Take a look at this graph from the latest IBM ISS X-Force report and guess what it shows:
We are all familiar with the explosion in malware and variants that fundamentally challenges our signature-based protection model (like endpoint antivirus). It has a growth trajectory much like the one above.
Nope, that’s not it (that’s another depressing chart and another discussion for another day on the futility of AV).
I believe this chart is worse. It doesn’t show attacks; it shows real, disclosed vulnerabilities in Web applications (most of them commercial products). There’s more bad news in the report:
- In 2008, 54.9% of all disclosed vulnerabilities were Web application vulnerabilities, and they were one of the primary drivers of the overall growth in vulnerability disclosures during the year
- SQL injection attacks increased 30-fold over the last six months
- 74% of the Web application vulnerabilities disclosed in 2008 still had no patch by year end
The OS platform isn’t as attractive a target as it once was. Why? Microsoft and the other OS vendors are getting better at producing more secure code and we are getting better at patching. More importantly, applications and information are a much more attractive target because (as bank robber Willie Sutton reportedly stated when asked why he robbed banks) “that’s where the money is”.
The bad guys are moving their attention up the stack. Applications and information are the next battleground. Most of us aren’t ready. Based on the data above, most of our software vendors aren’t ready either. It’s pretty simple. If we don’t proactively start efforts now to produce more secure applications and demand the same from our software providers, the bad guys will find the vulnerabilities for us.
If we continue with the status quo, we are toast.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.