Secure Coding mailing list archives

Vulnerability tallies surged in 2006 | The Register


From: list-procurare at secureconsulting.net (Benjamin Tomhave)
Date: Mon, 22 Jan 2007 20:47:10 -0500

This is completely unsurprising.  Apparently nobody told the agile dev
community that they still need to follow all the secure coding practices
preached at the traditional dev folks for eons.  XSS, redirects, and SQL
injection attacks are not revolutionary, are not all that interesting, and
are so common-place that it makes one wonder where these developers have
been the last 5-10 years.
 
Solution to date: throw out traditional design review, move to agile
security testing.  Why?  Because there seems rarely to be a design to
review, and certainly no time to do it in.  Overall, it's important that
agile apps be built on an underlying publishing framework so that inherited
vulns can be found and fixed across the board by focusing on a single
platform.
 
Next challenge: new year, new technology fads.  Web 2.0 is another code word
for "that's so last year".  Time to play catch-up, and January isn't over
yet! *sigh*  Oh, and speaking of Web 2.0, who's protecting the customer and
their data?  Better yet, who owns which data?  With mashups being the buzz
word du jour, you may think your data is on SiteA, when in fact it's spread
across SiteB, SiteC, and SiteD.  Wheee.
 
One bit of good news: agile dev has often meant, in my experience, rapid
resolution of discovered vulns.  Since you don't have the full SDLC (or
comparable) process to follow, or even a formalized patch mgmt process, it's
often just a matter of finding bugs (through targeted "hyper-testing" -
think flash-bang), sending them to the devies, waiting 10-30 minutes, and
watching the vuln disappear like magic.  Am curious how change mgmt works on
that, though... ;)
 
cheers,
 
-ben

---
Benjamin Tomhave, CISSP, NSA-IAM, NSA-IEM
falcon at secureconsulting.net
Web: http://falcon.secureconsulting.net/
LI: http://www.linkedin.com/pub/0/622/964
Blog: http://www.secureconsulting.net/

"We must scrupulously guard the civil rights and civil liberties of all
citizens, whatever their background. We must remember that any oppression,
any injustice, any hatred is a wedge designed to attack our civilization."
-President Franklin Delano Roosevelt


 


  _____  

From: sc-l-bounces at securecoding.org [mailto:sc-l-bounces at securecoding.org]
On Behalf Of Kenneth Van Wyk
Sent: Monday, January 22, 2007 1:24 PM
To: Secure Coding
Subject: [SC-L] Vulnerability tallies surged in 2006 | The Register


FYI, CERT/CC reported 8064 software vulnerabilities in 2006, for a 35%
increase over 2005.

See http://www.theregister.co.uk/2007/01/21/2006_vulns_tally/ 

The article further states, "The greatest factor in the skyrocketing number
of vulnerabilities is that certain types of flaws in community and
commercial Web applications have become much easier to find, said Art
Manion, vulnerability team lead for the CERT Coordination Center. 

'The best we can figure, most of the growth is due to fairly
easy-to-discover vulnerabilities in Web applications,' Manion said. 'They
are easy to find, easy to create, and easy to deploy.'"

Cheers,

Ken

-----
Kenneth R. van Wyk
SC-L Moderator
KRvW Associates, LLC
http://www.KRvW.com





-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://krvw.com/pipermail/sc-l/attachments/20070122/ee5be3b6/attachment-0001.html 
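The thread above turns on two points: the bulk of the 2006 growth came from easy-to-find Web application bugs such as XSS and SQL injection, and (in Ben's view) the practical answer is to build agile apps on a single shared framework so an inherited vuln is fixed once for every page. The following is an added example, not code from either message or from any product the posters mention: a toy "platform" layer in Python whose two chokepoints (parameterized queries, HTML-escaped rendering) contrast with per-page hand-rolled code. The class and function names, the in-memory SQLite table and the two payloads are all constructed for illustration.

```python
"""Added example (not from the SC-L thread): a minimal shared "platform"
layer that centralizes SQL parameterization and HTML output encoding so an
injection fix lands once, for every page built on it. All names here
(AppPlatform, find_user_*, greet_*) are hypothetical."""
import html
import sqlite3


def make_db():
    """Constructed sample data: two users in an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# --- the per-page, hand-rolled way: each page builds its own SQL and markup ---
def find_user_unsafe(conn, name):
    # String-built SQL: the classic injection pattern the article counts.
    return conn.execute(
        f"SELECT name FROM users WHERE name = '{name}'").fetchall()


def greet_unsafe(name):
    # Untrusted input dropped straight into HTML: reflected XSS.
    return f"<p>Hello, {name}</p>"


# --- the platform way: every page goes through one query and one render path ---
class AppPlatform:
    def __init__(self, conn):
        self.conn = conn

    def query(self, sql, params=()):
        # Placeholders only; the driver handles quoting, so no page ever
        # concatenates input into SQL. Fixing a bug here fixes every caller.
        return self.conn.execute(sql, params).fetchall()

    def render(self, template, **ctx):
        # Every substituted value is HTML-escaped before it reaches the template,
        # so a page author cannot forget to encode.
        safe = {k: html.escape(str(v), quote=True) for k, v in ctx.items()}
        return template.format(**safe)


def find_user_safe(platform, name):
    return platform.query("SELECT name FROM users WHERE name = ?", (name,))


def greet_safe(platform, name):
    return platform.render("<p>Hello, {name}</p>", name=name)


def demo():
    """Run both paths against the same constructed payloads and return results."""
    conn = make_db()
    platform = AppPlatform(conn)
    payload_sql = "x' OR '1'='1"            # constructed SQL injection payload
    payload_html = "<script>alert(1)</script>"  # constructed XSS payload
    return {
        "unsafe_rows": len(find_user_unsafe(conn, payload_sql)),  # 2: whole table
        "safe_rows": len(find_user_safe(platform, payload_sql)),  # 0: literal match only
        "unsafe_html": greet_unsafe(payload_html),
        "safe_html": greet_safe(platform, payload_html),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The point of the design is not the escaping itself, which is trivial, but where it lives: with the query and render paths owned by the platform, a scan that finds one injection can be answered by one patch, which is the "fix across the board" Ben describes. It also gives a security tester a single place to look, which is what makes his 10-30 minute turnaround plausible.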

