Tuesday, December 30th, 2008
Jeremiah Grossman, our number one Web security chap, has some interesting words as we jump into 2009:
It’s unanimous. Web application security is the #1 avenue of attack according to basically every industry data security report available (IBM, Websense, Sophos, MessageLabs, Cisco, APWG, MITRE, Symantec, Trend Micro, SecureWorks, ScanSafe, IC3). This is in addition to reports specifically focusing on custom Web application vulnerabilities (WhiteHat Security, WASC, Acunetix). SQL Injection and Cross-Site Scripting are routinely cited as the biggest issues, the ones we can’t apply patches to defend against. Perhaps what we’ve learned in 2008, as pointed out by Gunnar Peterson and Gary McGraw, is we’re spending on the wrong problem. Roughly $150MM in software security products & services versus the lopsided billions annually on network security. 2009 will give us another opportunity to make a difference.
From the mountain of statistics available I’ve saved several interesting quotes to reference in 2009.
He goes on to use quotes from various sources to tell the tale. It appears that most of the attacks are there to put something on your machine, with business models where the malware doesn’t need to pop up and try to sell you something, but rather just uses your CPU as part of a botnet. The fight will continue in 2009!
Posted by Dion Almaer at 5:18 am