Vulnerability Management Fatigue Fueled by Non-Exploitable Bugs

Software Vulnerabilities

Research shows that companies can have over 100,000 vulnerabilities in their systems, but 85% cannot realistically be exploited

Vulnerability management firm Rezilion commissioned Ponemon Institute to conduct research into the state of vulnerability management, given the known difficulties in timely patching and the continuous growth in the number of new vulnerabilities that need to be patched or otherwise mitigated.

“The survey (PDF) is based on responses from 634 IT and security practitioners, primarily based in North America,” Larry Ponemon, chairman of Ponemon Institute told SecurityWeek. “All of the respondents work in organizations that have an effective DevSecOps program in place. Technically, it has a margin of error of approximately 3.5%.”

One of his biggest concerns is that less than half of the respondents (47%) believe their development team ‘is able to deliver both an enhanced customer experience and secure applications’.

The problem may stem from one of the headline findings of the research: companies are faced with a backlog of 100,000 vulnerabilities within their systems. Not all are exploitable – in fact, 85% cannot, or cannot realistically, be exploited. Nevertheless, the 15,000 remaining vulnerabilities are a frightening number.

“The root cause of the problem,” suggested Liran Tancman, CEO at Rezilion, “is the time it takes to detect, prioritize and remediate each vulnerability. More than half of the respondents [actually 77%] said it takes 21 minutes for each one.”

If you do the math, it would take someone 430 days, working 12 hours every day, to clear this backlog even after filtering it down to just the exploitable vulnerabilities. And with more new vulnerabilities being reported every day, this is clearly an unsustainable approach.

The key takeaway from all the statistics uncovered by the research, suggests Tancman, is that respondents feel they lack adequate tooling to solve the problem, and the only real solution is automation.

“This is a significant loss of time and dollars spent just trying to get through the massive vulnerability backlogs that organizations possess,” he said. “If you have more than 100,000 vulnerabilities in a backlog, and consider the number of minutes that are spent manually detecting, prioritizing, and remediating these vulnerabilities, that represents thousands of hours spent on vulnerability backlog management each year. These numbers make it clear that it is impossible to effectively manage a backlog without the proper tools to automate detection, prioritization, and remediation.”

Simply relying on third party lists of critical vulnerabilities doesn’t solve the problem. Tancman gave the CISA KEV (known exploited vulnerabilities) list as an example. “Certainly, this is a great place to start,” he said. However, he added, “Take Log4J [CVE-2021-44228, included in the KEV list]. We hear from our customers they may have 10,000 incidences of Log4J, but only 100 are exploitable in their environment. You have them but the specific vulnerable function is not running.”

His point is that such vulnerability lists are a good place to start. “But then understanding what’s really executed in your environment versus what is just sitting there silent and not doing anything, is a way to filter the list.” He went on to mention ‘shadow software’ – software that exists in the system but is not detected by traditional scanners because of the way it’s packaged, causing further difficulties.

Software bills of materials (SBOMs) are a good place to start when examining what is included in an app. “But that’s limited,” he said. “For example, you won’t see things inside containers and, again, many times it’s nested. So, what we do in Rezilion is to look not only on the file system but also in memory. We see everything that is executed all the way to the function level. Even if it’s packaged in a peculiar manner, we will still see it.”

Rezilion’s automated vulnerability solution does three things. “The first one is we create a dynamic software bill of materials that you plug in to your environment and immediately see all the software you have,” said Tancman. “You can search on Log4J and immediately see where you have it.”

The second is vulnerability validation. “We use our runtime intelligence, our understanding of not only what you have, but what it’s actually doing and how it’s executing.” This generally shows that something like 85% of vulnerabilities don’t require fixing because, although you have them, they’re not attackable and they’re not exploitable.

“So, we take this 100,000 vulnerabilities backlog and make it a 15,000 backlog. Then we help with smart remediation. One thing we often see is that when you group those vulnerabilities by software components you can create strategies that just by touching 100 components, you are going to knock out 10,000 vulnerabilities. So, we create a smart remediation strategy that reduces the number of things you must do, and then we also help you apply it with automation. We automatically detect, prioritize and remediate those vulnerabilities. Today we can help reduce between 85% and 95% of the vulnerabilities in the backlog for every customer we see.”
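A constructed illustration of the triage described above (keep only findings whose vulnerable code actually executes, then group what is left by component so one fix clears many findings, and cost the remainder at the survey's 21 minutes per finding). This is an added example written for this article, not Rezilion's code; the component names, the reachability flags and the non-Log4j CVE ids are placeholders.

```python
"""Backlog triage: reachability filter, component grouping, effort estimate."""
from collections import defaultdict

# Constructed sample findings: (finding id, component, CVE id, reachable at runtime?)
# The Log4j ids are real; the CVE-EXAMPLE ids are placeholders, not real CVEs.
FINDINGS = [
    ("f1", "log4j-core", "CVE-2021-44228", True),
    ("f2", "log4j-core", "CVE-2021-44228", False),  # present on disk, never executed
    ("f3", "log4j-core", "CVE-2021-45046", True),
    ("f4", "openssl", "CVE-EXAMPLE-0001", False),
    ("f5", "openssl", "CVE-EXAMPLE-0002", True),
    ("f6", "zlib", "CVE-EXAMPLE-0003", False),
]

MINUTES_PER_FINDING = 21   # figure quoted from the Ponemon survey
HOURS_PER_DAY = 12         # working day assumed in the article's calculation


def exploitable(findings):
    """Keep only findings whose vulnerable function is observed executing."""
    return [f for f in findings if f[3]]


def backlog_reduction(findings):
    """Fraction of the backlog removed by the reachability filter (0.0 to 1.0)."""
    total = len(findings)
    return 0.0 if total == 0 else 1 - len(exploitable(findings)) / total


def remediation_plan(findings):
    """Group reachable findings by component, highest payoff first.

    Returns a list of (component, [finding ids]) so that the team can see
    which single component upgrade knocks out the most exploitable findings.
    """
    by_component = defaultdict(list)
    for fid, component, _cve, _reachable in exploitable(findings):
        by_component[component].append(fid)
    return sorted(by_component.items(), key=lambda kv: (-len(kv[1]), kv[0]))


def manual_effort_days(n_findings):
    """Person-days to work n_findings by hand at 21 min each, 12 h per day."""
    return n_findings * MINUTES_PER_FINDING / 60 / HOURS_PER_DAY


if __name__ == "__main__":
    print(f"backlog reduced by {backlog_reduction(FINDINGS):.0%}")
    for component, ids in remediation_plan(FINDINGS):
        print(f"fix {component}: clears {len(ids)} finding(s) {ids}")
    print(f"15,000 findings by hand: {manual_effort_days(15000):.1f} days")
```

Running `manual_effort_days(15000)` reproduces the article's order of magnitude (about 437 days versus the 430 quoted), which is the point: even the filtered backlog is not a manual job.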


Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
