Perspective: The Need for Secure Applications
Here are some scary numbers from the latest Symantec Internet Security Threat Report (Trends for July-December 2006, published in March 2007):
- Symantec documented 2,526 vulnerabilities, 73 percent of which the company classified as high or medium severity.
- 66 percent of the vulnerabilities affected Web applications.
- 79 percent of the vulnerabilities were considered to be easily exploitable.
- 77 percent of the easily exploitable vulnerabilities affected Web applications; 7 percent affected servers.
- 94 percent of the easily exploitable vulnerabilities were remotely exploitable.
The Symantec data also showed that 56 percent of exploit code was released less than a week after a vulnerability was published, but enterprise vendors took an average of 47 days to release patches for vulnerabilities. You can read the Internet Security Threat Report at http://www.symantec.com/threatreport.
Why are there so many bugs in application code? Michael Sutton, security evangelist at SPI Dynamics, recently told me, "We've never asked programmers to develop secure code—we've asked them for features and to deliver code on time. Now we're changing that, and it's a tall order." SPI Dynamics is working with The SANS Institute on a recently announced SANS initiative to develop secure coding assessment and certification exams that developers can take to gain Global Information Assurance Certification (GIAC) Secure Software Professional (GSSP) status or simply to find out where they might have holes in their knowledge or skills.
The four exams cover C/C++, Java/Java 2 Enterprise Edition (J2EE), Perl/PHP, and .NET/Active Server Pages (ASP) and are designed to measure a programmer's expertise in finding and correcting problems in code that could lead to security vulnerabilities. Developers will be able to take the exams in a proctored setting (typically at a university or community college) to receive the GSSP designation or online to test their skills unofficially. Large companies such as Symantec, Juniper Networks, Siemens, and Tata Consultancy Services have helped devise the tests and will use them to train and test their developers. You can find out more about the exams at http://www.sans-ssi.org/.
With these large companies and their teams of programmers on board to learn secure-programming practices, we can hope that we'll soon see a new era of more secure applications. But that doesn't mean vigilance isn't still in order for security administrators. Patching applications and hardening servers will probably always be on your list of things to do. To help you identify and fix potential problems with PHP in particular, check out these recent Security UPDATE email newsletter columns, which point to resources for securing PHP:
—Renee Munshi, Security Pro VIP Editor
Microsoft Launches Forefront Client Security
Yesterday, Microsoft announced the release to manufacturing of its antivirus and antispyware solution for desktops, laptops, and server systems. The company says Forefront Client Security will be available for purchase July 1.
Forefront Client Security, which includes an agent component and a management console, uses the same anti-malware technology (scanning engine and malware definition updates) as Windows Live OneCare and Windows Defender. This technology is supplied by the Microsoft Malware Protection Center, a new Microsoft group responsible for researching and responding to emerging threats. As I write this, the Malware Protection Center Web site doesn't seem quite operational, but the beta version might be working by the time you read this. You can check it out at http://www.microsoft.com/security/portal.
Forefront Client Security is available on a subscription basis and is priced starting at $1.06 per month for the security agent and $205.66 per month for the management console.
For more information about Forefront Client Security on our Web site, go to:
"Microsoft Security Comes to the Forefront" (brief introductory article)
"The Inside Story on Forefront Vista and XP Security" (podcast interview with Josue Fontanez, Microsoft senior product manager)
"Forefront Client Security" (detailed article about the public beta—you'll need to be a Windows IT Pro subscriber to read this one)
April 2007 Articles in Print-Friendly Format
If you're someone who prefers your newsletters in printed form, check out this .zip file. It contains all the security articles (in .pdf format) and code posted on the Security Pro VIP Web site in April. Print and enjoy!
Coming this Month
"Enterprise Event Logging for SMBs" by John Howie
These event log collection and management tools might have been designed as enterprise solutions, but SMBs with extensive logging needs will want to explore these products.
This article is now live on the Web.
"Vista's ActiveX Installer" by Russell Smith
Used in conjunction with Group Policy, this new service gives you authority over which ActiveX controls least-privileged users can install.
Coming May 10.
Toolbox: "Icacls" by Jeff Fellinge
Icacls is the new and improved version of the Cacls tool. Use this command-line tool to audit, modify, save, and restore file permissions.
Coming May 17.
Randy Franklin Smith answers your Windows security questions.
Coming May 24.
Reader to Reader: "Tips to Secure Your Backup Tapes" by Gregory W. Smith
As part of your disaster-recovery plan, you regularly perform full backups of your data and store the backups offsite. Here are some tips to make sure those backups are as secure as possible.
Coming May 24.
New on the Security Pro VIP Forum
New in Remote Desktop Connection 6.0, you can span a session across two computer screens. Learn how in this tip on the Security Pro VIP forum. This forum is your place to ask questions about security topics and about articles posted on the Security Pro VIP Web site and to get answers from other forum members, including Orin Thomas, forum moderator, and article authors. Let's talk!
Share Your Security Tips and Get $100
Share your security-related tips, comments, or problems and solutions in Security Pro VIP's Reader to Reader column. Email your contributions to email@example.com. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.