Skip to main content

Robin Müller, Julius Ruppert, Katharina Will, Lukas Wüsteney, Tobias Heer

Analyzing the Software Patch Discipline Across Different Industries and Countries


In view of recent cyberattacks and new regulatory requirements, companies in different industries and countries are forced to implement additional IT security measures. Nevertheless, a large number of services with vulnerable or outdated software can be found on the Internet. In this work, we investigate whether industry-specific differences exist in the maintenance and use of outdated Internet-facing software. For this purpose, we combine results from Internet-wide port scans with product and version information as well as information of companies listed at stock markets in different countries. We show that different industries have more or less up-to-date software for different services like remote access tools, databases, webservers and file servers. With this approach, we discovered surprising amounts of outdated and even unsupported software in use across many industries and countries.

This is a preview of subscription content, access via your institution.


  1. California Legislative Information: Bill Information. In: Assembly Bill No. 1906. 2018, url: billTextClient.xhtml?bill%5C_id=201720180AB1906, Stand: 11.11.2021.

  2. Dahlmanns, M.; Lohmöller, J.; Fink, I.B.; Pennekamp, J.; Wehrle, K.; Henze, M.: Easing the Conscience with OPC UA: An Internet-Wide Study on Insecure Deployments. In: IMC ’20: Proceedings of the ACM Internet Measurement Conference. S. 101–110, 2020.

  3. Durumeric, Z.: Fast Internet-Wide Scanning: A New Security Perspective, Diss., University of Michigan, 2017.

  4. European Union Agency for Cybersecurity: enisa. In: NIS Directive. 2021, url:, Stand: 11.11.2021.

  5. IP Ranges API, 2021, url: ranges, Stand: 11.11.2021.

  6. Morishita, S.; Hoizumi, T.; Ueno, W.; Tanabe, R.; Gañán, C.; van Eeten, M.J.; Yoshioka, K.; Matsumoto, T.: Detect Me If You... Oh Wait. An Internet-Wide View of Self-Revealing Honeypots. In: 2019 IFIP/IEEE Symposium on Integrated Network and Service Management (IM). 2019.

  7. Müller, R.; Ruppert, J.; Will, K.; Wüsteney, L.; Heer, T.: HSES-Patchwatch Project Documentation, 2022, url: Stand: 19.01.2022.

  8. National Institute of Standards and Technology (NIST) – U.S. Department of Commerce: Common Platform Enumeration: Naming Specification Version 2.3, 2011, url: GOVPUB-C13-c213837a04c3bcc778ebfd420c6a3f2a/pdf/GOVPUB-C13c213837a04c3bcc778ebfd420c6a3f2a.pdf, Stand: 11.11.2021.

  9. Na, S.; Kim, T.; Kim, H.: Service Identification of Internet-Connected Devices Based on Common Platform Enumeration. In: Journal of Information Processing Systems. Bd. 14, S. 740–750, 2018.

    Google Scholar 

  10. North American Electric Reliability Corporation: NERC. In: CIP Standards. 2021, url: aspx, Stand: 11.11.2021.

  11. Office of the National Security Council: Thailand. In: National Cybersecurity Strategy 2017-2021. 2017, url: uploads/2018/08/strategyit60-64-1.pdf, Stand: 11.11.2021.

  12. pci Security Standards Council: pci. In: Document Library. 2021, url:, Stand: 11.11.2021.

  13. Wan, G.; Izhikevich, L.; Adrian, D.; Yoshioka, K.; Holz, R.; Rossow, C.; Durumeric, Z.: On the Origin of Scanning: The Impact of Location on Internet-Wide Scans. In: IMC ’20: Proceedings of the ACM Internet Measurement Conference. S. 662–679, 2020.

Download references

Author information

Authors and Affiliations


Corresponding author

Correspondence to Robin Müller.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Müller, R., Ruppert, J., Will, K. et al. Analyzing the Software Patch Discipline Across Different Industries and Countries. Datenschutz Datensich 46, 269–275 (2022).

Download citation

  • Published:

  • Issue Date:

  • DOI: