Content, Content

Patch Management Failure: Why Known Vulnerabilities Remain Wide Open

What makes security pros so anxious about application security, asks Veracode in the ninth iteration of its State of Software Security report?

“The most important function of an application security program is how effectively flaws are fixed once they are discovered,” the report said. “There is no way to sugar coat it: the sheer volume of flaws and percentage of vulnerable apps remain staggeringly high.”

As we have seen with most high profile security breaches, not patching a new flaw quickly can lead to a data disaster down the road. Indeed, Veracode's research reveals that more than 70 percent of discovered vulnerabilities remain active one month later and some 55 percent are still unpatched three months down the road. It also concluded that DevSecOps unicorns do exist, and they’re fixing flaws 11.5 times faster than the typical organization.

In considering the overall landscape of software security, there’s obvious room for improvement in application security, Veracode said. For example, the rate of Open Web Application Security Project (OWASP) compliance declined for the third year in a row, with OWASP Top 10 initial scan pass rates at 22.5 percent. In addition, roughly 85 percent of all applications have at least one vulnerability and more than 13 percent have at least one very serious flaw.

Here’s some data from the report:

  • One week after first discovery, organizations close out only about 15 percent of vulnerabilities. In the first month, that closure reaches just under 30 percent. By the three-month mark, organizations close less than half (45 percent) of all flaws. It takes 16 months (472 days) to close 75 percent of vulnerabilities.
  • It took organizations an average of 604 days to close 75 percent of low severity flaws.
  • 1 in 4 high and very high severity flaws are not addressed within 290 days of discovery.
  • Flaws persist 3.5x longer in applications only scanned 1 to 3 times per year compared to ones tested 7 to 12 times per year.
  • Infrastructure, manufacturing, and financial industries have the hardest time fully addressing found flaws.
  • The majority of applications suffered from information leakage (67 percent), cryptographic problems (64 percent), poor code quality (63 percent), and CRLF (carriage return line feed or HTTP response splitting) injection (60 percent). SQL injection flaws are still present in 28 percent of applications. Cross site scripting (XSS) vulnerabilities are found in 49 percent of applications.
  • Mitigation/remediation: 52 percent of flaws are fixed, while 44 percent are unresolved and 4 percent are mitigated.
  • Companies in the Asia Pacific region patch 25 percent of bugs within an average of eight days, followed by the Americas in 22 days, and 28 days for organizations in Europe and the Middle East.
  • This year's close rates improved by 12 percent as customers closed almost 70 percent of vulnerabilities they found.

“Contrary to what some security staffers might believe, developers simply can’t wave a magic wand over the portfolio to fix the majority of flaws in an instant, or even in a week,” said Chris Eng, VP of research at Veracode, in the report. “However, our data presents hopeful glimpses at potential prioritizations and software development methods that could help organizations reduce risk more quickly,” he said. “This year’s analysis shows a very strong correlation between high rates of security scanning and lower long-term application risks, which we believe presents a significant piece of evidence for the efficacy of DevSecOps.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.