How often do sysadmins patch their systems?

Censys.io datasets provide a rich realm to analyze the Internet and find warts and pimples that normally one cannot see.  I recently pulled down the IPv4 dataset for March 2018 and wanted to see how often people patch their systems.  I focused on nginx – which is an open source HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server (Swiss army knife for geeks).  After Apache, nginx is the most popular web server on the Internet.

So it was interesting to observe that no one had migrated yet to 1.13 and most sites were staying with various versions of 1.12.  Some were staying with various 1.10 versions from as far back as May 2016.  My analysis of the data shows that people upgrade their system about once every 6 months and then leave it alone.  Another take-away is that sysadmins stay with the version they are familiar with.  Nginx mainline version is 1.13.  Previous legacy “trains” are 1.12, 1.10, 1.8 and 1.6.  Rather than upgrade to the 1.13 train, sysadmins are fairly conservative types and will just upgrade to the latest version in their “train”.    As more and more flavors are made available in a package like nginx (and the same holds true for all open source tools), with different feature sets and slightly different functionality, the sysadmin just stops upgrading and stays with the flavor they have grown accustomed to and just patches that “flavor” to the latest one available.

For those that wish to delve deeper into Censys, they have a quick “report builder” which allows one to build customized reports like the one linked here (80.http.get.headers.server).