"Backlogs Larger Than 100K+ Vulnerabilities but Too Time-Consuming to Address"
A report titled "The State of Vulnerability Management in DevSecOps," released by Rezilion and the Ponemon Institute, reveals that organizations are losing thousands of hours of time and productivity to a massive backlog of vulnerabilities. Of the security leaders surveyed, 47 percent report having a backlog of applications that have been identified as vulnerable. Among those with such a backlog, 66 percent report that it contains more than 100,000 vulnerabilities, and 54 percent report having patched less than 50 percent of the vulnerabilities in it. Further, 78 percent of respondents say high-risk vulnerabilities in their environment take more than three weeks to patch, and 29 percent say it takes more than five weeks. The factors preventing teams from remediating include the inability to prioritize what needs to be fixed (47 percent), a lack of effective tools (43 percent), a lack of resources (38 percent), and a lack of information about the risks that would exploit vulnerabilities (45 percent). Of the respondents, 77 percent say it takes more than 21 minutes to detect, prioritize, and remediate a single vulnerability in production, which equates to more than an hour spent on a single vulnerability on the production side. On the development side, over 80 percent of organizations spend more than 16 minutes detecting a single vulnerability. Prioritization and remediation times are also lengthy: 82 percent of respondents report that it takes more than 21 minutes to remediate one development vulnerability, and 85 percent report that it takes more than 16 minutes to prioritize one vulnerability in development. This article continues to discuss key findings from the report on vulnerability management in DevSecOps.