Software Applications, the targets of vulnerabilities


I was just reading Soma’s blog post How vulnerable are software applications? and it really makes you think about how and what you create as an application designer.  According to a 2005 FBI survey, U.S. businesses lost $67.2 billion to cyber crime; the estimate for 2006 was $49.3 billion.

While these numbers are staggering in themselves, our June 2007 Microsoft Security Intelligence Report shows that less than 10% of the vulnerabilities it covers were in the operating system.  All the others were in the application layer.

I would strongly suggest you read through Soma’s post, as there are some very valuable pieces of information in it, including what Microsoft is doing to fight this with our Microsoft SDL (Security Development Lifecycle).

The best thing you can do right now is educate yourself as well as you can about what you can do in your organization to help fight cyber crime.

There are some great tools online other than the SDL.  Here are a few that I have found useful:


Comments (5)

  1. You’ve been kicked (a good thing) – Trackback from DotNetKicks.com

  2. Chris says:

    Perfect, exactly what I needed.

  3. Francois says:

    I work as a .NET developer and architect consultant, and I definitely do know a thing or two about security, at least when using a Microsoft-based environment (though I’m not clueless about the Unix world either), and one thing that strikes me the most is that, among all of the companies I worked for (and that is a lot in the current decade), NONE (zip, zero, nada) took security seriously.

    Some of them made software for -banks-!!! (not in the most critical sectors mind you, but still), some developed ERP systems that managed EVERYTHING in the company (from order entries to book keeping, going by HR and pay systems), -many- had sensitive information posted on the net (like their -entire- sales history, every single item ever sold, to whom, how, by whom, for what price… and the only security was a simple plain-text password of fewer than 6 characters, no SSL, nothing).

    No matter what I’d do to convince any of them, I’d get answers such as “BAH! It’s an internal application…no one from the inside is going to try to hack it!” (Yeah, with 55,000 employees, not a SINGLE one of them will be a bad guy, right? RIGHT?).

    Often, security would end up being flagged as a requirement after a lot of effort on my part to convince upper management… until user comfort gets thrown into the mix: “You don’t expect me to have to remember a password that has a mix of letters and digits, do you?” (coming from the big boss…so everything goes down the drain).

    Simply put, I don’t have any data, but I’d be guessing that the vast amount of hacking being done isn’t gonna be targeting big well known software from the outside… it will come from the inside, target internal homebrewed apps, and is being done by the same person you were teaching how to use a mouse last week. Corporate culture simply makes it too easy… the awareness is just not there.

    That’s my view of it at least… I’d be interested in knowing if my experience is the norm, or the exception…

  4. tomchris says:

    Francois,

    Thanks for the comment and I look forward to hearing from others.  Hopefully things are starting to get better and this isn’t the norm.