• Stefan Frei



No end-user or organisation would contemplate leaving the front door to their home or office unlocked as their private property and confidential information could be exposed to theft. However, many are still leaving themselves at riskfrom another angle. By not addressing vulnerabilities (errors in software installed on end-points that can be exploited), these very same end-users and organisations are effectively leaving their ‘windows’ wide open as entry points for cybercriminals to compromise sensitive financial/employee/personal data. Indeed, everyone who uses the Internet – 31% of the Earth’s population – is a potential victim of cybercrime.

Analysing data from 2006 to 2011 reveals that the software industry is still unable to reduce the number of vulnerabilities in software. Comparing the average number of vulnerabilities affecting the products of the Top-20 vendors, it is clear that none of these vendors managed to reduce the number of vulnerabilities in their products. Identifying and remediating vulnerabilities in deployed products therefore remains a critical task for organisations and private users in order to manage the risks of security breaches and system compromise.

Focusing on the sheer number of vulnerabilities is just half of the story. The shifting dynamics of the threat landscape means that knowing what to patch – what programs cybercriminals are setting their sights on – and when, is just as critical. It is a common fallacy that exploits are mostly available for popular programs, such as Microsoft programs. In fact, there can be a significant gap between what an organisation patches vs. what a cybercriminal has the opportunity to, or chooses to attack. Importantly, this analysis reveals that programs with low market share are also at risk.