Take a look at this graph from the latest IBM ISS X-Force Labs malware report and guess what it shows:
We are all familiar with the explosion in malware and variants that fundamentally challenges our signature-based protection model (like endpoint antivirus). It has a growth trajectory much like the one above.
Nope, that’s not it (that’s another depressing chart and another discussion for another day on the futility of AV).
I believe this chart is worse. It doesn’t show attacks, it shows real, disclosed vulnerabilities in Web applications (most of which are commercial offerings). There’s more bad news in the report:
- In 2008, 54.9% of all disclosed vulnerabilities were Web application vulnerabilities, which were one of the primary factors in the overall growth of vulnerability disclosures during the year
- SQL injection attacks increased by 30x within the last six months
- 74% of Web application vulnerabilities disclosed in 2008 had no patch by year end
The OS platform isn’t as attractive a target as it once was. Why? Microsoft and the other OS vendors are getting better at producing more secure code and we are getting better at patching. More importantly, applications and information are a much more attractive target because (as bank robber Willie Sutton reportedly stated when asked why he robbed banks) “that’s where the money is”.
The bad guys are moving their attention up the stack. Applications and information are the next battleground. Most of us aren’t ready. Based on the data above, most of our software vendors aren’t ready either. It’s pretty simple. If we don’t proactively start efforts now to produce more secure applications and demand the same from our software providers, the bad guys will find the vulnerabilities for us.
If we continue with the status quo, we are toast.
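The report's SQL injection figure above points at a defect that is simple to fix at the code level. The following is an added example (not code from the post or from IBM ISS X-Force) showing the vulnerable pattern beside its parameterized form, against a constructed in-memory SQLite table; the table, rows and function names are assumptions for the illustration.

```python
import sqlite3

# Constructed sample data for the example (not from the report): a tiny users table.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("o'brien", "obrien@example.com"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The defect: user input is pasted into the SQL text, so the input
    can change the structure of the query rather than just its data."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """The fix: a parameterized query. The driver passes `name` as a bound
    value; whatever it contains, it is compared as data and never parsed as SQL."""
    return [row[0] for row in conn.execute("SELECT email FROM users WHERE name = ?", (name,))]


def demo() -> dict:
    """Run both lookups over a normal name, a legitimate name containing an
    apostrophe, and the textbook tautology input, and return what each produced."""
    conn = make_db()
    results = {}
    results["unsafe_ok"] = lookup_unsafe(conn, "alice")
    results["safe_ok"] = lookup_safe(conn, "alice")

    # A perfectly legitimate name breaks the concatenated query outright:
    # the apostrophe terminates the string literal and the rest is a syntax error.
    try:
        lookup_unsafe(conn, "o'brien")
        results["unsafe_apostrophe"] = "no error"
    except sqlite3.OperationalError:
        results["unsafe_apostrophe"] = "syntax error"
    results["safe_apostrophe"] = lookup_safe(conn, "o'brien")

    # The same structural weakness is what SQL injection exploits: with concatenation
    # the condition becomes `name = '' OR '1'='1'` and every row comes back, while the
    # parameterized query simply looks for a user literally named "' OR '1'='1".
    tautology = "' OR '1'='1"
    results["unsafe_tautology"] = len(lookup_unsafe(conn, tautology))
    results["safe_tautology"] = len(lookup_safe(conn, tautology))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The apostrophe case is worth keeping in front of developers: it shows that concatenation is a correctness bug before it is a security bug, and that the parameterized form fixes both with no change in behaviour for well-formed input. The same idea carries over to any driver that supports bound parameters; the SQLite placeholder syntax is the only SQLite-specific detail here.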
Category: Application Security Tags: Application Security, application security testing tools

Neil MacDonald
5 responses so far
1 Mandeep Khera March 19, 2009 at 10:09 pm
Neil
These findings were also confirmed in our app security trends report. We found that 80% of all vulnerabilities were related to Web applications. And we are finding that 80 to 90% of Web applications are vulnerable.
http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q3-Q4-2008.pdf
2 More, More and More » Blog Archive » Beware New Malware in Web Apps March 22, 2009 at 5:44 pm
[...] Are Toast.” So warns Gartner Blog Network member Neil MacDonald in a recent post about the current trend in malware. Rather than attacking operating systems, cybercrooks are [...]
3 Security Dark Ages March 25, 2009 at 11:38 am
[...] Gartner analyst Neil MacDonald blogs about the malware hordes here, and we aren’t finding a way to handle the growing .dat and IPS signature lists other than by [...]
4 Beware New Malware in Web Apps | Computer Security April 12, 2009 at 4:27 pm
[...] Are Toast.” So warns Gartner Blog Network member Neil MacDonald in a recent post about the current trend in malware. Rather than attacking operating systems, cybercrooks are [...]
5 The Open Internet’s Growing Security Problem — Part V in a Series « May 27, 2009 at 10:25 am
[...] Are Toast.” So warns Gartner Blog Network member Neil MacDonald in a recent post about the current trend in malware. Rather than attacking operating systems, cybercrooks are [...]