The 80/20 of Managing Software Risk
I was in a meeting with a large group of security professionals today talking about SDL, reducing vulnerabilities, metrics, and so on - my normal topics - and we got into a really interesting discussion about which areas of focus can get the best practical results for operational IT security.
The discussion focused around this question - what percentage of malware infections happen due to:
* Vulns without patches available? (aka new vulns)
* Vulns with patches available, but not applied (unpatched vulns)?
* Some other vector - mis-configuration, social engineering, etc.?
Anecdotally - let me emphasize that - anecdotally, in our discussion we thought the breakdown was something like this:
* new vulns - less than 10%
* vulns with patches not applied - 20-30%
* other vector (misconfiguration, social engineering, etc) - 60-70%