the flaws that present the most risk. Generic severity rankings of dangerous vulnerabilities are helpful, but the same ranking can land differently in the context of a single application. Teams should treat rankings as a starting point and expect that large chunks of “critical” vulnerabilities get downgraded when viewed through the lens of a specific application. Prioritize remediation by which actions remove the most risk and how much effort each takes, so that the effort spent has the greatest impact. For example, many attack chains leverage medium-severity vulnerabilities, so it’s a better use of time and effort to address more of those than to focus on one or two severe vulnerabilities that are targeted less frequently.

Finally, prioritize and automate remediation of new applications first. Unpatched vulnerabilities are a leading cause behind the majority of cyberattacks, with recent research revealing that patchable external vulnerabilities were behind 82% of cyberattacks during the first half of 2022. At the same time, teams should start tackling flaws in older software so that patchable external vulnerabilities don’t make their organization another incident statistic. And if teams automate software updates in newer versions now, they reduce the risk to customers tomorrow and years down the road.
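The three steps above can be carried out as a simple, repeatable ranking: weight each finding by the risk profile of the application it sits in, group findings by the release upgrade or hotfix that closes them (one upgrade usually closes several findings at once), and rank those actions by contextual risk removed per hour of effort. The script below is an added example written for this article, not code from the author or from Mend; the severity weights, the risk multiplier, the application inventory and the findings are all constructed assumptions, chosen to show how three medium-severity findings in an exposed, regulated application can outrank a single "critical" in an internal tool.

```python
"""Risk-adjusted remediation prioritisation (constructed example).

Findings are weighted by the application's risk profile, grouped by the
action (release upgrade / hotfix) that closes them, and the actions are
ranked by contextual risk removed per hour of effort.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed weights for the scanner's generic severity ranking (the starting point only).
SEVERITY_WEIGHT = {"critical": 10.0, "high": 7.0, "medium": 4.0, "low": 1.0}


@dataclass(frozen=True)
class Application:
    name: str
    internet_facing: bool
    sensitive_data: bool   # handles PII, payment or health data
    regulated: bool        # in scope for a compliance regime

    def risk_multiplier(self) -> float:
        """Assumed contextual weight: an exposed, data-rich, regulated app
        makes the same flaw matter more than it does in an internal tool."""
        m = 1.0
        if self.internet_facing:
            m += 1.0
        if self.sensitive_data:
            m += 1.0
        if self.regulated:
            m += 0.5
        return m


@dataclass(frozen=True)
class Action:
    action_id: str
    app: str
    description: str
    effort_hours: float    # estimated effort to apply the upgrade or hotfix


@dataclass(frozen=True)
class Finding:
    finding_id: str
    app: str
    severity: str          # generic ranking from the scanner or vendor
    action_id: str         # the action that closes this finding


def contextual_score(finding, apps):
    """Generic severity scaled by the risk profile of the hosting application."""
    return SEVERITY_WEIGHT[finding.severity] * apps[finding.app].risk_multiplier()


def rank_actions(apps, actions, findings):
    """Group findings by closing action; rank actions by risk removed per hour."""
    closes = defaultdict(list)
    for f in findings:
        closes[f.action_id].append(f)
    ranked = []
    for a in actions:
        removed = sum(contextual_score(f, apps) for f in closes[a.action_id])
        ranked.append({
            "action_id": a.action_id,
            "app": a.app,
            "description": a.description,
            "effort_hours": a.effort_hours,
            "findings": sorted(f.finding_id for f in closes[a.action_id]),
            "risk_removed": removed,
            "risk_per_hour": removed / a.effort_hours,
        })
    ranked.sort(key=lambda r: (-r["risk_per_hour"], r["action_id"]))
    return ranked


def schedule(ranked, budget_hours):
    """Greedily pick ranked actions that fit the budget. Returns the chosen
    action ids, hours spent, and the share of total contextual risk removed."""
    total = sum(r["risk_removed"] for r in ranked)
    chosen, spent, removed = [], 0.0, 0.0
    for r in ranked:
        if spent + r["effort_hours"] <= budget_hours:
            chosen.append(r["action_id"])
            spent += r["effort_hours"]
            removed += r["risk_removed"]
    return chosen, spent, (removed / total if total else 0.0)


# Constructed sample inventory: not real applications, releases or CVEs.
APPS = {a.name: a for a in [
    Application("checkout", internet_facing=True, sensitive_data=True, regulated=True),
    Application("reporting", internet_facing=False, sensitive_data=True, regulated=True),
    Application("intranet-wiki", internet_facing=False, sensitive_data=False, regulated=False),
]}
ACTIONS = [
    Action("A1", "checkout", "upgrade JSON parser dependency to current release", 4.0),
    Action("A2", "intranet-wiki", "major-version upgrade of image library (API changes)", 24.0),
    Action("A3", "reporting", "apply vendor hotfix release", 2.0),
]
FINDINGS = [
    Finding("F1", "checkout", "medium", "A1"),
    Finding("F2", "checkout", "medium", "A1"),
    Finding("F3", "checkout", "medium", "A1"),
    Finding("F4", "intranet-wiki", "critical", "A2"),
    Finding("F5", "reporting", "high", "A3"),
]

if __name__ == "__main__":
    ranked = rank_actions(APPS, ACTIONS, FINDINGS)
    for r in ranked:
        print(f"{r['action_id']} {r['app']:14} risk={r['risk_removed']:5.1f} "
              f"effort={r['effort_hours']:4.1f}h risk/h={r['risk_per_hour']:5.2f} closes {r['findings']}")
    chosen, spent, share = schedule(ranked, budget_hours=8.0)
    print(f"8h budget: {chosen} uses {spent:.1f}h and removes {share:.0%} of contextual risk")
```

With the constructed data, the four-hour dependency upgrade in `checkout` (three mediums) ranks first, the two-hour hotfix in `reporting` second, and the 24-hour major-version upgrade that closes the lone "critical" in the internal wiki last; an eight-hour budget spent in that order closes four of five findings and about 86% of the contextual risk. The multiplier and weights are deliberately simple so they can be replaced with an organisation's own application risk tiers.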

The right combination of people, process and tools is necessary to address this problem, and automation can ensure efficiency across the board. Closing the remediation gap requires companies to leverage automated prioritization and remediation tools and processes that target the vulnerabilities which will most impact systems and business.

Jeff Martin, vice president of products, Mend

Jeff Martin

Jeff has spent the last 20 years in Product roles helping both the organizations he worked for and their customers transform and measure their software risk management processes and practices. He especially enjoys cultural and mindset transformations for their ability to create lasting progress.
