Survey: Organizations Take Too Long to Fix Application Vulnerabilities
A global survey of 902 IT and security professionals finds 80% of respondents work for organizations that have been impacted by an application security incident in the last 12 months, with 36% having to respond to multiple incidents.
Conducted by the Cloud Security Alliance (CSA) in collaboration with Miggo Security, a provider of a platform for applying virtual patches to applications, the survey also finds that 35% of respondents report it takes their teams four to seven days to identify critical vulnerabilities in a production environment. In comparison, 39% require one to three days, with only 9% able to achieve that goal in less than 24 hours.
Miggo Security CEO Daniel Shechter said that at a time when frontier artificial intelligence (AI) models are discovering massive numbers of vulnerabilities that can now be exploited in a matter of hours, it is clear that existing approaches to creating, testing and applying patches to applications are not going to be able to keep pace.
The reasons IT teams have, historically, not been able to apply patches in a timely manner range from a lack of resources to concerns the patch might break the application. In fact, the survey finds risk of disrupting application functionality or business operations (47%), disagreement on vulnerability relevance or exploitability (34%), change management restrictions (24%) and lack of sufficient production context to assess impact (20%) are the primary obstacles encountered.
At the same time, efforts to shift more responsibility for application security left toward software engineering teams are, given the number of incidents, clearly failing, said Shechter. Cybersecurity and IT teams in the age of AI need to be able to address issues in real time without having to wait for application development teams to concur, he added.
Not surprisingly, the capabilities survey respondents say would help them most are clear proof that a vulnerability can be exploited in production (41%), the ability to mitigate or contain risk without immediate code changes (37%), visibility into the exact code paths and data flows affected (33%) and a reduction in the number of false positives generated by existing tools (18%), the survey finds.
Unfortunately, as more code is created using AI coding tools, the overall level of application security being attained and maintained, at least in the short term, is likely to worsen. Most of the AI models used to generate code were trained using flawed examples of code collected from across the web. As a result, the number of vulnerabilities that are finding their way into codebases has increased. There may come a day when more advanced AI models reduce the total number of vulnerabilities being generated. The survey finds that 96% of respondents have remediated an issue that bypassed pre-production controls, with 46% reporting that issue was not identified prior to deployment, compared to 45% that shipped code with a known issue that arose later.
Couple that increase in vulnerabilities with the volume of new code being written, and the fact that AI models are also uncovering massive amounts of technical debt involving vulnerabilities in existing applications, and it’s clear that, at least in the immediate future, many cybersecurity and IT teams will be overwhelmed by a sharp rise in the number of vulnerabilities discovered in production environments.
As a result, the top three capabilities cybersecurity and IT teams are now looking for are the ability to identify risks and vulnerabilities before deployment to production (52%), followed by an ability to mitigate or contain risk without immediate code changes (26%) and better integration with existing tools and platforms (22%). Additionally, 42% of respondents said they expect to increase spending on runtime security in the next 12 to 24 months, the survey finds.
Hopefully, the vulnerabilities now being discovered will not be exploited before being remediated. However, cybersecurity teams, while continuing to hope for the best, would be well advised to now prepare for worst-case scenarios that could have major impacts on the ability of their organization to actually operate.