It’s that time of year again! While you’re polishing off last year’s Cybersecurity Awareness Month PSA about password strength, it might also be time for you to take a look at your own best practices. While we know that every Patch Tuesday may bring about new headaches for your organization, it’s still important to understand your security posture with regard to vulnerability management.
Why does your vulnerability backlog keep growing?
Every application has various dependencies — for example, the drivers in your video card might depend on elements of the Windows operating system in order to display images. If a security update to the operating system breaks those dependencies, then your users will wake up to malfunctioning hardware.
You can roll back your drivers or OS version to fix the initial issue, but then you need to wait for someone to release an updated patch that supports your hardware. If your organization is a school or a small business running hardware that’s past end-of-life, you may be out of luck. Even large enterprises may find their patch management programs delayed indefinitely due to seemingly more important concerns.
Meanwhile, your vulnerabilities are still exploitable.
Vulnerabilities are becoming more vulnerable
Bad actors are taking notice of the time it takes for organizations to effectively patch their infrastructure. It used to take attackers around 63 days post-discovery to begin exploiting a zero-day vulnerability. That timeline has decreased to an average of 32 days. Meanwhile, unpatched vulnerabilities are the source of over 60% of data breaches.
Adding to the concerns of security administrators, vulnerabilities are being discovered at an increasing rate. In 2024, researchers discovered 61% more vulnerabilities than in previous years, and the number of exploited vulnerabilities rose 96%. This may have something to do with the rise of “vibe-coded software,” which is partially or totally generated by AI.
While AI-written code contains errors at approximately the same rate as human-written code, AI makes it easy to write more code faster — and more code means more vulnerabilities in total. In addition, developers may have unrealistic faith in the ability of AI to write secure code. This means they can forget to check for vulnerabilities, which then make it into production software.
How do you find unpatched common vulnerabilities and exposures (CVEs)?
Now that you’re aware that unpatched vulnerabilities can plague even the most mature organizations with the newest applications, how do you do things differently?
Let’s start by saying that it’s entirely possible for an organization to forget that it has an unpatched application. If you’re still using spreadsheets to keep track of patches and someone doesn’t update a row, that information could be lost.
Because of this, beginning or revamping your patch management strategy will usually start with asset management. You will need a list of all the software you’re currently running, and then you’ll need to match version numbers between what’s running on your infrastructure and the most up-to-date version from the manufacturer.
Finally, not every unpatched application contains a critical vulnerability. For that reason, it’s useful to cross-reference your out-of-date software with the CVE database, a community-supported archive of known vulnerabilities.
What happens after you identify unpatched applications?
It may be that you have dozens of unpatched applications. For some of them, the fix may be as simple as downloading and installing the patch — but even if it’s that clear-cut, you still may need to test the patch before pushing it to production. This takes valuable time.
Other unpatched applications may remain unpatched, either because the manufacturer never released a patch or because the most up-to-date version is still incompatible with your hardware. Here, you’ll need to improvise protections, such as placing the application in a secure subnet.
It will be very important for you to prioritize your efforts — because you almost certainly won’t have enough time to patch every application.
Prioritizing your unpatched vulnerabilities
Security researchers often combine two rubrics to help prioritize patch management. The Common Vulnerability Scoring System (CVSS) is developed by the National Infrastructure Advisory Council with the aim of characterizing the severity of software vulnerabilities on a scale from zero to ten. However, the CVSS is not designed to form a sole basis for prioritizing vulnerability management.
The Exploit Prediction Scoring System (EPSS) ranks CVEs based on whether they are likely to be exploited. EPSS uses a mathematical model that calculates the relationship between exploitation activity and the severity of an exploit. With this information, it can forecast whether a large number of bad actors will attempt to exploit a vulnerability in the next 30 days.
Surprisingly, there’s not a huge overlap between EPSS and CVSS scores. Research shows that attackers often don’t prioritize the most severe vulnerabilities or even the ones that are easiest to exploit.
All this being said, security directors should cast a wide net for security intelligence and use their own judgement when prioritizing vulnerability management. If a vulnerability scores highly on both EPSS and CVSS, then it should definitely be managed first. But sometimes you may find that a high-scoring vulnerability affects a relatively trivial application, or one that’s already located on a screened and monitored subnet. If that’s the case, you may wish to pursue other weaknesses first.
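The inventory-matching step and the CVSS/EPSS prioritization described above, as an added example in Python (not Barracuda's code or any product's). Every host, product, version, CVE identifier and zone weight below is a constructed placeholder.

```python
"""Constructed example: match a software inventory against advisories, keep the
entries whose installed version is below the fixed version, and rank them."""
from dataclasses import dataclass

@dataclass
class Advisory:
    cve: str          # placeholder identifier, not a real CVE
    product: str
    fixed_version: str
    cvss: float       # 0.0-10.0 severity
    epss: float       # 0.0-1.0 probability of exploitation within 30 days

# Constructed inventory: (hostname, product, installed version, network zone)
INVENTORY = [
    ("web01", "acme-httpd", "2.4.10", "internet"),
    ("lab07", "acme-httpd", "2.4.10", "screened"),   # same flaw, isolated subnet
    ("hr02", "acme-office", "11.0.2", "internal"),
    ("db01", "acme-db", "9.3.0", "internal"),         # already above fixed version
]

# Constructed advisories with placeholder CVE ids.
ADVISORIES = [
    Advisory("CVE-XXXX-0001", "acme-httpd", "2.4.12", cvss=9.8, epss=0.92),
    Advisory("CVE-XXXX-0002", "acme-office", "11.0.3", cvss=9.1, epss=0.02),
    Advisory("CVE-XXXX-0003", "acme-db", "9.2.0", cvss=8.0, epss=0.40),
]

# Assumed exposure weights: a screened, monitored subnet lowers urgency.
ZONE_WEIGHT = {"internet": 1.0, "internal": 0.7, "screened": 0.3}

def version_tuple(v: str) -> tuple:
    """'2.4.10' -> (2, 4, 10) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def priority(adv: Advisory, zone: str) -> float:
    """Severity scaled to 0-1, times exploitation likelihood, times exposure."""
    return round((adv.cvss / 10.0) * adv.epss * ZONE_WEIGHT[zone], 3)

def triage(inventory, advisories) -> list:
    """Return unpatched (host, cve, priority) rows, most urgent first."""
    by_product = {a.product: a for a in advisories}
    rows = []
    for host, product, installed, zone in inventory:
        adv = by_product.get(product)
        if adv and version_tuple(installed) < version_tuple(adv.fixed_version):
            rows.append((host, adv.cve, priority(adv, zone)))
    return sorted(rows, key=lambda r: r[2], reverse=True)
```

Calling `triage(INVENTORY, ADVISORIES)` puts the internet-facing host with a high CVSS and high EPSS first, the same flaw on the screened subnet well below it, and the severe-but-rarely-exploited office bug last.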
Keeping up with vulnerability management: What’s next?
Vulnerability management isn’t a one-and-done project. Ideally, it’s performed on a continuous basis — and you should probably use something more advanced than a spreadsheet.
In an ideal world, you’ll employ a solution that performs proactive vulnerability scanning. Security solutions in this category regularly scan your network and audit your active applications, saving the days of work necessary to perform a manual software audit. In addition, new vulnerabilities will be automatically flagged and ranked by severity, taking much of the guesswork out of prioritization.
Heuristic — aka behavior-based — intrusion prevention systems are a useful complement to vulnerability management. These tools recognize the symptoms of a cyberattack, such as large numbers of files being created, encrypted or deleted. Then they intervene to lock down suspicious activities. In the event that you haven’t yet remediated a vulnerability (or if you don’t know that one exists, such as in a zero-day threat), these tools will provide a second line of defense.
Conquer patch fatigue with Barracuda
Managed Vulnerability Security is a new offering from Barracuda that offloads the burden of defending against severe exploits. This service combines regular vulnerability scans with the timely intervention of our expert Security Operations Center (SOC). Our fully managed service allows you to benefit from expert oversight without adding to your existing workload — while eliminating your vulnerability backlog. Schedule a conversation and learn how Barracuda can help you unlock your cyber resilience.