Thousands of Hours Lost to Vulnerability Backlog Management Annually Due to Lack of Prioritization and Automation: Rezilion and Ponemon Report

Rezilion, an automated vulnerability management platform accelerating software security, and Ponemon Institute announced today the release of “The State of Vulnerability Management in DevSecOps,” which reveals that organizations are losing thousands of hours in time and productivity dealing with a massive backlog of vulnerabilities that they have neither the time or resources to tackle effectively. 

The finds 47% of security leaders report that they have a backlog of applications that have been identified as vulnerable. More than half (66%) say their backlog consists of more than 100,000 vulnerabilities and 54% say they were able to patch less than 50% of the vulnerabilities in the backlog. Thus, most respondents (78%) say high-risk vulnerabilities in their environment take longer than 3 weeks to patch, with the largest percentage (29%) noting it takes them longer than 5 weeks to patch.

Among the factors that keep teams from remediating are an inability to prioritize what needs to be fixed (47%), a lack of effective tools (43%), a lack of resources (38%), and not enough information about risks that would exploit vulnerabilities (45%). More than a quarter (28%) also said remediation is too time-consuming.

Expensive and time-consuming hours are lost trying to wrangle massive backlogs on both the production and development side of software applications. The survey finds 77% of respondents say it takes longer than 21 minutes to detect, prioritize, and remediate just one vulnerability in production. This represents more than an hour of time spent on one vulnerability on the production side.

On the development side, more than 80% of organizations spend longer than 16 minutes to detect one vulnerability in development. Prioritization and remediation times are also long as 82% of respondents say it takes longer than 21 minutes to remediate one vulnerability in development and 85% say it takes longer than 16 minutes to prioritize one vulnerability in development. 

Overall, a majority of respondents say it is either very difficult (36%) or difficult (25%) to remediate vulnerabilities in applications. 

There are some tools and strategies that businesses are relying on with success to move the needle on backlog management. For example, a majority (56%) said they use automation for vulnerability remediation and, of those who do, most say it has yielded significant benefits. When asked how automation has impacted the time it takes to remediate vulnerabilities, 43% said there was a significantly shorter time to respond.

Download a copy of the report today at

And on a related note, Rezilion has done research on the Log4Shell vulnerability. That research can be downloaded here That is worth a read as well.

Leave a Reply

%d bloggers like this: