Updated research of the largest base of real-world vulnerability data
Posted on 23 April 2009.

Wolfgang Kandek, CTO of Qualys, today unveiled Laws of Vulnerabilities 2.0 derived from the industry’s largest vulnerability dataset.

The Laws 2.0 reveals vulnerability half-life, prevalence, persistence and exploitation trends for five critical industry segments including Finance, Healthcare, Retail, Manufacturing and Services. These trends were drawn from a statistical analysis of more than 680 million vulnerabilities out of which 72 million vulnerabilities are critical, generated by 80 million scans during 2008.


The lifespan of most, if not all vulnerabilities, is unlimited.

Laws of Vulnerabilities 2.0 declarations

The Laws derived from this research are:

1. Half-Life - The half-life of critical vulnerabilities remained at 30 days across all industries. Comparing individual industries, the Service industry has the shortest half-life of 21 days, Finance ranked second with 23 days, Retail ranked third with 24 days and Manufacturing ranked last with a vulnerability half-life of 51 days.

2. Prevalence - Sixty percent of the most prevalent and critical vulnerabilities are being replaced by new vulnerabilities on an annual basis. This number has increased from the 2004 research where it was 50 percent. The top stragglers according to Laws 2.0 are MSFT Office, Windows 2003 SP2, Adobe Acrobat and Sun Java Plug-in.

3. Persistence - The Laws 2.0 declared that the lifespan of most, if not all vulnerabilities is unlimited and a large percentage of vulnerabilities are never fully fixed. This law was illustrated with data samples from MS08-001, MS08-007, MS08-015 and MS08-021.

4. Exploitation - Eighty percent of vulnerability exploits are now available within single digit days after the vulnerability’s public release. In 2008, Qualys Labs logged 56 vulnerabilities with zero-day exploits, including the RPC vulnerability that produced Conficker. In 2009, the first vulnerability released by Microsoft, MS09-001 had an exploit available within seven days. Microsoft’s April Patch Tuesday included known exploits for over 47 percent of the published vulnerabilities. This law had the most drastic change from the Laws 1.0 in 2004, which provided a comfortable 60 days as guidance.

Wolfgang Kandek, CTO of Qualys, and author of the Laws of Vulnerabilities 2.0 said:
Security is getting more difficult with attackers becoming extremely sophisticated and the window of exploitation shrinking to days for most critical vulnerabilities. Our goal with this research is to help organizations across different industries to understand the broader trends, the potential for damage and the priority of vulnerabilities, so they can make more effective and more immediate decisions to protect their networks. With research like that outlined in the Laws of Vulnerabilities 2.0, we can provide the industry with a statistical look at threat trends in real-time.
The Laws is derived from an anonymous dataset that is non traceable to any given customer, IP address or network. The data is collected through the QualysGuard scanning infrastructure that performs over 200 million IP audits annually. Simple counters are kept during scanning of customers’ networks and the collected data is then summarized and logged daily for this research analysis.





Spotlight

Infographic: 25 years of the firewall

Posted on 24 July 2014.  |  The firewall turned 25, and McAfee is celebrating with an infographic that creatively depicts its lifetime. If you take a moment to scan the infographic, you’ll notice the firewall's introduction and evolution coincide with certain security events.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Jul 25th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //