Rezilion, Ponemon Find Thousands of Hours Lost in Vulnerable Backlog

Rezilion, an automated vulnerability management platform, and Ponemon Institute have released The State of Vulnerability Management in DevSecOps, a report which finds that organizations lose thousands of hours in time and productivity dealing with a massive backlog of vulnerabilities they have neither the time nor the resources to tackle effectively.

The report highlights that 47 percent of security leaders report they have a backlog of applications that have been identified as vulnerable. Two-thirds (66 percent) say their backlog consists of more than 100,000 vulnerabilities, and the average number of vulnerabilities in a backlog is 1.1 million, according to the data. Even more concerning, 54 percent say they are able to patch fewer than half of the vulnerabilities in the backlog. Most respondents (78 percent) say high-risk vulnerabilities in their environment take longer than three weeks to patch, with the largest group (29 percent) noting it takes them longer than five weeks.

“We believe the research shines the light on the challenges organizations face in managing their growing backlog of vulnerabilities,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute. “On average, 1.1 million individual vulnerabilities were in this backlog in the past 12 months and less than half were remediated. Automation, according to the IT security professionals participating in our study, can make a significant difference in the time it takes to remediate vulnerabilities.”

Among the factors that keep teams from remediating are an inability to prioritize what needs to be fixed (47 percent), not enough information about the threats that would exploit the vulnerabilities (45 percent), a lack of effective tools (43 percent), and a lack of resources (38 percent). More than a quarter (28 percent) said remediation is too time-consuming.

Expensive hours are lost trying to wrangle massive backlogs on both the production and the development side of software applications. The survey finds that 77 percent of respondents say it takes longer than 21 minutes each to detect, to prioritize and to remediate a single vulnerability in production, which adds up to more than an hour spent on one vulnerability on the production side.

On the development side, more than 80 percent of organizations spend longer than 16 minutes detecting one vulnerability in development. Prioritization and remediation times are also long: 82 percent of respondents say it takes longer than 21 minutes to remediate one vulnerability in development, and 85 percent say it takes longer than 16 minutes to prioritize one.

“This is a significant loss of time and dollars spent just trying to get through the massive vulnerability backlogs that organizations possess,” said Liran Tancman, CEO of Rezilion, which sponsored the research. “If you have more than 100,000 vulnerabilities in a backlog, and consider the number of minutes that are spent manually detecting, prioritizing, and remediating these vulnerabilities, that represents thousands of hours spent on vulnerability backlog management each year. These numbers make it clear that it is impossible to effectively manage a backlog without the proper tools to automate detection, prioritization, and remediation.”

Overall, most respondents say it is either very difficult (36 percent) or difficult (25 percent) to remediate vulnerabilities in applications.

“We now have the data to track how much time vulnerabilities are stealing from teams across the Software Development Life Cycle (SDLC) and we know that it is a process that is not working effectively,” said Tancman. “Backlogs cannot continue to be closed in this manner because it extends the attack window for threat actors to exploit unpatched, exploitable vulnerabilities. Security teams and developers clearly need prioritization and automation to make their patching efforts more timely and efficient.”

To download the full report please visit:

Learn more about Rezilion’s software attack surface management platform and get a 30-day free trial at: