Web app security patches: Closing the risk window

Web application vendors are taking, on average, 11 days to provide critical fixes. Davey Winder thinks that's still too long...

Barry Shteiman, director of security strategy at Imperva, thinks that there's a missing piece in the number puzzle. He thinks there's a link between a two-week fix window to the actual vulnerability and the threat opportunity around it. "A vulnerability being fixed in 14 days only exposes the fact that the vendor has been notified and fixed the code," he says. "It does not cover the time of exposure, which is the critical path here."

Indeed, looking at the annual report from WhiteHat Security from 2013, it's possible to  see a completely different picture. "Last year Imperva and WhiteHat  conducted a mutual effort to realise what the exposure factor is" Shteiman told IT Pro, continuing "we took WhiteHat's number which describes a full window from discovery of the vulnerability, until the fix has actually been applied (a totally different number than just the time it takes the vendor to patch) and the number is 224 days on average."

In order to match the window of exposure vs. hackers, Imperva looked at attack data and found that each application in its Security operations Centre gets attacked on average 176 days out of a 6 months period, which is 98 per cent of the time! These results show that even while customers are patching their applications in a timely fashion, hackers still have the opportunity to try and get in. If an attack happens on average every quarter and less than 60 per cent of that time you are vulnerable, the chances of a breach are huge. "To answer the original question on time-to-patch" Shteiman concludes "I don't believe that the market is there yet with the understanding of what patching really means. This is because patches are either unavailable in a timely manner and/or customers don't know that they are vulnerable to begin with and therefore don't necessarily know of the need for a patch."

What can be done then, to shorten this time-to-patch average and help mitigate the lack of understanding the problem? Traditionally there are two orthogonal measures of resilience: mean time to failure (MTTF) and mean time to repair (MTTR), and patching falls squarely in the mean time to repair category.

"If we lengthen the MTTF by building better quality software in the first place, we end up waiting on the MTTR less," explains Paco Hope, principal consultant at Cigital. "Otherwise, software vendors must build massive regression testing environments and have lots of people ready to drop what they're doing and regression test a proposed fix." That's expensive spare capacity and, the reality of the situation is, we like our software cheap.

Featured Resources

Shining light on new 'cool' cloud technologies and their drawbacks

IONOS Cloud Up! Summit, Cloud Technology Session with Russell Barley

Watch now

Build mobile and web apps faster

Three proven tips to accelerate modern app development

Free download

Reduce the carbon footprint of IT operations up to 88%

A carbon reduction opportunity

Free Download

Comparing serverless and server-based technologies

Determining the total cost of ownership

Free download

Most Popular

What should you really be asking about your remote access software?
Sponsored

What should you really be asking about your remote access software?

17 Nov 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

30 Nov 2021
Access brokers are making it easier for ransomware operators to attack businesses
cyber security

Access brokers are making it easier for ransomware operators to attack businesses

1 Dec 2021