Glaswegian

Patching alone will never solve the long-running headache of insecure software, the author of the influential Laws of Vulnerability 2.0 report has said.

A week after releasing the report [PDF] at the RSA Show, author Wolfgang Kandek of Qualys admitted that the pace of improvement had slowed considerably every year the survey had been carried out since the inaugural report in 2004.

In five years, the average time taken by companies to patch vulnerabilities had decreased by only one day, from 60 days to 59 days, at a time when the number of flaws and the speed at which they are being exploited has accelerated from weeks to, in some cases, days.

During the same period, the number of IP scanned on an anonymous basis by the company from its customer base had increased from 3 million to a statistically significant 80 million, with the number of vulnerabilities uncovered rocketing from 3 million to 680 million. Of the latter, 72 million were rated by Qualys as being of ‘critical' severity.

"The patching cycle isn't really accelerating, but the attackers are getting much faster," he said. "The good thing is that more people are looking [for vulnerabilities], the bad thing is that they [the attackers] have got faster."

According to Kandek, the number of machines that are never patched had also remained broadly static at around 10 percent.

Taken together, the statistics suggested that a new solution would be needed in order to make further improvement with the only likely candidate on the horizon being cloud computing.


http://www.techworld.com/security/ne...&NewsID=115249