Vulnerability backlogs are too time-consuming to address

Organizations are losing thousands of hours in time and productivity dealing with a massive backlog of vulnerabilities that they have neither the time or resources to tackle effectively, according to a new report.

The State of Vulnerability Management in DevSecOps report from vulnerability management platform Rezilion and the Ponemon Institute, shows 47 percent of security leaders report that they have a backlog of applications that have been identified as vulnerable.

More than half (66 percent) say their backlog consists of more than 100,000 vulnerabilities and the average number of vulnerabilities in backlogs overall is a mind-boggling 1.1 million, according to the data.

Perhaps more concerning is that 54 percent say they were able to patch less than 50 percent of the vulnerabilities in the backlog. Most respondents (78 percent) say high-risk vulnerabilities in their environment take longer than three weeks to patch, with the largest percentage (29 percent) noting it takes them longer than five weeks to patch.

So what stops teams from taking remedial action? An inability to prioritize what needs to be fixed is named by 47 percent, a lack of effective tools (43 percent), a lack of resources (38 percent), and not enough information about risks that would exploit vulnerabilities (45 percent). More than a quarter (28 percent) also say remediation is too time-consuming.

The survey finds 77 percent of respondents say it takes longer than 21 minutes to detect, prioritize, and remediate just one vulnerability in production. This represents more than an hour of time spent on one vulnerability on the production side. On the development side, more than 80 percent of organizations spend longer than 16 minutes to detect one vulnerability in development. Prioritization and remediation times are long too, as 82 percent of respondents say it takes longer than 21 minutes to remediate one vulnerability

“This is a significant loss of time and dollars spent just trying to get through the massive vulnerability backlogs that organizations’ possess,” says Liran Tancman, CEO of Rezilion, which sponsored the research. “If you have more than 100,000 vulnerabilities in a backlog, and consider the number of minutes that are spent manually detecting, prioritizing, and remediating these vulnerabilities, that represents thousands of hours spent on vulnerability backlog management each year. These numbers make it clear that it is impossible to effectively manage a backlog without the proper tools to automate detection, prioritization, and remediation.”

The full report is available from the Rezilion site.

Image credit: