SANS Report Says Organizations Focusing On the Wrong Security Threats

yahoi writes "Companies around the world are leaving themselves wide open to Web- and client-side attacks, according to a new report released today by the SANS Institute that includes real attack data gathered from multiple sources. SANS found that most organizations are focusing their patching efforts and vulnerability scanning on the operating system, but they're missing the boat: 60 percent of the total number of attacks occur on Web applications, and many attacks are aimed at third-party applications such as Microsoft Office, and Adobe Flash and other tools. Exacerbating the problem, they're taking twice as long to patch Microsoft Office and other applications than to patch their operating systems."

OpenBSD vs Linux

[chill]

I had this discussion -- and yes, it was civil -- on deadly.org a while ago. Pointing out that web servers were like the circus coming to town. Setting up Linux was like using strong wooden poles to hold the tent, and using OpenBSD was like using steel poles.

Neither really mattered because people who wanted to cause trouble would simply be slitting the fabric (the apps) or cutting the ropes. Thus, a lot of the nit picky little stuff that OpenBSD fanboys focus on vs Linux doesn't really matter. The issue isn't Linux or OpenBSD or Windows, it is now mostly .ASP, .PHP and other homebrew web code where people didn't sanitize input, do bounds checking, etc.

Re:The problem is in job responsibility

[PlusFiveTroll]

For commonly used applications that make the CSV lists I find the Personal Software Inspector an excellent tool.

http://secunia.com/vulnerability_scanning/personal/

Amazing how many userland applications out there have some kind of exploit against them : /