
Research and Development: The Laws of Vulnerabilities

As an on-demand vulnerability management solution, Qualys® has the unique ability to collect and analyze aggregate vulnerability data from thousands of real-world networks, providing its customers with information unavailable anywhere else.

Based on this statistically representative sample of Internet vulnerabilities, Qualys has presented and published leading vulnerability research including the well-known "Laws of Vulnerabilities". The 2005 update of the "Laws of Vulnerabilities" research was drawn from a statistical analysis of nearly 21 million critical vulnerabilities, collected from 32 million live network scans.

THE LAWS DERIVED FROM THIS RESEARCH

Half-Life: The half-life is the length of time it takes users to patch half of their systems, reducing their window of exposure. In the last year, the half-life of critical vulnerabilities has been reduced from 21 days to 19 days for external systems, and from 62 days to 48 days for internal systems. Vulnerabilities released on a predefined schedule show an 18 percent increase in patch response.
Prevalence: 50 percent of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities on an annual basis.
Persistence: Four percent of critical vulnerabilities remain persistent and their lifespan is unlimited.
Focus: 90 percent of vulnerability exposure is caused by 10 percent of critical vulnerabilities.
Window of Exposure: The time-to-exploit cycle is shrinking faster than the remediation cycle. 80 percent of exploits are available within the first half-life period of critical vulnerabilities.
Exploitation: Automated attacks create 85 percent of their damage within the first fifteen days of an outbreak and have an unlimited lifetime.
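The half-life and window-of-exposure laws above can be worked through numerically. The following is an added example, not Qualys' own method or code: it assumes that the unpatched population decays exponentially (so a half-life fully describes the remediation curve), estimates a half-life from a constructed series of per-scan unpatched counts, and projects how much of a population is still exposed after a given number of days using the page's 19-day (external) and 48-day (internal) figures.

```python
import math

# Half-lives of critical vulnerabilities from the 2005 update, in days.
HALF_LIFE_EXTERNAL = 19
HALF_LIFE_INTERNAL = 48

# Constructed sample (not real scan data): number of systems still
# unpatched on each day after a critical vulnerability was disclosed.
SAMPLE_SCANS = [(0, 1000), (7, 790), (14, 600), (21, 470), (28, 360), (35, 280)]


def fraction_unpatched(days, half_life):
    """Fraction of systems still exposed after `days`, assuming the
    exponential decay that a half-life implies: 0.5 ** (days / half_life)."""
    return 0.5 ** (days / half_life)


def days_to_reach(target_fraction, half_life):
    """Days until only `target_fraction` of systems remain unpatched.
    Inverts fraction_unpatched: days = half_life * log2(1 / target)."""
    return half_life * math.log2(1.0 / target_fraction)


def estimate_half_life(observations):
    """Estimate the half-life from (day, unpatched_count) pairs.

    Least-squares fit of ln(count) against day; under exponential decay the
    slope equals -ln(2) / half_life, so half_life = -ln(2) / slope.
    """
    xs = [float(day) for day, _ in observations]
    ys = [math.log(count) for _, count in observations]
    n = len(xs)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    return -math.log(2) / (sxy / sxx)


def exposure_at_typical_exploit(half_life):
    """Per the window-of-exposure law, 80 percent of exploits appear within
    the first half-life; by construction half the population is still
    unpatched at that point, whatever the half-life is."""
    return fraction_unpatched(half_life, half_life)


if __name__ == "__main__":
    print(f"estimated half-life from sample: {estimate_half_life(SAMPLE_SCANS):.1f} days")
    for label, hl in (("external", HALF_LIFE_EXTERNAL), ("internal", HALF_LIFE_INTERNAL)):
        print(f"{label}: {fraction_unpatched(30, hl):.1%} still unpatched after 30 days, "
              f"{days_to_reach(0.1, hl):.0f} days until 90% patched")
```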