Talking with SANS About Remediation
I recently had the opportunity to speak with the folks at the SANS Institute about some of the software remediation statistics we’ve released.
We’ve been saying for a while that software vulnerability remediation is the next big problem in the application and software security space. Finding vulnerabilities isn’t the problem – fixing them is. And it isn’t just the mechanics of fixing the vulnerabilities – although lots of organizations have problems with that as well. Rather it is the risk-ranking and prioritization of those vulnerabilities and the justification of diverting expensive developer-hours away from building new features toward addressing technical debt that has grown up over time. (See Jeremiah Grossman‘s recent blog post “Web Developer Resources are Scarce, Security is a Trade-Off” for a succinct description of the problem)
These remediation stats don’t provide an easy answer to those problems, but they do start to provide a quantitative basis for organizations to understand likely costs and test out different scenarios. “What would it cost to get rid of SQL injection company-wide?” “How long will it take us to get rid of all Critical and High vulnerabilities?” “Is the estimate provided by the development team unrealistic?” Every organization is going to have to make their own decision about how to move forward; hopefully these stats put them in a better position to make that decision an informed one.
See the full SANS “Ask the Expert” exchange here.
Also you can see the all of the data we’ve released in the RSA presentation “Remediation Statistics: How Much Does Fixing Application Vulnerabilities Cost” here:
dan _at_ denimgroup.com