Exclusive: IT staff take as long as 1 month to fix security flaws

Illustration: Sarah Grillo/Axios
Most IT professionals take as long as one month to patch their systems when they learn of a new critical security flaw, according to a new survey from Synopsys shared first with Axios.
Why it matters: Hackers typically only need a few days to find a way to exploit a newly discovered security vulnerability — leaving the organizations that are slow to patch at high risk for an attack.
- Installing a patch sounds relatively easy, but a good patching program often requires more resources than most companies realize.
By the numbers: 28% of respondents take as much as three weeks to patch a critical security vulnerability.
- Another 20% say their organizations take up to a month, according to the survey.
- Synopsys conducted the survey of 1,000 IT professionals across the U.S., U.K., France, Finland, Germany, China, Singapore and Japan.
What they're saying: "There are multiple different factors involved when it comes to patching, and it's very time consuming," Kimm Yeo, senior solutions manager at Synopsys' software integrity group, told Axios.
- "There are a lot of vulnerabilities sitting in the backlog," she added. "How do you know this is critical enough that you need to give it top priority, especially when there's a lack of security experts or insights into the vulnerability itself?"
The big picture: Much of the modern internet is built on insecure code that's ripe for security vulnerabilities.
- That's partly a matter of the language ecosystems some products are built on. The examples given, Java and Python, are memory-safe languages, so the risk there lies less in the language itself than in the vulnerable third-party libraries pulled in through it.
- And it's also because security can be an afterthought when developers are trying to meet tough production deadlines.
Zoom in: Poor patch management is one of the most common misconfigurations that the nation's top hacking teams see, according to a joint advisory from the NSA and the Cybersecurity and Infrastructure Security Agency last week.
Threat level: Both cybercriminal organizations and nation-state hacking groups benefit from slow patching cadences.
- Banking on slow patching programs, Russian state-backed hackers have found success exploiting so-called "N-day" vulnerabilities, security flaws that are already publicly known and may already have patches available, according to a recent Microsoft report.
- Hackers are still exploiting a vulnerability in the open-source logging tool Log4j nearly two years after its discovery.
