"DevSecOps Overwhelmed by Backlogs, Significant Time and Money Being Lost to Vulnerability Management"

A new report from the vulnerability management platform Rezilion and the Ponemon Institute finds that vulnerability backlogs are overwhelming DevSecOps teams, with nearly half of survey participants reporting backlogs of 100,000 to 1.1 million vulnerabilities. A little more than half of the firms say they have been able to clear less than half of these backlogs. Over 16,500 IT leaders and experts from organizations that have either implemented DevSecOps or are in the process of adopting a DevSecOps approach participated in the "The State of Vulnerability Management in DevSecOps" study.

Findings indicate that vulnerability management backlogs are enormous and are not shrinking. Of the study participants, 66 percent have at least 100,000 vulnerabilities in their backlog, 25 percent have more than a million, and 8 percent have more than five million. About 47 percent say that in the last year they identified vulnerable applications but did not remediate them. On average, organizations are now satisfied if they can mitigate just 29 percent of their vulnerabilities.

Response time is another significant vulnerability management issue. In production, 77 percent of respondents say it takes more than 21 minutes to detect and remediate each individual vulnerability; in development, 80 percent say it takes at least 16 minutes each time. Organizations name a lack of appropriate security tools as the most pressing issue, followed by an inability to integrate workflows and the need to address an already massive vulnerability backlog. Only slightly more than half of respondents believe their teams are aligned in their understanding of overall security posture and responsibilities. This article continues to discuss key findings from the new report on the state of vulnerability management in DevSecOps.

CPO Magazine reports "DevSecOps Overwhelmed by Backlogs, Significant Time and Money Being Lost to Vulnerability Management"
