25% of software vulnerabilities remain unpatched for more than a year

Smaller organizations are more agile at patching vulnerabilities, and vendor support goes a long way in easing patching, according to a report from Kenna Security and the Cyentia Institute.

What to include in an enterprise cybersecurity plan At RSA 2019, Steve Martino of Cisco discussed the top cybersecurity threats businesses are facing, and how to help employees improve their security posture.

Applying patches to vulnerabilities in products is not uniformly easy, according to a report from Kenna Security and the Cyentia Institute published Tuesday analyzing how some 300 organizations handle the neverending onslaught of patches and mitigations.

The duo propose the metric of "remediation velocity" to measure the survival timeline of vulnerabilities, focusing on a measurement of how many days it takes to reach 25%, 50%, or 75% of vulnerabilities closed, measured in a particular aspect. Across all of the organizations analyzed, it took an average of 26 days to reach 25% closed, 100 days to reach 50% closed, and 392 days to reach 75%.

SEE: Open source vs. proprietary software: A look at the pros and cons (Tech Pro Research)

There are a variety of factors—severity, difficulty of exploitation, existence of a proof-of-concept—that influence how quickly vulnerabilities can be addressed inside an organization. Foremost among those are the utilities provided by vendors to apply patches. In a comparison of vendors, Microsoft comes out far ahead of others, enabling organizations to patch 25% of vulnerabilities within 14 days, 50% within 37 days, and 75% within 134 days. Google comes in second among the listed vendors for organizations to patch, taking 15, 63, and 229 days to reach milestones of 25%, 50%, and 75%, respectively.

Popular Linux distribution Debian is in third, at 22, 93, and 286 days, modestly ahead of commercial Linux distribution Red Hat at 27, 102, and 325 days. Strangely, it takes organizations far longer to patch Ubuntu than Debian, at 180, 287, and 1345 days. Ubuntu exists downstream from Debian, and use the same package manager, making the disparity difficult to explain.

The either unattended or too-fragile-to-patch make up the rest of the pack, with Apache, Cisco, Oracle, HP, and IBM products left relatively unprotected. The report notes that "there are many possible reasons behind these dramatic differences. Java (Oracle) is notoriously hard to fix without breaking something. Apple might have fewer vulnerabilities than Microsoft, but their enterprise management support lags. Google updates frequently, but many forget to restart their browsers. Overall, though, we view [these results] as strong evidence in favor of scheduled releases and the automated distribution of patches."

Vulnerabilities across all vendors with known exploits were found to be patched more quickly. Vulnerabilities with known exploits were patched in 20, 63, and 248 days, while those without were patched in 27, 111, and 426 days to reach 25%, 50%, and 75% thresholds, respectively.

Smaller organizations were observed to patch vulnerabilities faster, for which the report states "many assume fewer resources would translate to reduced capacity to remediate vulnerabilities, smaller firms generally reach each time-to-fix milestone faster than their medium and large counterparts... [the finding] probably says less about remediation capacity and more about the compounding difficulty of managing larger IT environments."

Also see