When it comes to my technical expertise in IT security, I’m generally familiar enough to know I should not pretend to be an expert. However, that has not kept me from getting a lot of valuable insight at the RSA conference this week. RSA has provided me the opportunity to hear a lot about the security threats out there, a little about how they work (including a really cool Conficker presentation by IBM’s Tom Cross), and a lot about what the industry is doing to combat these threats.
The most enlightening bit of information for me came when I listened in to a short presentation delivered by the IBM X-Force team. IBM X-Force is a team of thousands of security researchers and experts who are constantly researching and evaluating vulnerabilities in IT systems. They turn this research into countermeasures in IBM products, and they use it to educate the public at-large about dangerous vulnerabilities in their IT systems.
This team puts out reports at various points in the year that detail a wide range of vulnerabilities and their pervasiveness throughout the IT world. At RSA they provided an overview of their 2009 year-end assessment (which you can download here), and it contained some interesting insights into the state of IT security.
For the purpose of the report, the X-Force team defines a vulnerability as “Any computer-related vulnerability, exposure, or configuration that may result in a weakening or breakdown of the confidentiality, integrity, or accessibility of the computing system.” The X-Force team saw a significant decline in the number of disclosed vulnerabilities they analyzed: in all, 6,601 new vulnerabilities were scrutinized, as opposed to well over 7,000 in 2008. Tuesday continued to be the day with the most vulnerability disclosures, weekends were the slowest, and the slowest and busiest months were November and December respectively.
The report contains information about various types of vulnerabilities, but the section focused on web application vulnerabilities is particularly interesting. Overall, the number of disclosed vulnerabilities in web applications grew in 2009. The first half of the year saw exponential growth (standard fare over the last 5+ years), while data from the second half may suggest a slight slowdown in the rate of increase. The report cites the most common web application vulnerabilities as cross-site scripting, file include holes, and SQL injection.
It’s doubtful that anyone is surprised to learn those three culprits make up the largest percentage of web application vulnerabilities, but what is a bit surprising is that from 2008 to 2009 only cross-site scripting increased its share of the pie. In 2008 cross-site scripting accounted for a little under 30% of disclosed web application vulnerabilities; in 2009, this percentage was closer to 40%. This is quite an increase, especially when you consider that this is arguably one of the most widely known, well-understood types of application vulnerability.
I’m not usually one to write much about security, but the web application vulnerability results have clear implications for cloud computing. Cloud computing did not start the notion of delivering applications via the internet, nor is every web application a cloud-based application. However, there is little debating that cloud computing is leading to the production and use of even more web-based applications. On the brink of what should be a rapid and considerable increase in the number of web-based solutions, these vulnerabilities only grow in importance.
If you are in the business of either delivering or consuming web applications, it is critically important to understand the vulnerabilities that exist, especially the most common ones. For consumers of web applications (read: all of us), not only is it important to understand the vulnerabilities of those web applications, but it is also helpful to understand the threats that exist for clients. The report covers this as well. Ignoring the threats and vulnerabilities will not make them go away, so get proactive and check out the IBM X-Force report for 2009.