Software Security Remediation: Data is Out There – Use It!

We are starting to see some data from the industry about how long it takes most organizations to fix vulnerabilities they’ve identified in their software. Two useful sources are:

These provide information about the prevalence of different types of vulnerabilities as well as how long vulnerabilities tend to stay in software, which reflects the calendar time for which these vulnerabilities exist. At Denim Group we have also released some of our data on how long it takes to fix different types of vulnerabilities; our data reflects the level of effort required to make the fixes. The data we released can be found online here:

The combination of these types of data sources should be helpful for organizations trying to craft a strategy for addressing vulnerabilities in their software. The data about vulnerability lifespans can help you benchmark yourself against industry peers and set goals for the exposure window you are willing to accept in your organization (although I would argue that software security vulnerability lifespans are far too long right now). The data about the level of effort required for fixes can help you plan the resources required for remediation projects. Availability of data sets like this allows security analysts to have “grown up” conversations with management. Think along the lines of “to keep pace with peers in our industry we should be doing these things…” versus “cross-site scripting is scary.” More “grown up” conversations should lead to better-allocated budgets and ultimately to better-managed risk.

Contact us for help building your organization’s software security remediation strategy.


About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.

Categories: Remediation
