Archive for Rezilion

Rezilion Expands Dynamic SBOM Capability To Support Windows Environments

Posted in Commentary with tags on November 9, 2022 by itnerd

Rezilion has announced today the expansion of its Dynamic Software Bill of Materials (SBOM) capability to support Windows environments. Through this expansion, Rezilion will provide organizations with a first-of-its-kind toolset to efficiently manage software vulnerabilities and meet new regulatory standards, for the 56% of software today that’s built for Windows OS.

While many tools exist for organizations to manage vulnerabilities in their software, the vast majority of these were initially built for use with Linux OS, resulting in gaps in functionality when they’re used for Windows. A dearth of “Windows-first” tooling also affects organizations’ preparedness to comply with new regulations such as the President’s Executive Order (EO) 14028, which will require teams to provide regulators with a thorough inventory of their software environments and related vulnerabilities. The market has been alarmingly slow to respond to this increasingly urgent need for better solutions. As evidence of this, Microsoft itself released its first, basic, open source “Windows-first” SBOM generation tool as recently as July of this year.

As a result of these gaps, for organizations with large, legacy Windows environments (including critical infrastructure), a new threat on the scale of the “Y2K” scare of the late 1990s is emerging. Whether the pressure comes from attackers or regulators, these organizations must modernize their security standards or suffer the consequences of the risks ahead.

First released in May, Rezilion’s Dynamic SBOM can be deployed in all software environments – both Windows and Linux simultaneously – and provides a real-time, rather than static, inventory of all software components in a single graphical UI. Rezilion’s solution also integrates dynamic runtime analysis to not only detect software vulnerabilities but validate their actual exploitability, helping teams clear away “false-positive” scan results and avoid wasteful patching work that shifts resources away from build activity.

Other key features and capabilities include:

  • Dynamic Identification – Instantly search and pinpoint vulnerable components such as Log4J across millions of files and on thousands of hosts, containers, and applications.
  • Holistic Insight & Control – View Windows and Linux risk side by side in one UI, to get a complete picture of your attack surface, manage risk efficiently and comply with auditors.
  • Tackle Legacy Vulnerability Backlogs Efficiently – Aggregate detected vulnerabilities, filter out false positives and prioritize what matters to address risks quickly and meet modern remediation SLAs as defined by CISA with a fraction of the effort.

Learn more about Rezilion’s Dynamic SBOM at https://www.rezilion.com/platform/dynamic-sbom/.

Book a demo today to learn more about Rezilion’s Windows software security solutions at https://www.rezilion.com/lp/windows-security-demo/.

New Vulnerability Scanner Benchmark Report: Only 73% Precisely Identify High & Critical-Severity Vulnerabilities

Posted in Commentary with tags on October 26, 2022 by itnerd

Rezilion has released a new report, the Vulnerability Scanner Benchmark, which reveals that end users are dealing with a lack of transparency and only partially effective vulnerability scanning performance.

In his research, Yotam Perkal, Director of Vulnerability Research of cybersecurity firm Rezilion, found that:

  • Only 73% returned relevant results out of all vulnerabilities that should have been identified.
  • Only 82% were identified correctly, regardless of vulnerabilities scanners failed to report.
  • Over 450 high and critical-severity vulnerabilities were misidentified across the 20 containers.
  • On average, the scanners failed to find over 16 vulnerabilities per container.

You can read the report here.
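As an added illustration (not the report’s methodology or Rezilion’s code), the snippet below scores a scanner’s output against a known ground truth per container, producing the two kinds of figures the benchmark quotes. It assumes the first figure is recall (found out of everything that should have been found) and the second is precision (correct out of everything reported); the container names and CVE identifiers are constructed placeholders.

```python
from dataclasses import dataclass

HIGH_OR_CRITICAL = {"HIGH", "CRITICAL"}


@dataclass(frozen=True)
class Finding:
    cve: str       # placeholder identifier, constructed for this example
    severity: str  # LOW / MEDIUM / HIGH / CRITICAL


def score_scanner(truth, scanned):
    """Compare scanner output against a known ground truth.

    truth and scanned map container name -> set of Finding.
    Recall: share of expected findings the scanner reported.
    Precision: share of reported findings that were actually present.
    """
    tp = fp = fn = 0
    high_crit_fp = 0
    for container, expected in truth.items():
        reported = scanned.get(container, set())
        false_pos = reported - expected
        missed = expected - reported
        tp += len(expected & reported)
        fp += len(false_pos)
        fn += len(missed)
        # Noise that costs the most triage time: high/critical findings that are not real
        high_crit_fp += sum(1 for f in false_pos if f.severity in HIGH_OR_CRITICAL)
    return {
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "high_crit_false_positives": high_crit_fp,
        "mean_missed_per_container": fn / len(truth) if truth else 0.0,
    }


# Constructed sample data: two containers, one missed finding, two spurious ones.
TRUTH = {
    "web": {Finding("CVE-EXAMPLE-0001", "HIGH"), Finding("CVE-EXAMPLE-0002", "MEDIUM"),
            Finding("CVE-EXAMPLE-0003", "CRITICAL"), Finding("CVE-EXAMPLE-0004", "LOW")},
    "db": {Finding("CVE-EXAMPLE-0005", "HIGH"), Finding("CVE-EXAMPLE-0006", "LOW")},
}
SCANNED = {
    "web": {Finding("CVE-EXAMPLE-0001", "HIGH"), Finding("CVE-EXAMPLE-0002", "MEDIUM"),
            Finding("CVE-EXAMPLE-0004", "LOW"), Finding("CVE-EXAMPLE-0099", "HIGH")},
    "db": {Finding("CVE-EXAMPLE-0005", "HIGH"), Finding("CVE-EXAMPLE-0006", "LOW"),
           Finding("CVE-EXAMPLE-0098", "LOW")},
}

if __name__ == "__main__":
    print(score_scanner(TRUTH, SCANNED))
```

A finding only counts as a hit when both identifier and severity match, so a scanner that reports the right CVE at the wrong severity shows up as one false positive plus one miss.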

Thousands of Hours Lost to Vulnerability Backlog Management Annually Due to Lack of Prioritization and Automation: Rezilion and Ponemon Report

Posted in Commentary with tags on September 14, 2022 by itnerd

Rezilion, an automated vulnerability management platform accelerating software security, and Ponemon Institute announced today the release of “The State of Vulnerability Management in DevSecOps,” which reveals that organizations are losing thousands of hours in time and productivity dealing with a massive backlog of vulnerabilities that they have neither the time nor the resources to tackle effectively.

The report finds that 47% of security leaders have a backlog of applications that have been identified as vulnerable. More than half (66%) say their backlog consists of more than 100,000 vulnerabilities, and 54% say they were able to patch less than 50% of the vulnerabilities in the backlog. Consequently, most respondents (78%) say high-risk vulnerabilities in their environment take longer than 3 weeks to patch, with the largest share (29%) noting it takes them longer than 5 weeks.

Among the factors that keep teams from remediating are an inability to prioritize what needs to be fixed (47%), not enough information about the risk that vulnerabilities will be exploited (45%), a lack of effective tools (43%), and a lack of resources (38%). More than a quarter (28%) also said remediation is too time-consuming.

Expensive and time-consuming hours are lost trying to wrangle massive backlogs on both the production and development side of software applications. The survey finds 77% of respondents say it takes longer than 21 minutes for each of detecting, prioritizing, and remediating just one vulnerability in production, which adds up to more than an hour spent on a single vulnerability on the production side.

On the development side, more than 80% of organizations take longer than 16 minutes to detect one vulnerability in development. Prioritization and remediation times are also long: 82% of respondents say it takes longer than 21 minutes to remediate one vulnerability in development, and 85% say it takes longer than 16 minutes to prioritize one.

Overall, a majority of respondents say it is either very difficult (36%) or difficult (25%) to remediate vulnerabilities in applications.

There are some tools and strategies that businesses are relying on with success to move the needle on backlog management. For example, a majority (56%) said they use automation for vulnerability remediation and, of those who do, most say it has yielded significant benefits. When asked how automation has impacted the time it takes to remediate vulnerabilities, 43% said there was a significantly shorter time to respond.

Download a copy of the report today at https://www.rezilion.com/lp/its-about-time-ponemon-survey/.

And on a related note, Rezilion has done research on the Log4Shell vulnerability. That research can be downloaded at https://www.rezilion.com/lp/log4shell-4-months-later/. It is worth a read as well.