Gartner Blog Network


We Are Toast

by Neil MacDonald  |  March 16, 2009  |  5 Comments

Take a look at this graph from the latest malware report from IBM ISS X-Force labs and guess what it shows:

[image: graph from the IBM ISS X-Force report]

We are all familiar with the explosion in malware and variants that fundamentally challenges our signature-based protection model (like endpoint antivirus). It has a growth trajectory much like the one above.

Nope, that’s not it (that’s another depressing chart and another discussion for another day on the futility of AV).

I believe this chart is worse. It doesn’t show attacks, it shows real, disclosed vulnerabilities in Web applications (most of which are commercial offerings). There’s more bad news in the report:

  • In 2008, Web application vulnerabilities made up 54.9% of all disclosed vulnerabilities and were one of the primary factors in the overall growth of vulnerability disclosures during the year
  • SQL injection attacks increased by 30x within the last six months
  • 74% of Web application vulnerabilities disclosed in 2008 had no patch by year end

The OS platform isn’t as attractive a target as it once was. Why? Microsoft and the other OS vendors are getting better at producing more secure code and we are getting better at patching. More importantly, applications and information are a much more attractive target because (as bank robber Willie Sutton reportedly stated when asked why he robbed banks) “that’s where the money is”.

The bad guys are moving their attention up the stack. Applications and information are the next battleground. Most of us aren’t ready. Based on the data above, most of our software vendors aren’t ready either. It’s pretty simple. If we don’t proactively start efforts now to produce more secure applications and demand the same from our software providers, the bad guys will find the vulnerabilities for us.

If we continue with the status quo, we are toast.

Category: application-security  

Tags: application-security  application-security-testing-tools  


Thoughts on We Are Toast


  1. Neil

    These findings were also confirmed in our app security trends report. We found that 80% of all vulnerabilities related to Web applications. And we are finding that 80 to 90% of Web applications are vulnerable.

    http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q3-Q4-2008.pdf

  2. […] Are Toast.” So warns Gartner Blog Network member Neil MacDonald in a recent post about the current trend in malware. Rather than attacking operating systems, cybercrooks are […]

  3. […] Gartner analyst Neil MacDonald blogs about the malware hordes here, and we aren’t finding a way to handle the growing .dat and IPS signature lists other than by […]



