Patching alone will never solve the long-running headache of insecure software, the author of the influential Laws of Vulnerability 2.0 report has said.

A week after releasing the report [PDF] at the RSA Show, author Wolfgang Kandek of Qualys admitted that the pace of improvement had slowed considerably every year the survey had been carried out since the inaugural report in 2004.

In five years, the average time taken by companies to patch vulnerabilities had decreased by only one day, from 60 days to 59 days, at a time when the number of flaws and the speed at which they are being exploited has accelerated from weeks to, in some cases, days.

During the same period, the number of IP scanned on an anonymous basis by the company from its customer base had increased from 3 million to a statistically significant 80 million, with the number of vulnerabilities uncovered rocketing from 3 million to 680 million. Of the latter, 72 million were rated by Qualys as being of ‘critical' severity.

"The patching cycle isn't really accelerating, but the attackers are getting much faster," he said. "The good thing is that more people are looking [for vulnerabilities], the bad thing is that they [the attackers] have got faster."

According to Kandek, the number of machines that are never patched had also remained broadly static at around 10 percent.

Taken together, the statistics suggested that a new solution would be needed in order to make further improvement with the only likely candidate on the horizon being cloud computing.

"We believe that cloud security providers can be held to a higher standard in terms of security," said Kandek. "Cloud vendors can come in and do a much better job."

Unlike corporate admins for whom patching was a sometimes complex burden, in a cloud environment, patching applications would be more technically predictable - the small risk of ‘breaking' an application after patching it would be nearly removed, he said.

Kandek is undoubtedly correct in his observation - virtualise servers and even PCs and re-locate the uncertainty of patching to a locked down environment. But companies are still going to need new software technologies to allow them to continue to use mobile computers such as laptops and smartphones, and that could blunt the benefits of the cloud security model.

After starting life in 2004 under the authorship of former Qualys techie Gerhard Eschelbeck, the annual report has once again been given prominence by Qualys with its new author, Kandek. The Laws of Vulnerability 2.0, which analyses data for 2008, is available for download on the Qualys website.