Are you patching quickly enough? How safe is the software you use? Do you have a system in place to identify vulnerabilities and patch them when they are discovered? How quickly do you react to vulnerability reports? There’s evidence that software vulnerabilities are on the rise, and few companies are taking the necessary action to combat them.

There was some worrying news in the recent Secunia Vulnerability Review 2015. The number of recorded vulnerabilities hit a record high of 15,435 last year, up 18% from 2013. The vulnerability count has increased 55% in the last five years. The report also found a rise in the number of zero-day vulnerabilities, with 20 being uncovered in the 50 most popular programs. These are vulnerabilities that have already been exploited by hackers before being made public or patched.

Even when vulnerabilities are public, many companies are taking an unacceptably long time to fix them. We’ve discussed before the fact that known vulnerabilities pose the biggest IT security threat. What is causing this complacency?

Misplaced trust in open source software?

It seems that many businesses are making dangerous assumptions about open source software. The Ninth Annual Future of Open Source Survey from Black Duck offers some fascinating insights. OSS is gaining in popularity quite dramatically, but there’s a lack of policy in place to manage it. An impressive 78% of respondents reported that their companies run part or all of their operations on OSS, but 55% have no formal policy in place to deal with OSS use. There’s a belief that OSS delivers better security than proprietary software: 55% of respondents cited security as a reason for adopting OSS. That may be true, but it doesn’t mean that OSS is free of vulnerabilities. We all remember Heartbleed, and OpenSSL just released a fix for another high-severity flaw.
It takes time and resources just to stay up to date on the latest vulnerabilities and keep software fully patched.

According to the survey, more than 50% of respondents are not satisfied with their ability to understand known security vulnerabilities in open-source components. What’s worse, only 17% plan to monitor open source code for security vulnerabilities. That means the majority are content to rely on someone else to find vulnerabilities, and without oversight it’s hard to predict how many vulnerabilities are already being exploited. The open-source model does offer lots of advantages, and OSS adoption will continue to rise in the next few years. But there’s a real danger that this belief in its superior security credentials is causing companies to bury their heads in the sand.

The importance of rapid patching

Jumping back to Secunia’s report, it’s alarming to find that many organizations simply aren’t taking the threat of software vulnerabilities seriously enough.

A number of vendors took weeks to patch Heartbleed. One unnamed vendor took 160 days. If it’s taking that long to patch highly publicized flaws, then you have to wonder how many vulnerabilities are flying under the radar.

It’s understandable that companies aren’t committing resources to actively search for flaws, though it’s certainly not advisable. But the failure to patch known vulnerabilities is negligent. These kinds of flaws represent the greatest risk of attack. Cybercriminals and hackers tend to follow the path of least resistance, and that’s often a known vulnerability.

The threat of vulnerabilities is only going to grow as more and more software is rushed out to market. It’s time the enterprise addressed this threat and, at an absolute minimum, allotted the necessary resources to patching vulnerabilities. Ideally, companies should be monitoring code on an ongoing basis to uncover more vulnerabilities.
Failure to act could be exposing businesses to serious risk of data leakage, which is expensive and difficult to fix.

The opinions expressed in this blog are those of Michelle Drolet and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.