The average time to weaponize a new bug is seven days. that means that you have about half that time to harden your system to that attack. Almost no one regularly patches serious bugs that quickly. In 2019 Threatpost said that it took organizations 102 days to patch (see link above). That was in 2019.
What has happened since then?
NTT Application Security says that the average time to fix is on the rise while the time for severe bugs is down a little bit.
NTT says the average time to fix vulnerabilities has dropped since last month from 205 days to 202 days.
Note that is basically double what it was in 2019. Down is a relative term.
That number is actually up since January 1. In January the average time was 197 days.
The average time to patch “high” vulnerabilities grew from 194 days in January to 246 days in June.
Remediation rates for critical vulnerabilities fell from 54% in January to 48% in June. The rate for high vulnerabilities fell from 50% at the beginning of the year to 38% at the end of June.
NTT is in the business of managing companies security, so they have a lot of actual data.
More than 65% of applications in the utilities sector had at least one serious bug throughout the year – exploitable bugs.
Given that it takes hackers no more than 7 days to figure out how to exploit bugs and it takes businesses 200+ days to deploy patches, it is not surprising that hackers can take down a gasoline pipeline or almost poison a water supply. Or ransom thousands of companies.
Even if the numbers were flat since January, which they are not, that still means 7 days for the hackers, 200 days for the defenders.
And the part about 65% of the applications in the utility sector were not fully patched during the entire year. That’s pretty scary.
Of course, there is almost no consequence for businesses to ignore the problem.
After all, they are the victims.
I’m not so sure.