The average period of time it takes for software vendors to fix a critical flaw appears to be going down, according to a recent study. Nonetheless, industry experts are still encouraging focus on software security and mitigating cyberthreats, as malware authors are getting faster at rolling out exploits for unpatched zero-days as well.
The study, from Swiss penetration testing firm High-Tech Bridge, found that the average time it took to patch a critical flaw decreased from 17 days in 2012 to 11 days in 2013. For medium-risk flaws, the average fell from 29 days in 2012 to 13 in 2013, while low-risk flaws saw a similar drop from 48 days to 25 days. Across all three categories, the average time to a patch has improved 33 percent. The sample in the study was limited to 62 security advisories covering 162 vulnerabilities, so the findings are not definitive but are indicative.
At the same time, 11 days may still be too slow for patching a critical vulnerability, High-Tech Bridge CEO Ilia Kolochenko noted. Exploit development is speeding up even as patch times shrink, and deploying patches is often slow, particularly in sensitive cybersecurity contexts such as government agencies or critical infrastructure. Last year, Google released a policy encouraging software vendors to address any critical flaws that were being actively exploited within seven days. The reasoning was that users need some recourse to protect themselves in an increasingly hostile digital environment, and that it should be possible to release at least some form of mitigation even on that compressed timeline.
The lingering threats that remain even in the face of improved patching schedules underscore the need for better underlying security. Fortunately, Kolochenko observed, vendors seem to be taking note.
"General awareness within vendors about the importance of application security is growing, with vendors finally taking security seriously," Kolochenko said. "In the past, even well-known vendors postponed security-related fixes in favor of releasing new versions of their software with new functionality and unpatched vulnerabilities."
High-Tech Bridge CRO Marsel Nizamutdinov encouraged companies to strengthen security during the development process through a combination of automated source code analysis software tools and human code review. A more thorough methodology that combines these practices can help catch errors during the coding process, reducing the need for patches and, accordingly, cutting the cost of rolling out a patch quickly to stymie attackers.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.