Slashdot Mirror


SANS Institute Warns of Attack Shift

JamesAlfaro writes "SANS warned of the switch to attacks on applications and network devices in its annual publication of the Top 20 vulnerabilities on Tuesday. The annual SANS Top 20 highlights holes in software programs that are considered the most serious for security professionals. Microsoft shares the spotlight this year with Symantec Corp., Cisco Systems Inc., Oracle Corp. and others, after a year in which warnings about vulnerabilities in antivirus and computer backup software and the surprise publication of information on a hole in Cisco Systems' IOS (Internetwork Operating System) made headlines."


  1. Interesting article, but... by someone1234 · Score: 4, Insightful

    What about IE? Is it 'internet' or 'application'? I.e. (no pun intended), does it belong to the former or the latter group? You can hear of a new ActiveX or Javascript vulnerability in IE every month. And holes in Oracle are old news too. So, I don't see the 'big shift'. I expect some shift towards Firefox exploits though (contrary to belief, it crashes too), as soon as it reaches a critical mass of users so that it is 'worth bothering with'.

    --
    Patents Drive Free Software as Hurricanes Drive Construction Industry
  2. Coding practices by Dekortage · Score: 4, Insightful

    From the article: "You could be the most secure operation in the world, but if you have applications that were developed using bad coding practices, you're open to exposure," said Braunstein.

    While this is true, it is also possible that software developed with good coding practices can still have vulnerabilities -- because some things you just can't predict or determine. All you need to do is overlook one itty bitty thing and it becomes a weak link, but I still wouldn't call it "bad coding practices".

    --
    $nice = $webHosting + $domainNames + $sslCerts
  3. Get the actual report here by hal9000(jr) · Score: 4, Insightful

    SANS Top 20, November 22, 2005 is here.

    This is the first year that they are pulling out specifically application and network devices/software. However, to anyone who reads Bugtraq, Full Disclosure, or VulnWatch, this is incredibly old news.

    I suspect that the new attention is partly due to marketing and partly due to better tracking facilities by ISC.

  4. Re:Symantec by someone1234 · Score: 4, Insightful

    That must be embarrassing for a company that sells security products themselves.

    No, that must be profitable.

    --
    Patents Drive Free Software as Hurricanes Drive Construction Industry