How to Improve Vulnerability Management in the SDLC 

Organizations face major challenges with vulnerabilities throughout the software development lifecycle (SDLC). According to a new Ponemon Institute survey commissioned by Rezilion, many still spend significant time identifying and prioritizing a single vulnerability, in both development and production, which suggests there is considerable room to improve vulnerability management.

Nearly half (47%) of respondents said it takes, on average, more than 30 minutes to detect a production vulnerability, and 26% said it takes more than 30 minutes to detect a vulnerability in development.

Vulnerability management capabilities are lacking

Respondents were asked to rate on a scale of one to ten how effective their organization is at prioritizing the most critical vulnerabilities. Only 29% said their organization is very effective at doing this.

Using the same one-to-10 scale, only 30% said their organization is effective at patching vulnerabilities in a timely manner.

Prioritizing and fixing vulnerabilities is a struggle

Forty percent of respondents say it takes an average of more than 30 minutes to prioritize a development vulnerability.

Slightly fewer (36%) said it takes an average of more than 30 minutes to prioritize a production vulnerability, and 41% said it takes between 21 and 30 minutes.

When it comes to fixing a vulnerability in development, 45% said it takes between 21 and 30 minutes, while 37% said it takes more than 30 minutes.

For a production vulnerability, 45% of respondents said it takes, on average, more than 30 minutes to fix, while 32% said it takes between 21 and 30 minutes.

The survey also broke down how long IT/infrastructure engineers and vulnerability management teams take to detect, prioritize and remediate a single vulnerability.

32% of respondents said it takes IT/infrastructure engineers an average of five to 10 minutes to identify a vulnerability, while 25% said it takes less than five minutes.

For vulnerability management teams, 33% said detection takes an average of five to 10 minutes, while 32% said it takes less than five minutes.

When it comes to IT/infrastructure engineers prioritizing a vulnerability, 26% said it takes more than 30 minutes, while 23% said it takes between 21 and 30 minutes.

For vulnerability management teams prioritizing a vulnerability, 32% said it takes less than five minutes, while 24% said it takes between five and 10 minutes.

When it comes to IT/infrastructure engineers remediating a vulnerability, 39% said it takes an average of five to 10 minutes, while 21% said it takes less than five minutes.

33% said it takes vulnerability management teams an average of 11 to 15 minutes to remediate a vulnerability.

Respondents were also asked “How long does it take, on average, when you discover a critical or high-risk vulnerability in your environment?”; 13% said nine weeks.

Automation is key to improving vulnerability management in the SDLC

About 65% of respondents said the ability to test as part of the normal workflow, rather than stopping development to test, fix and restart, is either important or very important.

Close behind, 61% said automating vulnerability scans and remediation at every stage of the SDLC is either important or very important.

Automation is clearly taking hold. When asked “Does your organization use automation to help with vulnerability management?”, 56% answered “Yes”.

Those who answered yes were asked the follow-up question, “What steps do you automate?” The most common answers were patching (59%), prioritization (47%) and reporting (41%).
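As an added illustration of what automating the prioritization and reporting steps mentioned above can look like in a pipeline, the script below ranks scanner findings and gates a CI stage on the result. It is example code written for this page, not code from the original post or from Rezilion; the finding fields, the scoring weights, the per-stage thresholds and the sample findings are all assumptions constructed for illustration, and the identifiers are placeholders rather than real CVEs.

```python
"""Rank vulnerability-scanner findings and gate a CI stage on the result.

Added example, not Rezilion's code. Every weight, threshold and field name
here is an assumption chosen to illustrate the idea, not an industry standard.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    id: str                       # placeholder identifier, not a real CVE
    package: str
    installed: str
    fixed_version: Optional[str]  # None means no patched release exists yet
    cvss: float                   # base score, 0.0 to 10.0
    known_exploited: bool         # assumed input flag: exploitation seen in the wild
    reachable: bool               # assumed input flag: vulnerable code is callable from the app


# Constructed sample findings, shaped like what a dependency scanner might emit.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("VULN-1", "libfoo", "1.2.0", "1.2.5", 9.8, True, True),
    Finding("VULN-2", "libbar", "2.0.1", None, 9.1, False, True),
    Finding("VULN-3", "libbaz", "0.9.0", "1.0.0", 7.5, False, False),
    Finding("VULN-4", "libfoo", "1.2.0", "1.2.3", 6.5, True, True),
    Finding("VULN-5", "libqux", "3.1.0", "3.1.1", 8.8, False, False),
]


def priority_score(f: Finding) -> float:
    """Severity plus evidence that the finding matters in this environment.

    Exploitation in the wild outweighs a high but theoretical CVSS, and code
    that is never executed is ranked down rather than ignored.
    """
    score = f.cvss
    if f.known_exploited:
        score += 3.0
    score += 2.0 if f.reachable else -2.0
    return max(0.0, min(score, 15.0))


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest priority first, so a reviewer reads the worst item at the top."""
    return sorted(findings, key=priority_score, reverse=True)


# Assumed policy: the build stage blocks only on the very worst findings, the
# deploy stage is stricter. Both block only on actionable findings (a fixed
# version exists) so a scan never stalls a developer on something unfixable.
STAGE_THRESHOLDS: Dict[str, float] = {"build": 12.0, "deploy": 8.0}


def gate(findings: List[Finding], stage: str) -> Tuple[bool, List[Finding], List[Finding]]:
    """Return (passed, blocking, advisory) for the given pipeline stage."""
    threshold = STAGE_THRESHOLDS[stage]
    blocking: List[Finding] = []
    advisory: List[Finding] = []
    for f in prioritize(findings):
        if priority_score(f) >= threshold:
            (blocking if f.fixed_version else advisory).append(f)
    return (not blocking, blocking, advisory)


def _version_key(v: str) -> Tuple[int, ...]:
    """Numeric sort key for dotted versions like '1.2.5' (assumes that format)."""
    return tuple(int(part) for part in v.split("."))


def remediation_plan(findings: List[Finding]) -> Dict[str, str]:
    """Map each package to the lowest version that clears all of its findings."""
    plan: Dict[str, str] = {}
    for f in findings:
        if f.fixed_version is None:
            continue
        current = plan.get(f.package)
        if current is None or _version_key(f.fixed_version) > _version_key(current):
            plan[f.package] = f.fixed_version
    return plan


def render_report(findings: List[Finding], stage: str) -> str:
    """Plain-text summary suitable for a CI log or a ticket body."""
    passed, blocking, advisory = gate(findings, stage)
    lines = [f"stage={stage} result={'PASS' if passed else 'FAIL'}"]
    for f in blocking:
        lines.append(f"BLOCK {f.id} {f.package} {f.installed} -> {f.fixed_version} "
                     f"score={priority_score(f):.1f}")
    for f in advisory:
        lines.append(f"WARN  {f.id} {f.package} {f.installed} (no fix available) "
                     f"score={priority_score(f):.1f}")
    for pkg, ver in remediation_plan(blocking).items():
        lines.append(f"UPGRADE {pkg} to {ver}")
    return "\n".join(lines)


if __name__ == "__main__":
    for stage_name in STAGE_THRESHOLDS:
        print(render_report(SAMPLE_FINDINGS, stage_name))
        print()
```

The two design choices worth noting are that the gate fails only on findings that are both high priority and actually fixable, so developers are not blocked on a vulnerability with no patched release, and that two findings in the same package collapse into one upgrade target, which is what turns a prioritized list into a remediation step rather than a pile of tickets.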

When asked “How has automation affected the time it takes to remediate vulnerabilities?”, 43% said it has significantly reduced response time.

The Ponemon Institute surveyed 634 IT and IT security professionals who are knowledgeable about their organizations’ attack surface and the effectiveness of managing vulnerabilities. Read the full report, The State of Vulnerability Management in DevSecOps, today.

How to Improve Vulnerability Management in the SDLC was first published on Rezilion.

*** This is a syndicated blog from Rezilion’s Security Bloggers Network, written by Rezilion. Read the original post at: https://www.rezilion.com/blog/how-to-improve-vulnerability-management-in-the-sdlc/
