In a previous post, I discussed IBM’s latest X-Force malware report that showed a significant increase in disclosed web application vulnerabilities (one of those curves that is heading geometrically upwards).
Here’s a similarly sobering finding from the latest Symantec Internet Threat Report:
In 2008, 63 percent of identified vulnerabilities affected Web applications. This is an increase over 2007, when 59 percent of identified vulnerabilities affected Web applications.
It is clear attackers are moving up the stack to applications, to users and to the data they hold. The OS platform isn’t as attractive a target as it once was. Why? Microsoft and the other OS vendors are getting better at producing more secure code and we are getting better at patching. More importantly, applications and information are a much more attractive target because (as bank robber Willie Sutton reportedly stated when asked why he robbed banks) “that’s where the money is”.
We must start changing the way we build (and buy) applications.
Application security testing must become a mandatory part of our development processes and a mandatory part of our evaluation and procurement processes for externally developed applications.
Years ago, Ralph Nader forced changes in the automobile industry with his book titled “Unsafe at Any Speed: The Designed-In Dangers of the American Automobile”. From Wikipedia:
…is a book detailing resistance by car manufacturers to the introduction of safety features, like seat belts, and their general reluctance to spend money on improving safety.
Sound familiar? It’s time the IT industry was forced to grow up as well.