Secure Coding mailing list archives
Vulnerability tallies surged in 2006 | The Register
From: list-procurare at secureconsulting.net (Benjamin Tomhave)
Date: Mon, 22 Jan 2007 20:47:10 -0500
This is completely unsurprising. Apparently nobody told the agile dev community that they still need to follow all the secure coding practices preached at the traditional dev folks for eons. XSS, redirects, and SQL injection attacks are not revolutionary, are not all that interesting, and are so common-place that it makes one wonder where these developers have been the last 5-10 years.

Solution to date: throw out traditional design review, move to agile security testing. Why? Because there seems rarely to be a design to review, and certainly no time to do it in. Overall, it's important that agile apps be built on an underlying publishing framework so that inherited vulns can be found and fixed across the board by focusing on a single platform.

Next challenge: new year, new technology fads. Web 2.0 is another code word for "that's so last year". Time to play catch-up, and January isn't over yet! *sigh*

Oh, and speaking of Web 2.0, who's protecting the customer and their data? Better yet, who owns which data? With mashups being the buzz word du jour, you may think your data is on SiteA, when in fact it's spread across SiteB, SiteC, and SiteD. Wheee.

One bit of good news: agile dev has often meant, in my experience, rapid resolution of discovered vulns. Since you don't have the full SDLC (or comparable) process to follow, or even a formalized patch mgmt process, it's often just a matter of finding bugs (through targeted "hyper-testing" - think flash-bang), sending them to the devies, waiting 10-30 minutes, and watching the vuln disappear like magic. Am curious how change mgmt works on that, though... ;)

cheers,

-ben

---
Benjamin Tomhave, CISSP, NSA-IAM, NSA-IEM
falcon at secureconsulting.net
Web: http://falcon.secureconsulting.net/
LI: http://www.linkedin.com/pub/0/622/964
Blog: http://www.secureconsulting.net/

"We must scrupulously guard the civil rights and civil liberties of all citizens, whatever their background. We must remember that any oppression, any injustice, any hatred is a wedge designed to attack our civilization." -President Franklin Delano Roosevelt

_____

From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org] On Behalf Of Kenneth Van Wyk
Sent: Monday, January 22, 2007 1:24 PM
To: Secure Coding
Subject: [SC-L] Vulnerability tallies surged in 2006 | The Register

FYI, CERT/CC reported 8064 software vulnerabilities in 2006, for a 35% increase over 2005. See http://www.theregister.co.uk/2007/01/21/2006_vulns_tally/

The article further states, "The greatest factor in the skyrocketing number of vulnerabilities is that certain types of flaws in community and commercial Web applications have become much easier to find, said Art Manion, vulnerability team lead for the CERT Coordination Center. 'The best we can figure, most of the growth is due to fairly easy-to-discover vulnerabilities in Web applications,' Manion said. 'They are easy to find, easy to create, and easy to deploy.'"

Cheers,

Ken

-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com
Current thread:
- Vulnerability tallies surged in 2006 | The Register Kenneth Van Wyk (Jan 22)
- Vulnerability tallies surged in 2006 | The Register Benjamin Tomhave (Jan 22)
- Vulnerability tallies surged in 2006 | The Register Wall, Kevin (Jan 22)
- Vulnerability tallies surged in 2006 | The Register pete werner (Jan 23)
- Vulnerability tallies surged in 2006 | The Register Dinis Cruz (Jan 24)
- Vulnerability tallies surged in 2006 | The Register Benjamin Tomhave (Jan 22)