Not Enough Attention to Application Security
The application layer is often a more attractive target for attackers than lower levels of the app stack. Poorly coded apps make it easier to attack and it's easier to get to the data you want than going after other points of attack. SQL and HTML/scripting injection attacks can yield a large payoff for the effort. Best of all for attackers, it doesn't look like we're in a very good position to counter the problem.
William Jackson in Application Development Trends points out the dim outlook on application security:
A recent study of 200 businesses by Forrester commissioned by Veracode Inc. found that 62 percent had experienced a security breach in the last year because of vulnerabilities in critical software applications. Despite the size of the security hole this represents, only 13 percent of respondents said they knew the security quality of their critical applications, and only 34 percent had a comprehensive software development life cycle process integrating application security.
The Forrester results are in line with SANS work on the Top 25 Most Dangerous Programming Errors:
Shockingly, most of these errors are not well understood by programmers; their avoidance is not widely taught by computer science programs; and their presence is frequently not tested by organizations developing software for sale.
Application vulnerability scanning tools need to be used by more importantly we need to understand the nature of these vulnerabilities and incorporate procedures in our software development and maintenance methodologies for addressing them. This is less of a technical problem and more of an organizational problem.
Email This!
Digg it!
Sphere it!
Del.icio.us
Reddit!
Newsvine
