There are two important assertions in this Dark Reading coverage of the SecTor conference in Toronto: buffer overflows are still the most common class of vulnerability, and the claim that Microsoft's security has improved is at least somewhat justified.
The assessments were made by Telus, a company that provides vulnerability analysis to security vendors. The buffer overflow finding is a bit surprising given the attention being paid to flashier Web 2.0 application vulnerabilities such as cross-site scripting (XSS) and SQL injection; attention and prevalence are evidently not the same thing.
The numbers cited on Microsoft: high-severity vulnerabilities fell from 175 last year to 129 during the first 11 months of 2007 (which, prorated over a full year, works out to slightly more than 140). Critical bugs also went down, from 20 in 2006 to eight so far this year.
The security terrain clearly is getting more rugged, however, due to the emergence of Web 2.0. This ComputerWorld piece relates comments from Petko Petkov, a security researcher who addressed the Open Web Application Security Project (OWASP) US 2007 conference hosted by eBay earlier this month. Petkov said that the new technologies are very dangerous and offer attackers many opportunities. He said that it took only one day to build a "Web-based attack infrastructure" on top of Google Mashup Editor. The last half of the story describes some of the approaches attackers could take. Overall, the news isn't good. Said Armorize CEO Wayne Huang:
Nobody realizes the potential for abuse...When it happens, I think it's going to be on a very massive scale and very hard to stop.
It's nice to see folks agree. However, it's too bad that the subject upon which they concur is the dangers of Web 2.0. This Silicon.com piece starts out with a Yankee Group assessment that Web 2.0 is "heading for a slow-motion security train wreck."
The vulnerabilities are not new, the piece says, and relate to inherent problems in the way browsers are designed. The basic landscape, says an executive with Fortify Software, is that the high level of interactivity means a lot of data is in play at any given moment and that much of the processing is being done on the client, which often will be less secure. The practical consequence is worth spelling out: logic and validation that move into the browser run in an environment the user, or an attacker, fully controls and can inspect or modify, so any check that matters still has to be enforced on the server.
The piece relates three recommendations from Forrester: organizations should re-examine their security policies in light of Web-borne threats; improve user awareness; and deploy technologies such as Web filtering, behavioral analysis and outbound content control.
This McAfee blog weighs the by-now familiar fears about unfettered use of consumer Web 2.0 services in the enterprise against the common-sense realization that the new applications can be a boon for business. A balance must be struck, and IT and security managers, the post says, need to plan for it. The writer offers three things decision makers should consider: keep an open mind toward embracing the benefits of Web 2.0 for the business; define an acceptable Internet use policy that explicitly covers Web 2.0 applications; and use content filtering to block unapproved sites.
The increase in browser-based vulnerabilities is real and scary. It would be even more frightening if Microsoft were not stepping up its security game. Despite the good news out of Redmond, IT managers and security teams clearly need to rethink their approach for an increasingly threatening landscape.