Most enterprise vulnerabilities remain unpatched a month after discovery

More bugs are being squashed by the enterprise, but the time it takes to do so leaves organizations at risk.

The majority of vulnerabilities remain unpatched by the enterprise a month after discovery, researchers have found.

According to CA Veracode's latest State of Software Security (SOSS) report, up to 70 percent of bugs remain unpatched four weeks after disclosure, and close to 55 percent are not resolved three months after discovery.

Vulnerabilities impacting organization networks, apps, and infrastructure are not all equal, and part of responsible security practices require that IT staff triage issues to resolve and patch the bugs which are considered the most dangerous to that company.

However, according to the cybersecurity firm, 25 percent of vulnerabilities which are attributed high-severity ratings are not addressed within 290 days, and a quarter of disclosed bugs which may not be so critical remain unpatched well after a year.

In total, Veracode says that approximately one in four vulnerabilities are resolved within 21 days, but this still potentially leaves open a channel for successful cyberattacks.

As we saw in the case of the Equifax data breach, in which 146 million customer records were exposed, a failure to patch within a reasonable time frame can have disastrous consequences for a company.

See also: The most interesting Internet-connected vehicle hacks on record

The credit monitoring service's data breach was due to the exploit of a vulnerability in the Apache Struts framework, CVE-2017-5638, of which a patch had been made available months before the cyberattack.

An interesting aspect of the report is the regional differences which appear to exist when it comes to vulnerability remediation. Companies in the Asia Pacific (APAC) region are the quickest to act, patching a quarter of bugs within an average of eight days. This is followed by 22 days for the US, and 28 days for organizations in Europe and the Middle East (EMEA).

While rapid response appears to be a strength of the APAC region, this response does not take into account all relevant vulnerabilities. It takes an average of 413 days for firms in the US to resolve up to 75 percent of bugs, and double the time for companies in APAC and EMEA to follow suit.

Apps, on the whole, remain vulnerable, with at least 80 percent of applications containing at least one vulnerability, and over 30 percent of these are considered high severity.

screen-shot-2018-10-24-at-12-29-03.png

When it comes to open-source security, the enterprise still needs to improve. According to the research, over 85 percent of apps used by corporations contain at least one vulnerability -- and while this isn't necessarily an issue if they are low-impact, 13 percent are considered high-risk.

TechRepublic: How RATs infect computers with malicious software

However, the enterprise cannot be expected to resolve every security flaw or bug as soon as it is publicly disclosed. Companies are not only using a wide array of services and apps but may also be using open-source components and libraries -- which creates a vast potential attack surface for them to keep an eye on.

Despite these challenges, the report suggests that the state of cybersecurity in the enterprise is slowly improving.

In total, it is estimated that 69 percent of vulnerabilities are eventually closed through either remediation or mitigation, which is an increase of 12 percent year-on-year.

CNET: White House wants to borrow tech workers from Google, Amazon, says report

"Security-minded organizations have recognized that embedding security design and testing directly into the continuous software delivery cycle is essential to achieving the DevSecOps principles of balance of speed, flexibility, and risk management," says Chris Eng, vice president of Research at CA Veracode. "These incremental improvements amount over time to a significant advantage in competitiveness in the market and a huge drop in risk associated with vulnerabilities."

Previous and related coverage