The Register® — Biting the hand that feeds IT


Secunia - Half Year Report 2011

By downloading you agree to our Terms & Conditions. We'll also email you a copy of the paper.

End-Point Security and Evolving Threats

Published October 2011

The first part of this report investigates the evolving threat of software portfolios typically found in organisations. Today, cybercriminals bypass traditional perimeter defences by means of the automated mass production of attack variants – thereby initiating an arms race with defenders. Security patches are found to be an effective means to escape the arms race as they remediate the root cause of compromise.

Quantifying the dynamics of critical programs in software portfolios of up to 5,000 programs over the last few years identifies an increasing gap of unmitigated risk if the patching strategy covers Microsoft products only. Timely patching of the software portfolio of any organisation is like chasing a continually moving target. A comparison of different patching strategies under the assumption of limited resources demonstrates that an intelligent patching strategy is an effective approach for reducing vulnerability risks: an 80% reduction in risk can be achieved by either patching the 12 most critical or the 37 most prevalent programs in a sample portfolio. Furthermore, for the majority of vulnerabilities there are patches available on the day of disclosure, which puts another perspective on the threat of 0-days.

The second section of this report presents global vulnerability data from the last five years and documents trends on a year-to-year basis as of June 2011. Comparing the data from the last two 12-month periods as of June 2011, as well as the extrapolated trend for 2011, indicates a slow decrease in the global number of vulnerabilities.
