Web app security patches: Closing the risk window

Web application vendors are taking, on average, 11 days to provide critical fixes. Davey Winder thinks that's still too long...

Barry Shteiman, director of security strategy at Imperva, thinks that there's a missing piece in the number puzzle. He thinks there's a link between a two-week fix window to the actual vulnerability and the threat opportunity around it. "A vulnerability being fixed in 14 days only exposes the fact that the vendor has been notified and fixed the code," he says. "It does not cover the time of exposure, which is the critical path here."

Indeed, looking at the annual report from WhiteHat Security from 2013, it's possible to  see a completely different picture. "Last year Imperva and WhiteHat  conducted a mutual effort to realise what the exposure factor is" Shteiman told IT Pro, continuing "we took WhiteHat's number which describes a full window from discovery of the vulnerability, until the fix has actually been applied (a totally different number than just the time it takes the vendor to patch) and the number is 224 days on average."

In order to match the window of exposure vs. hackers, Imperva looked at attack data and found that each application in its Security operations Centre gets attacked on average 176 days out of a 6 months period, which is 98 per cent of the time! These results show that even while customers are patching their applications in a timely fashion, hackers still have the opportunity to try and get in. If an attack happens on average every quarter and less than 60 per cent of that time you are vulnerable, the chances of a breach are huge. "To answer the original question on time-to-patch" Shteiman concludes "I don't believe that the market is there yet with the understanding of what patching really means. This is because patches are either unavailable in a timely manner and/or customers don't know that they are vulnerable to begin with and therefore don't necessarily know of the need for a patch."

What can be done then, to shorten this time-to-patch average and help mitigate the lack of understanding the problem? Traditionally there are two orthogonal measures of resilience: mean time to failure (MTTF) and mean time to repair (MTTR), and patching falls squarely in the mean time to repair category.

Advertisement - Article continues below

"If we lengthen the MTTF by building better quality software in the first place, we end up waiting on the MTTR less," explains Paco Hope, principal consultant at Cigital. "Otherwise, software vendors must build massive regression testing environments and have lots of people ready to drop what they're doing and regression test a proposed fix." That's expensive spare capacity and, the reality of the situation is, we like our software cheap.

Featured Resources

The essential guide to cloud-based backup and disaster recovery

Support business continuity by building a holistic emergency plan

Download now

Trends in modern data protection

A comprehensive view of the data protection landscape

Download now

How do vulnerabilities get into software?

90% of security incidents result from exploits against defects in software

Download now

Delivering the future of work - now

The CIO’s guide to building the unified digital workspace for today’s hybrid and multi-cloud strategies.

Download now

Most Popular

digital transformation

Boston Dynamics dog-like robots sniff out bombs for Massachusetts police

26 Nov 2019
Google Android

Samsung Galaxy A90 5G review: Simply the best value 5G phone

22 Nov 2019
Mobile Phones

Samsung sails past Apple's market share despite smartphone market slump

28 Nov 2019
mergers and acquisitions

Xerox to pursue hostile HP takeover after $30bn gambit fails

28 Nov 2018