Here are some scary numbers from the latest Symantec Internet Security Threat Report (Trends for July-December 2006, published in March 2007):

  • Symantec documented 2,526 vulnerabilities, 73 percent of which the company classified as high or medium severity.
  • 66 percent of the vulnerabilities affected Web applications.
  • 79 percent of the vulnerabilities were considered to be easily exploitable.
  • 77 percent of the easily exploitable vulnerabilities affected Web applications; 7 percent affected servers.
  • 94 percent of the easily exploitable vulnerabilities were remotely exploitable.

The Symantec data also showed that 56 percent of exploit code was released less than a week after a vulnerability was published, but enterprise vendors took an average of 47 days to release patches for vulnerabilities. You can read the Internet Security Threat Report at http://www.symantec.com/threatreport.

Why are there so many bugs in application code? Michael Sutton, security evangelist at SPI Dynamics, recently told me, "We've never asked programmers to develop secure code—we've asked them for features and to deliver code on time. Now we're changing that, and it's a tall order." SPI Dynamics is working with The SANS Institute on a recently announced SANS initiative to develop secure coding assessment and certification exams that developers can take to gain Global Information Assurance Certification (GIAC) Secure Software Professional (GSSP) status or simply to find out where they might have holes in their knowledge or skills.

The four exams cover C/C++, Java/Java 2 Enterprise Edition (J2EE), Perl/PHP, and .NET/Active Server Pages (ASP) and are designed to measure a programmer's expertise in finding and correcting problems in code that could lead to security vulnerabilities. Developers will be able to take the exams in a proctored setting (typically at a university or community college) to receive the GSSP designation or online to test their skills unofficially. Large companies such as Symantec, Juniper Networks, Siemens, and Tata Consultancy Services have helped devise the tests and will use them to train and test their developers. You can find out more about the exams at http://www.sans-ssi.org/.

With these large companies and their teams of programmers on board to learn secure-programming practices, we can hope that we'll soon see a new era of more secure applications. But that doesn't mean vigilance isn't still in order for security administrators. Patching applications and hardening servers will probably always be on your list of things to do. To help you identify and fix potential problems with PHP in particular, check out these recent Security UPDATE email newsletter columns, which point to resources for securing PHP:

  • "Suhosin: A Guardian Angel for PHP"
  • "A Month of PHP Bugs"
  • "Secure PHP Configuration"
  • "More Help Securing PHP Installations"