IT administrators are not paying enough attention to application bugs.
Speaking at the Black Hat Conference in Las Vegas, Wolfgang Kandek, CTO at Qualys, claimed that the average time between the disclosure of a vulnerability and the time when half of its occurrences have been eliminated (i.e. patched) is 29.5 days.
However, the window before exploits become available is constantly shrinking and has now come down to single days. Kandek claimed that the numbers could be better, and that the reason they are not is that threats have increased along with the efforts to mitigate vulnerabilities.
He claimed that the problem is not as bad at the operating system level, as Microsoft Windows patches are typically applied quickly and external services seem to be well protected. This is not the case at the application level, however, Kandek said, as applications do not seem to be receiving enough attention from IT administrators.
Kandek said: “One of the best ways to alleviate exposure is to try to speed up the patch cycle and try to partition vulnerabilities off by addressing problems that pose greatest risk. Security administrators should develop a patching strategy that is based on the risk profile of machines, and segment applications using a tool for automatic application of patches.”