Law of Vulnerabilities
Jim Reavis shares a report of his recent visit to the Black Hat Briefings
Security Strategies Alert
By M. E. Kabay, Network World, 09/18/2003
Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
My friend and colleague Jim Reavis contributes the following report on his recent visit to the Black Hat Briefings. Everything
below is Jim’s work:
* * *
The Black Hat Briefings in Las Vegas is one of those security conferences where the piercings and tattoos coexist freely with
the suits. This coexistence does not imply unanimity, and this was evident at the liveliest session I attended, entitled “The
Law of Vulnerabilities.” The contentious debate over software bugs was very educational in illuminating the differences of
opinion over software quality and the responsibilities of those who build it.
The Law of Vulnerabilities is the result of a research project conducted by Qualys, a provider of vulnerability assessment
products. It is an attempt to identify statistically significant patterns in real-world security vulnerabilities and their
corresponding exploits. In theory, identifying these trends can help us understand the window of exposure that is created
by vulnerabilities and quantify the associated risk to our computer networks.
The data used for this study came from vulnerability scans conducted by Qualys and was presented by CTO Gerhard Eschelbeck.
The findings were mined from 1.5 million scans, 1.2 million critical vulnerabilities and 2,041 unique vulnerabilities.
According to Eschelbeck, the half-life of a critical vulnerability is 30 days, meaning that from the time a major bug is announced,
it takes a month for half of the systems with that vulnerability to get patched. Another finding stated that when a vulnerability
is released, exploits are “in the wild” within 60 days of the release date. In terms of prevalence, 50% of the most popular
vulnerabilities change on an annual basis, and some vulnerabilities have been shown to have an unlimited lifespan at this
point.
Are these laws immutable? Probably not. Caleb Sima, CTO of SPI Dynamics, an application security software company, attended
the session and found the findings interesting. However, he says the scope of the research probably skewed the results.
“This is a fairly small set of vulnerability scan data, and by limiting the data to Qualys customers you have a bias in favor
of security-conscious organizations. My feeling is that a larger and more randomized set of data would show that the real
situation is even worse. Most companies will patch vulnerabilities more slowly, increasing the vulnerability half-life,” Sima
said. “We also don’t know the breakdown between internal and external IP addresses scanned, which is important because most
people have a different standard for how quickly they fix problems. I would also like to see how the results compare between
large enterprises and small companies, as well as a breakdown between different system types.”
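To put the half-life and exploit-window figures in the same frame, here is an added illustration (not part of Jim's report or the Qualys study) that treats patching as exponential decay, which is what a "half-life" implies. The scan counts are constructed, and the log-linear fit used to derive a half-life from them is my assumption about how such a figure could be estimated, not Qualys's published method.

```python
# Exponential patching model implied by a vulnerability "half-life".
# Added illustration; the fitting method and sample data are assumptions.
import math


def unpatched_fraction(days, half_life_days=30.0):
    """Fraction of originally vulnerable systems still unpatched after `days`,
    assuming patching follows exponential decay with the given half-life."""
    return 0.5 ** (days / half_life_days)


def days_to_patch_fraction(patched_fraction, half_life_days=30.0):
    """Days until `patched_fraction` of systems are patched (e.g. 0.9 for 90%)."""
    return half_life_days * math.log2(1.0 / (1.0 - patched_fraction))


def estimate_half_life(observations):
    """Estimate a half-life from (day, vulnerable_host_count) scan observations
    by least-squares fitting a line to log(count) against day. Assumed method."""
    xs = [day for day, _ in observations]
    ys = [math.log(count) for _, count in observations]
    n = len(xs)
    mean_x, mean_y = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    slope = sxy / sxx  # negative: log(count) falls as systems get patched
    return -math.log(2) / slope


# Constructed sample: vulnerable-host counts from repeated scans for one
# vulnerability, roughly tracking a 30-day half-life with some noise.
SAMPLE_SCANS = [(0, 1000), (10, 790), (20, 635), (30, 505), (45, 350), (60, 252)]


def exposure_report(observations=SAMPLE_SCANS, exploit_day=60):
    """Combine the two findings: the fitted half-life and the share of systems
    still unpatched on the day exploits are expected to be in the wild."""
    half_life = estimate_half_life(observations)
    return {
        "half_life_days": half_life,
        "unpatched_at_exploit": unpatched_fraction(exploit_day, half_life),
        "days_to_90pct_patched": days_to_patch_fraction(0.9, half_life),
    }


if __name__ == "__main__":
    for key, value in exposure_report().items():
        print(f"{key}: {value:.2f}")
    # Sima's point: a slower patch rate (longer half-life) widens the window.
    print(f"unpatched at day 60 with 45-day half-life: {unpatched_fraction(60, 45):.2f}")
```

With a 30-day half-life, about a quarter of vulnerable systems are still exposed on the day the study expects exploits to appear; stretching the half-life to 45 days raises that to roughly 40%.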
M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance program at Norwich University.