Thursday, April 24, 2008

Too Common

The recent mass exploitation of web sites via a blind SQL injection attack (http://blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx, http://isc.sans.org/diary.html?storyid=4294) is disturbing precisely because it is no longer remarkable. The number of sites presenting themselves as targets through vulnerabilities we have known about for years is astounding. Buffer overflows, format string attacks, cross-site scripting and SQL injection are all things that could be prevented with secure coding practices. It makes one wonder how much of the many billions spent on network security each year could be returned to the business, or at least spent taking the security posture to the next level. That might happen if businesses were ever to enforce secure coding practices aggressively and make them not merely a priority but a mandate. Far too much of network security spending goes toward detecting, preventing or cleaning up after attacks that would no longer be a major issue if security were applied consistently at the application development level.
