Focus on critical security debt

by Mark Rowe

Why aren’t organisations prioritising their most urgent security risks? asks John Smith, EMEA CTO at Veracode.

Companies are accumulating security risk faster than ever. This risk is growing much faster than software vulnerabilities can be discovered and addressed, resulting in a record level of accumulated security debt and a backlog of unresolved security flaws. Research shows that 42pc of applications and 71pc of organisations carry security debt – flaws in code that remain unfixed for longer than a year. Not only does this put companies at heightened risk of attack, it also stifles innovation by diverting resources from new development to damage control.

In theory, companies could remediate many of these flaws quickly. In practice, the workload of security and developer teams makes finding flaws, and prioritising the most critical vulnerabilities to address, challenging. The good news is that the right tools can help teams understand not only which vulnerabilities present the highest risk, but also how to tackle them.

Of the organisations with security debt, almost half (46pc) have flaws classed as ‘high-severity’, resulting in ‘critical’ security debt. If vulnerabilities are left unresolved, these numbers will continue to climb. So why do businesses struggle to prioritise fixing the riskiest vulnerabilities? The answer is simple: software has become too complex, and teams endeavour to tackle the growing mountain of security debt manually or without the right tools. Security and development teams often attempt to manage growing security debt by hand, but the demands on their time are simply too great. Security teams are also receiving too many alerts. Most teams now run multiple detection tools that are very effective at finding vulnerabilities. The flip side of identifying most flaws, however, is that security teams are often swamped with information.

A mountain of alerts, without enough context to allow overwhelmed security analysts to prioritise the most urgent ones, is counterproductive. Some large organisations have vulnerability backlogs that reach the millions, with more being added every day, so tackling them all is impossible. While all security flaws should be tackled eventually, ‘only’ 15pc of flaws are considered critical, so prioritising them is key for maximum risk reduction.

How ASPM can help

Developer teams already manage an average of 50+ tools across their ecosystems. Many of these tools provide contextual analysis, but often fall short when it comes to reducing security debt.

Security teams need clarity on application risk levels to understand the potential impact of a vulnerability. Just because an exploit is likely to occur does not mean that fixing the flaw is urgent. Treating likelihood alone as urgency would incorrectly classify all flaws in code as equally risky, and when everything is an emergency, nothing is an emergency. Security and development teams need a clear, comprehensive picture of where issues originate, how critical they are to the business, and what can be done to remediate them. In addition to automating issue investigation and prioritisation, this allows teams to unify and prioritise security issues from code to cloud.

Application Security Posture Management (ASPM) tools are designed to ingest and combine data from different detection tools and add an extra layer of context other tools can’t provide. ASPM tools do not replace detection tools; they complement them by picking up where they left off, using their findings as the basis for further analysis. By cutting through the clutter and identifying the most urgent vulnerabilities, ASPM helps security teams make the most of their existing detection tools.
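To make the ASPM idea concrete, the following added example (not code from the article or from Veracode) merges findings from several hypothetical scanners, flags security debt using the article's own definitions (unfixed for over a year; critical debt when such a flaw is high-severity), and ranks flaws by severity plus business context rather than severity alone. All tool names, applications, dates and context fields are constructed sample data.

```python
from datetime import date, timedelta

# Constructed sample findings from three hypothetical scanners (not real tool output).
TODAY = date(2025, 1, 15)
FINDINGS = [
    {"tool": "sast", "app": "payments", "cwe": "CWE-89", "severity": "high", "found": date(2023, 11, 1)},
    {"tool": "dast", "app": "payments", "cwe": "CWE-89", "severity": "high", "found": date(2024, 2, 10)},
    {"tool": "sca", "app": "payments", "cwe": "CWE-1104", "severity": "medium", "found": date(2024, 12, 1)},
    {"tool": "sast", "app": "intranet-wiki", "cwe": "CWE-79", "severity": "high", "found": date(2023, 6, 1)},
    {"tool": "sast", "app": "intranet-wiki", "cwe": "CWE-200", "severity": "low", "found": date(2024, 9, 1)},
]
# Business context the ASPM layer adds on top of raw scanner output (constructed).
APP_CONTEXT = {
    "payments": {"internet_facing": True, "handles_pii": True},
    "intranet-wiki": {"internet_facing": False, "handles_pii": False},
}
SEVERITY_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1}
DEBT_AGE = timedelta(days=365)  # the article's threshold: unfixed for longer than a year

def dedupe(findings):
    """Merge the same (app, CWE) reported by several tools; keep the earliest discovery date."""
    merged = {}
    for f in findings:
        key = (f["app"], f["cwe"])
        m = merged.setdefault(key, {"app": f["app"], "cwe": f["cwe"], "severity": f["severity"],
                                    "found": f["found"], "tools": set()})
        m["tools"].add(f["tool"])
        m["found"] = min(m["found"], f["found"])
        if SEVERITY_SCORE[f["severity"]] > SEVERITY_SCORE[m["severity"]]:
            m["severity"] = f["severity"]  # keep the worst rating any tool gave
    return list(merged.values())

def classify(finding, today=TODAY):
    """Flag security debt and critical debt as the article defines them."""
    finding["security_debt"] = (today - finding["found"]) >= DEBT_AGE
    finding["critical_debt"] = finding["security_debt"] and SEVERITY_SCORE[finding["severity"]] >= 3
    return finding

def priority(finding):
    """Severity plus exposure, data sensitivity, age and corroboration; higher means fix first."""
    ctx = APP_CONTEXT[finding["app"]]
    score = SEVERITY_SCORE[finding["severity"]]
    score += 2 if ctx["internet_facing"] else 0
    score += 1 if ctx["handles_pii"] else 0
    score += 1 if finding["security_debt"] else 0
    score += 1 if len(finding["tools"]) > 1 else 0  # confirmed independently by a second tool
    return score

def prioritise(findings, today=TODAY):
    return sorted((classify(f, today) for f in dedupe(findings)), key=priority, reverse=True)

def debt_summary(findings, today=TODAY):
    ranked = prioritise(findings, today)
    return {"total": len(ranked), "security_debt": sum(f["security_debt"] for f in ranked),
            "critical_debt": sum(f["critical_debt"] for f in ranked)}
```

On the sample data the medium-severity flaw in the internet-facing payments app ranks above the high-severity flaw in the internal wiki, which is the "severity alone is not urgency" point made above.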

Tackling serious risks

Security debt is a pervasive challenge for businesses. While it’s impossible to eliminate all vulnerabilities, understanding and prioritising the most critical flaws is essential. ASPM solutions can be an invaluable ally for both developer and security teams by offering efficiency and precision in addressing vulnerabilities. By identifying, prioritising and tackling vulnerabilities, these solutions empower teams to reduce risk faster, with the least amount of effort. In a world where security debt continues to grow, leveraging ASPM is the key to staying ahead of threats, one vulnerability at a time.