The SysAdmin, Audit, Network, Security (SANS) organization provides the best security training, and those associated with the group help security practitioners collaborate on defensive strategies. The SANS report corroborated the Veracode report, stating that web applications accounted for over 80% of all vulnerabilities. SANS also noted that application vulnerabilities now outnumber vulnerabilities discovered in operating systems. The report included a graph showing how the Microsoft Server Service buffer overflow (MS08-067) accounted for a large share of attacks. It also showed a graph of how Apple vulnerabilities are expanding, with QuickTime being the most targeted application. The report confirmed that the US is both the target and the source of many HTTP and SQL injection attacks, and it showed how many organizations are failing to apply Microsoft OS patches even 60 days after a patch becomes available.
Conclusions
As a technology becomes more popular, the threats against it increase because it gains the attention of attackers. This is true for social networking, PDFs/Flash, Macs, and virtualization, and it might someday be true of IPv6; as a technology becomes more popular, its value as a target increases. In 2010 we should watch out for attacks against mobile devices such as smartphones and against netbook operating systems.
Hopefully the organizations publishing these valuable reports can help turn the tide and help security practitioners collaborate and share ideas. It is clear that the attackers are collaborating. Reading the current wave of annual security reports will help you and your organization see where current threats are emanating from and how to create a strategy to protect yourself in 2010.
Scott