Your backlog of vulnerabilities could be in the thousands

Sheila Zabeu

September 19, 2022

Can you say how many vulnerabilities are threatening your IT environment today? Would it alarm you to learn that two-thirds (66%) of security leaders report a backlog of more than 100,000 identified vulnerabilities, and that the average backlog holds 1.1 million, according to a survey released by Rezilion and the Ponemon Institute?

And that is not all: 54% of respondents said they were able to fix less than half of the vulnerabilities in their backlog. Most (78%) said high-risk vulnerabilities took more than three weeks to remediate, and 29% reported delays of more than five weeks.

As if the risk itself were not enough, thousands of hours of productivity are also being lost to handling this backlog ineffectively. “We believe these figures highlight the challenges organisations face in managing the growing backlog of vulnerabilities. On average, 1.1 million individual vulnerabilities have been on this backlog in the past 12 months, and less than half have been fixed. Automation, according to the IT security professionals who participated in our study, can make a big difference in the time it takes to remediate vulnerabilities,” comments Larry Ponemon, president of the Ponemon Institute.

[Figure: Rezilion/Ponemon Institute research. Source: Ponemon Institute]

Respondents cited several factors that make remediation difficult: the inability to prioritise vulnerabilities (47%), a lack of information about the threats that exploit them (45%), a lack of effective tools (43%) and a lack of resources (38%). More than a quarter (28%) also said that remediation is simply a time-consuming process.

The survey put numbers on that cost. In production environments, 77% of respondents took more than 21 minutes to detect, prioritise and fix a single vulnerability. In development environments, about 80% of organisations spent more than 16 minutes just to detect a vulnerability; prioritisation and remediation are slow as well: prioritising a vulnerability took more than 16 minutes for 85% of respondents, and remediating it took more than 21 minutes for 82%.

“This represents a huge loss of time and money just trying to reduce the enormous vulnerability backlogs that organisations have,” says Liran Tancman, CEO of Rezilion, which sponsored the study.

Organisations are slightly more effective at prioritising the most critical vulnerabilities than they are at fixing them. Common Vulnerability Scoring System (CVSS) scores are the primary prioritisation method, followed by proprietary scoring and assessment of exposed critical assets (23% of responses each).

[Figure: primary method for prioritising vulnerabilities. Source: Ponemon Institute]

Overall, most respondents said it is very difficult (36%) or difficult (25%) to fix vulnerabilities in applications, but tools and strategies can help. A majority (56%) said that automated patching processes bring benefits; asked what those benefits are, 43% pointed to a significant reduction in reaction time.

“We now have the data to track how much time vulnerabilities are stealing from teams across the software development cycle and we know it’s a process that’s not working effectively. Backlogs cannot continue to be handled this way because they widen the attack window for malicious actors who often exploit unpatched vulnerabilities. Security teams and developers need prioritisation and automation tools to make their efforts more effective,” says Tancman.

Recommendations for relieving pressure

This backlog of reported vulnerabilities gives a sense of the pressure organisations are under to fix them in a timely manner. Gartner recommends that organisations be prepared to make emergency fixes within hours of a vulnerability being announced or a patch being released, while also investing heavily in mitigation measures and continuing to mature their non-emergency patching processes.

In broad terms, there are four recommended practices for making remediation more effective:

1. Align vulnerability management with risk appetite – Each organisation has its own methods and its own speed at which it can act. This depends partly on the company’s operational risk appetite and partly on its IT resources and tolerance for downtime.

2. Prioritise vulnerabilities based on risk – Prioritisation must be multi-faceted and risk-based, taking into account the severity of the flaw, observed activity by malicious actors, the business criticality of the affected asset and its exposure to threats.

3. Combine compensating controls and remediation – This reduces the attack surface more efficiently and with less impact on operations. In other words, patching is not everything: where a fix cannot be applied quickly, other controls can close off the path to the flaw.

4. Use automation to analyse vulnerabilities – Review the tools currently in use and make sure they cover current asset types such as cloud, containers and cyber-physical systems.
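The survey's finding that CVSS is the primary prioritisation method, and practice 2 above, are best seen side by side. The following is an added example, not code from the article, Rezilion, Ponemon or Gartner: it ranks a constructed backlog first by CVSS alone and then by a risk score that also weighs known exploitation, an EPSS-style exploitation probability, asset criticality and internet exposure, and maps the result to a remediation deadline in the spirit of practice 1. The weights, thresholds, finding identifiers and SLA tiers are illustrative assumptions, not a standard.

```python
"""
Risk-based vulnerability prioritisation (added example, not the article's code).

Assumptions (all illustrative, not a standard):
  - risk_score() weights are hypothetical; tune to your own risk appetite.
  - Finding IDs such as "F-001" are constructed placeholders, not real advisories.
  - In a real programme, cvss/exploited/epss come from your scanner and a
    threat feed (KEV/EPSS-like), and criticality/exposure from a CMDB.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Finding:
    id: str             # scanner's finding identifier (constructed placeholder)
    asset: str          # affected asset
    cvss: float         # CVSS base score, 0.0 - 10.0
    exploited: bool     # known active exploitation reported by a threat feed
    epss: float         # estimated probability of exploitation, 0.0 - 1.0
    criticality: int    # business criticality of the asset, 1 (low) .. 5 (crown jewel)
    internet_facing: bool


# Constructed sample backlog for the example.
BACKLOG: List[Finding] = [
    Finding("F-001", "build-runner-07", 9.8, False, 0.02, 1, False),
    Finding("F-002", "payments-api", 7.5, True, 0.60, 5, True),
    Finding("F-003", "intranet-wiki", 8.1, False, 0.05, 2, False),
    Finding("F-004", "customer-portal", 6.5, False, 0.45, 4, True),
]


def risk_score(f: Finding) -> float:
    """Combine severity, threat activity, business impact and exposure into 0..100.

    Multiplicative so that a flaw on an unimportant, unreachable asset cannot
    outrank an actively exploited one on a critical, exposed asset, whatever
    its CVSS base score says.  Weights are assumptions for illustration.
    """
    severity = f.cvss / 10.0                      # 0..1
    threat = 1.0 if f.exploited else f.epss       # confirmed exploitation dominates
    impact = f.criticality / 5.0                  # 0.2..1
    exposure = 1.0 if f.internet_facing else 0.4  # internal-only assets are harder to reach
    # Threat term has a floor of 0.5 so a severe flaw with no observed
    # exploitation still keeps roughly half its weight.
    return round(100 * severity * (0.5 + 0.5 * threat) * impact * exposure, 1)


def sla_days(score: float) -> int:
    """Map a risk score to a remediation deadline (hypothetical SLA tiers)."""
    if score >= 50:
        return 3      # emergency: patch or mitigate within days
    if score >= 20:
        return 21     # high: inside the three-week window the survey discusses
    if score >= 10:
        return 45
    return 90


def rank_by_cvss(backlog: List[Finding]) -> List[Finding]:
    """The 'CVSS only' ordering most survey respondents use."""
    return sorted(backlog, key=lambda f: f.cvss, reverse=True)


def rank_by_risk(backlog: List[Finding]) -> List[Finding]:
    """Risk-based ordering per practice 2."""
    return sorted(backlog, key=risk_score, reverse=True)


def triage(backlog: List[Finding]) -> List[Tuple[str, float, int]]:
    """Return (finding id, risk score, SLA days) in risk order."""
    return [(f.id, risk_score(f), sla_days(risk_score(f))) for f in rank_by_risk(backlog)]


if __name__ == "__main__":
    print("CVSS-only order:", [f.id for f in rank_by_cvss(BACKLOG)])
    print("Risk-based order:")
    for fid, score, days in triage(BACKLOG):
        print(f"  {fid}  score={score:5.1f}  fix within {days} days")
```

With the constructed backlog, CVSS alone puts the 9.8 on an internal build runner first and the payments API third; the risk ordering puts the actively exploited, internet-facing payments API first with a three-day deadline and pushes the build runner to the bottom of the list. The choice of weights is where practice 1 comes in: an organisation with a lower risk appetite would raise the floor on the threat term or tighten the SLA tiers.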