• United States



The 80/20 of Managing Software Risk

Sep 28, 20072 mins
Data and Information Security

I was in a meeting with a large group of security professional today talking about SDL, reducing vulnerabilities, metrics, and so on – my normal topics – and we got into a really interesting discussion about which areas of focus can get the best practical results for operational IT security.

The discussion focused around this question – what percentage of malware infections happen due to:

  • Vulns without patches available ? (aka new vulns)
  • Vulns with patches available, but not applied (unpatched vulns)?
  • Some other vector – mis-configuration, social engineering, etc ?

Anecdotally – let me emphasize that – anecdotally, in our discussion we thought the breakdown was something like this:

  • new vulns – less than 10%
  • vulns with patches not applied – 20-30%
  • other vector (misconfiguration, social engineering, etc) – 60-70%

Let me encourage you to use your own numbers if you don’t think that breakdown is right, as I don’t think it detracts from the discussion at all.  Let’s look at this graphically using the zone-h numbers:

So now, let’s think about what this means in terms of product vulnerabilities and products.  The bottom two bars are vulnerability, or software quality, related.  So, when I try to measure vendor progress on security quality or count vulnerabilities, success along those lines only affect the bottom two bars.  The remainder of managing security risk (55%) depends on other factors completely.


But, even without perfect products, look how much of the malware  problem can not be eliminated by improving security quality or reducing vulnerabilities.

This really emphasizes how important other security disciplines are to the goal of protecting computers from malware.  Security management and efforts to make users slightly more clueful jump out as to efforts that could have large impact on operational security.

So, while the importance of these disciplines is by no means a new insight, going through this exercise really puts into things into perspective (for me) with respect to practical security progress in the enterprise.

In the meantime, we should all encourage vendors to work towards those perfect software products to reduce the other two sections as well.

Jeff Jones is a 24-year security industry professional that has spent the last several years at Microsoft helping drive security and privacy progress as part of the Trustworthy Computing group. In this role, Jeff draws upon his security experience to work with enterprise CSOs and Microsoft's internal security teams to drive practical and measurable security improvements into Microsoft process and products. Prior to Microsoft, Jeff was the vice president of product management for security products at Network Associates where his responsibilities included PGP, Gauntlet and Cybercop products, and several improvements in the McAfee product line. These latest positions cap a career focused on security, managing risk, building custom firewalls and being involved in Darpa security research projects while part of Trusted Information Systems. Jeff is a frequent global speaker and writer on security topics ranging from the very technical to more high level, CxO-focused topics such as Security TCO and metrics. Jeff is also a contributor the Microsoft Security Blog ( and writes on a wide range of personal interests (e.g. books, poker, gaming) at