Qualys CTO Gerhard Eschelbeck Unveils Laws of Vulnerabilities at Black Hat Briefings

Research of the Largest Base of Real-World Vulnerability Data Reveals Half-Life, Prevalence, Persistence, and Exploitation Trends

Black Hat, Las Vegas, NV — July 30, 2003 — Gerhard Eschelbeck, CTO of Qualys™, Inc., the market leader in on-demand security audits and vulnerability management, today unveiled the Laws of Vulnerabilities, derived from the industry's largest vulnerability dataset. The Laws describe vulnerability half-life, prevalence, persistence, and exploitation trends. They were drawn from statistical analysis of more than 1.24 million vulnerabilities collected by 1.5 million scans over an 18-month period.

The laws derived from this research are:
  1. Half-Life: The half-life of critical vulnerabilities is 30 days and doubles with each step down in severity
  2. Prevalence: 50% of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities each year
  3. Persistence: The lifespan of some vulnerabilities is unlimited
  4. Exploitation: 80% of vulnerability exploits are available within 60 days of a vulnerability's release
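The half-life law is a statement about how quickly the population of hosts exposed to a given vulnerability shrinks after disclosure. The following is an added example, not code from Qualys or the press release, showing one way to estimate such a half-life from periodic scan counts by fitting an exponential decay (least squares on log counts), and then projecting the law's scaling rule to lower severities. The scan counts are constructed for illustration, and the fitting method is an assumption, not the method Qualys used.

```python
"""Estimate a vulnerability half-life from periodic scan counts.

Added example, not from Qualys or the press release. The scan counts below
are constructed, not real data, and least-squares fitting of log counts is an
assumed estimation method, not Qualys's published methodology.
"""
import math

# Constructed sample: (days since advisory, hosts still found vulnerable).
# Built to decay by roughly half every 30 days, with a little noise.
SAMPLE_SCANS = [
    (0, 1000),
    (10, 810),
    (20, 640),
    (30, 500),
    (45, 360),
    (60, 250),
    (90, 125),
]


def estimate_half_life(scans):
    """Fit ln(count) = a + b*t by least squares and return -ln(2)/b in days.

    Returns None when fewer than two usable points exist, when all scans fall
    on the same day, or when the counts do not actually decay (b >= 0).
    """
    pts = [(t, math.log(n)) for t, n in scans if n > 0]
    if len(pts) < 2:
        return None
    k = len(pts)
    mean_t = sum(t for t, _ in pts) / k
    mean_y = sum(y for _, y in pts) / k
    sxx = sum((t - mean_t) ** 2 for t, _ in pts)
    sxy = sum((t - mean_t) * (y - mean_y) for t, y in pts)
    if sxx == 0:
        return None
    slope = sxy / sxx
    if slope >= 0:
        return None  # population is flat or growing; no half-life
    return -math.log(2) / slope


def projected_half_life(critical_half_life_days, steps_below_critical):
    """Law 1 as stated on the page: half-life doubles per step down in severity."""
    return critical_half_life_days * (2 ** steps_below_critical)


def fraction_remaining(half_life_days, days_elapsed):
    """Share of the originally exposed population still exposed after t days."""
    return 0.5 ** (days_elapsed / half_life_days)


if __name__ == "__main__":
    hl = estimate_half_life(SAMPLE_SCANS)
    print(f"estimated half-life: {hl:.1f} days")
    for step in range(3):
        print(f"severity step {step}: half-life "
              f"{projected_half_life(30, step)} days, "
              f"{fraction_remaining(projected_half_life(30, step), 60):.2%} "
              f"still exposed at day 60")
```

The same estimator can be run against a real scan history by replacing the constructed tuples with (days since disclosure, vulnerable host count) pairs from successive scans; a `None` result means the exposure is not shrinking, which is the situation the persistence law describes.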

The Laws of Vulnerabilities were discussed today at the Black Hat Briefings by a panel of industry experts, including Mary Ann Davidson, Chief Security Officer of Oracle; Philip Zimmermann, creator of Pretty Good Privacy (PGP); Black Hat founder Jeff Moss; Simple Nomad, founder of NMRC; JD Glaser, President & CEO of NT OBJECTives, Inc.; and Gerhard Eschelbeck, CTO of Qualys. The panel was moderated by well-known Black Hat participant Richard Thieme.

"The security industry is flooded with constant, sometimes daily, warnings of new vulnerabilities, and they vary drastically in their degree of potential damage," said Gerhard Eschelbeck, Qualys CTO & Vice President of Engineering, and author of the Laws of Vulnerabilities. "Our job is to help organizations understand the broader trends, the potential for damage and the priority of vulnerabilities, so they can make more effective and more immediate decisions to protect their networks. With research like this, we can provide the industry with a statistical look at network threat trends in real-time."

About Qualys

With more than 2,000 subscribers ranging from small businesses to multinational corporations, Qualys has become the leader in on-demand vulnerability management and policy compliance. The company allows security managers to strengthen the security of their networks effectively, conduct automated security audits and ensure compliance with internal policies and external regulations. Qualys' on-demand technology offers customers significant economic advantages, requiring no capital outlay or infrastructure to deploy and manage. Its distributed scanning capabilities and unprecedented scalability make it ideal for large, distributed organizations. Hundreds of large companies have deployed Qualys on a global scale, including AXA, DuPont, Hershey Foods, ICI Ltd, Novartis, Sodexho, Standard Chartered Bank and many others. Qualys is headquartered in Redwood City, California, with European offices in France, Germany and the U.K., and Asian representatives in Japan, Singapore, Australia, Korea and the Republic of China. For more information, please visit www.qualys.com.

Qualys, the Qualys logo and QualysGuard are proprietary trademarks of Qualys, Inc. All other products or names may be trademarks of their respective companies.

For media inquiries or to find the appropriate spokesperson

Contact: Megan Lamb
Merritt Group
703-390-1535

For all other matters

Contact: pr@qualys.com
