In the business world, the general wisdom is to work smarter, not harder. Unfortunately, many IT security managers aren’t taking that advice these days. They continue to chase vulnerabilities and put out fires without really addressing the root of their problems—namely, insecure software.
Many managers blame software vendors for these issues, but the fact is that major vendors such as Microsoft and Oracle are seeing a decrease in the number and seriousness of vulnerabilities in their software. However, the number of overall application vulnerabilities and attacks worldwide continues to multiply.
How is that possible? As operating system vendors have eliminated many of their security problems, most hackers have figured out that enterprises don’t specialize in writing secure applications. So they’ve started to pound away at the application layer, including home-grown Web apps.
“We’re seeing hackers trend away from compromising Windows and moving to lower-hanging fruit,” says Michael Howard, principal security program manager at Microsoft and author of The Security Development Lifecycle and Writing Secure Code. “Unfortunately, there’s plenty of that.”
IBM Internet Security Systems X-Force’s 2008 Mid-Year Trend Statistics report illustrates this. X-Force researchers found that Web application vulnerabilities made up 51 percent of all reported vulnerabilities this year. “Over the past few years, the focus of endpoint exploitation has dramatically shifted from the operating system to the Web browser and multimedia applications,” the report stated.
Many security insiders believe that the only way organizations will be able to effectively meet the onslaught of attacks against Web and other home-spun applications is to bake security in from the get-go: implementing secure coding practices from the ground up.
This past June, the Web Application Security Consortium reported that after assessing a whopping 32,000 commercial Web sites, it found nearly 97 percent had a severe vulnerability. Many security experts believe that this problem is the result of a rampant lack of education in the typical IT department’s developer ranks.
“We have 17 million programmers in the world, and I doubt 1 percent of them have had any kind of formal or informal education in secure software development,” says Jeremiah Grossman, CTO and founder of WhiteHat Security. “There is a whole mess of code being generated every day by those who don’t know how to write securely.”
Even at the university level, computer science students are earning diplomas without ever having learned about programming with security in mind, according to Microsoft’s Howard. “I think that’s a travesty,” he says. “I see very few schools adopting what I would consider basic programming skills. There is nothing that makes security special, and yet for some reason, it is treated as this special thing. In reality, it is just part of shipping software.”