“The State of Vulnerability Management in DevSecOps,” a new large-scale study from the Ponemon Institute and Rezilion that incorporated input from over 16,500 IT professionals, indicates that huge vulnerability backlogs have become the norm for organizations. DevSecOps is supposed to provide an answer to this, but most organizations are struggling to get their programs to a mature state.
About half of the survey respondents said that their organizations are sitting on backlogs of at least 100,000 vulnerabilities, and a portion of these range up into the millions. And backlogs are growing, as more than half say they are struggling to keep pace; in some cases, the existing backlog is a major barrier to getting DevSecOps functioning properly.
Strong interest in DevSecOps, but implementation still a challenge
Most of the organizations surveyed say that they have their DevSecOps developed to at least some degree, but only 29% classify it as being in a mature state. 31% say that they have just started with it.
Organizations are most drawn to DevSecOps by the promise of better collaboration between departments, faster patch times and better software security without slowing the development cycle. However, only 19% cited their vulnerability backlogs as a reason for implementing it. And when asked what the biggest barriers were to implementing DevSecOps, the third most common answer was that the existing vulnerability management backlog was already too big.
A feeling that security software is inadequate to the task is also common among respondents. More than half of respondents feel their tools are too complex, and just under half report problems with scaling and with interoperability between tools. Organizations are clearly willing to spend on this, with only 18% saying that cost is an issue for them, yet they still have not found the right combination of software. The strain is growing as the tendency is to “shift left,” making application developers primarily responsible for security, and those developers depend on being provided with an effective toolkit.
Vulnerability management becoming too onerous for many organizations
As mentioned, the majority of companies have heavy vulnerability management backlogs and are struggling to address them. 66% report at least 100,000 vulnerabilities in their backlog, and 33% have at least one million. Organizations tend to report that addressing only about one-third of their vulnerabilities has become an accepted rate. Response times contribute to this issue, with both production and development seeing average times of around 20 minutes to remediate each vulnerability.
Vulnerability management programs are interested in DevSecOps as an automation solution to these issues, but continue to struggle with getting it to work properly. Over half of the respondents say that teams do not fully understand their individual responsibilities for the system and its overall security posture, and almost half are not confident in the development team’s ability to build appropriate security into the final product.
Most organizations also report problems tracking and identifying vulnerabilities, though they say that patching is an even more time-consuming problem. Another major issue in this area is being able to halt everyday work functions for long enough to implement needed patches.