SANS Institute Warns of Attack Shift
JamesAlfaro writes "SANS warned of the switch to attacks on applications and network devices in its annual publication of the Top 20 vulnerabilities on Tuesday. The annual SANS Top 20 highlights holes in software programs that are considered the most serious for security professionals. Microsoft shares the spotlight this year with Symantec Corp., Cisco Systems Inc., Oracle Corp. and others, after a year in which warnings about vulnerabilities in antivirus and computer backup software and the surprise publication of information on a hole in Cisco Systems' IOS (Internetwork Operating System) made headlines."
What about IE? Is it 'internet' or 'application'? I.e. (no pun intended), does it belong to the former or the latter group? You can hear of a new ActiveX or JavaScript vulnerability in IE every month. And holes in Oracle are old news too. So, I don't see the 'big shift'. I expect some shift towards Firefox exploits though (contrary to belief, it crashes too), as soon as it reaches a critical mass of users so it is 'worth bothering with'.
From the article: "You could be the most secure operation in the world, but if you have applications that were developed using bad coding practices, you're open to exposure," said Braunstein.
While this is true, it is also possible that software developed with good coding practices can still have vulnerabilities -- because some things you just can't predict or determine. All you need to do is overlook one itty bitty thing and it becomes a weak link, but I still wouldn't call it "bad coding practices".
I kind of see this ongoing "reporting" on internet security much like the Global Warming issue. There's lots of coverage, lots of angst, but it doesn't seem to generate any or enough action to proactively prevent eventual disaster (not making any endorsement or criticism about the Global Warming debate, btw).
There isn't a day that goes by where there isn't yet another major publication with yet another major story about yet another major security glitch with yet another major application from yet another major vendor. Frustrating.
In comparison and contrast to the GW issue, however, I think it's empirically clear the threat is real and eventually there will be (but I hope not) some catastrophic event with the internet. Yet the IT world strolls along day to day, without much really actively happening to prevent serious down-the-road problems. I attribute that partially to:
No solutions here -- keep nudging clients, friends, consumers to try alternative potentially "better" IT solutions, maybe it WILL get better before a major catastrophe... sigh.
SANS Top 20, November 22, 2005, is here.
This is the first year that they are pulling out specifically application and network devices/software. However, to anyone who reads Bugtraq, Full Disclosure, or VulnWatch, this is incredibly old news.
I suspect that the new attention is partly due to marketing and partly due to better tracking facilities by ISC.
No, that must be profitable.