Web app security patches: Closing the risk window

Web application vendors are taking, on average, 11 days to provide critical fixes. Davey Winder thinks that's still too long...

Barry Shteiman, director of security strategy at Imperva, thinks that there's a missing piece in the number puzzle. He thinks there's a link between a two-week fix window to the actual vulnerability and the threat opportunity around it. "A vulnerability being fixed in 14 days only exposes the fact that the vendor has been notified and fixed the code," he says. "It does not cover the time of exposure, which is the critical path here."

Indeed, looking at the annual report from WhiteHat Security from 2013, it's possible to  see a completely different picture. "Last year Imperva and WhiteHat  conducted a mutual effort to realise what the exposure factor is" Shteiman told IT Pro, continuing "we took WhiteHat's number which describes a full window from discovery of the vulnerability, until the fix has actually been applied (a totally different number than just the time it takes the vendor to patch) and the number is 224 days on average."

In order to match the window of exposure vs. hackers, Imperva looked at attack data and found that each application in its Security operations Centre gets attacked on average 176 days out of a 6 months period, which is 98 per cent of the time! These results show that even while customers are patching their applications in a timely fashion, hackers still have the opportunity to try and get in. If an attack happens on average every quarter and less than 60 per cent of that time you are vulnerable, the chances of a breach are huge. "To answer the original question on time-to-patch" Shteiman concludes "I don't believe that the market is there yet with the understanding of what patching really means. This is because patches are either unavailable in a timely manner and/or customers don't know that they are vulnerable to begin with and therefore don't necessarily know of the need for a patch."

What can be done then, to shorten this time-to-patch average and help mitigate the lack of understanding the problem? Traditionally there are two orthogonal measures of resilience: mean time to failure (MTTF) and mean time to repair (MTTR), and patching falls squarely in the mean time to repair category.

"If we lengthen the MTTF by building better quality software in the first place, we end up waiting on the MTTR less," explains Paco Hope, principal consultant at Cigital. "Otherwise, software vendors must build massive regression testing environments and have lots of people ready to drop what they're doing and regression test a proposed fix." That's expensive spare capacity and, the reality of the situation is, we like our software cheap.

Featured Resources

Preparing for AI-enabled cyber attacks

MIT technology review insights

Download now

Cloud storage performance analysis

Storage performance and value of the IONOS cloud Compute Engine

Download now

The Forrester Wave: Top security analytics platforms

The 11 providers that matter most and how they stack up

Download now

Harness data to reinvent your organisation

Build a data strategy for the next wave of cloud innovation

Download now

Most Popular

RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021
Square to acquire Afterpay for $29 billion
mergers and acquisitions

Square to acquire Afterpay for $29 billion

2 Aug 2021
Zyxel USG Flex 200 review: A timely and effective solution
Security

Zyxel USG Flex 200 review: A timely and effective solution

28 Jul 2021