According to a study done by the Computer Security Institute and the FBI,
- 97% of interviewed companies and administrations were using antivirus
- 98% have a network firewall
- Yet, 15% have reported suffering from network intrusions
Almost every business and government is going to have ports 80/443 through their firewall, so that is where the bad guys are attacking us. We need to change the focus of our thinking from Network & Operating System Security to Application Security. Attackers are still using Buffer Overflows, SQL Injection and Cross Site Scripting attacks successfully and how many years have we known about these types of attacks as in IT, yet we still seem defenseless against them.
In just about every IT security conference I speak, most of the IT people in the room cannot explain what XSS or SQL Injection attack is or how to prevent such an attack. We tend to think that since we have up-to-date antivirus, perimeter network firewalls, IDS and patched servers that we are fairly safe, and that's simply not true especially if our applications are not secure. Our own applications if not coded securely nor published with a secure application firewall such as Microsoft Intelligent Application Gateway to protect the applications; the apps themselves become the portals into our internal data and the technology albatross around our necks as it were that give the bad guys money in their pockets and our agencies front page stories in the newspapers.
This week SAFECode.org released an excellent application security guide entitled "Fundamental Practices for Secure Software Development" which includes updated information from Michael Howard, a simple security guy from Microsoft and 15 other co-authors on how to write applications securely. This is an excellent security guide not just for developers, but also for IT Management to review and understand at least the basic concepts to enable and empower our developers with the security training and tools needed to ensure that our applications are strategic assets for our businesses and governments. Developers are usually great at what they code, but many do not necessarily understand security unless it's been part of their training curriculum or job functions, so IT as a whole needs to ensure we have security awareness, training, and tools for testing security for our developers as we do for our network engineers and firewall administrators.
The guide covers many aspects of Application Development that I did not address in my previous post Secure Applications - The Microsoft Way and is so well written and comprehensive, that I will not blog in detail on its contents here, but will instead encourage you to download it and read it for yourself and make sure you make this part of your security library: Fundamental Practices for Secure Software Development.
Great Job SAFECode!!!