We are starting to see some data from the industry about how long it takes most organizations to fix vulnerabilities they’ve identified in their software. Two useful sources are:
These provide information about the prevalence of different types of vulnerabilities as well as how how long vulnerabilities tend to stay in software and is a reflection of the calendar time that these vulnerabilities exist. At Denim Group we have also released some of our data on how long it takes to fix different types of vulnerabilities and our data reflects the level of effort required to make fixes. The data we released can be found online here:
The combination of these types of data sources should be helpful for organizations trying to craft a strategy for addressing vulnerabilities in their software. The data about vulnerability lifespans can help you to benchmark yourself against industry peers and set goals for what sort of exposure window you are willing to accept in your organization (although I would argue that software security vulnerability lifespans are far too long right now). The data about the level of effort required for fixes can help you to plan the resources required for remediation projects. Availability of data sets like this allows security analysts to have “grown up” conversations with management. Think along the lines of “to keep pace with peers in our industry we should be doing these things…” versus “cross-site scripting is scary…” More “grown up” conversations should lead to better-allocated budgets and ultimately to better-managed risk.
dan _at_ denimgroup.com