Right now about 85 percent of all legitimate Web sites are compromised by malware in some form or another. Yet when it comes to making these sites and their applications more secure, we do almost nothing. Instead, we spend billions, if not trillions, of dollars on making our infrastructure more secure in order to protect ourselves from all the malware on the Web.
Perhaps the time has come to focus on treating the actual disease, rather than continuing to spend a fortune on trying to relieve the symptoms. In the case of security, that would mean concentrating on making our Web sites and the applications that run on them more secure so they could not be compromised in the first place.
According to IBM's X-Force security research team, half of all vulnerabilities identified had something to do with Web applications. And attacks on those vulnerabilities continue to grow. For example, SQL injection attacks rose 50 percent in the first quarter of 2009 compared with the fourth quarter of 2008, and then doubled again in the second quarter. IBM also said it has seen a 508 percent increase in the hosting of malicious Web links.
IBM's research also shows that about half the attacks are simply aimed at gaining access to systems. But 14.52 percent of the attacks are aimed at manipulating data, while 8.47 percent are after specific information. So in addition to the cost of security infrastructure, any IT organization that is eventually compromised can also expect to incur millions of dollars in potential costs associated with a data breach.
There are a number of commercial and open source application scanning tools that help Web developers identify vulnerabilities. The problem is that most Web developers don't use them. And the people who run the Web sites know that it will cost them a small fortune to go back and fix all the vulnerabilities in their existing applications.
More importantly, they also know that there are no financial penalties for deploying Web applications that are easily compromised. And therein lies the problem. We can do little to dissuade people who want to attack our Web applications, but we don't have to make it so easy for them to do it, either.
Developers need to be held to a certain security standard before they deploy applications on the Web that can be used to harm the rest of us. This is no different from any other requirement we put on people in the name of the public good. Such steps won't eliminate security threats altogether, but they sure will go a long way toward reducing them.
Obviously, it would take Congress a while to get around to investing in the appropriate agency to conduct such reviews and impose fines. But maybe in the meantime some enterprising souls could start analyzing Web sites with an eye toward identifying, first, sites that have already been compromised and, second, sites that have vulnerabilities. Once these sites were identified, there's nothing quite as effective as public humiliation when it comes to getting people to change what can only be described in this day and age as irresponsible and reckless behavior.