Applications under attack, say Microsoft, Adobe

More than 80% of current vulnerability attacks target applications, including browser plug-ins, says Microsoft’s Dave Ladd, citing data compiled by IBM’s X-Force. The principal security program manager for Microsoft’s Trustworthy Computing group contends that attacks have recently moved to the application space because hackers are abandoning operating system attacks as OS vendors take steps to vastly increase security.

Ladd also stresses the need for software companies to incorporate security into the development process. “Finding a bug at design time is a heck of a lot cheaper than finding after you have deployed an application”, he affirmed.

Microsoft offers documentation on its Security Development Lifecycle (SDL) process, which is free to download. The company also offers a simplified SDL process document that can be used by organizations of any size.

When asked why Microsoft would help potential competitors develop more secure products, Ladd responded that it’s a matter of creating a safer ecosystem. “Security is a neutral ground”, he noted, adding that his company’s customers often don’t distinguish where a bug that causes an application to crash originates, and instead simply assume that the problem lies in the Windows operating system. And, aside from the reputational issues, Ladd said that, “frankly, it’s the right thing to do.”

Brad Arkin, director of product security and privacy at Adobe, agreed with this assessment. “The number of attacks on the platform have been decreasing, while the number of attacks against third-party apps running on the platform have been increasing”, he said.

Arkin acknowledged that it has been a rather difficult year for security issues surrounding Adobe products, especially the company’s popular Reader product.

“Why do you attack Adobe software?” he asked rhetorically. “Because that’s where the users are”, Arkin said, referring to the ubiquitous presence of Adobe’s Acrobat Reader, which commands overwhelming market share among PDF reader products and is run on more than 98% of desktop systems.

“Pretty much everyone on Earth uses our software”, Arkin proclaimed. “This creates a rather interesting attack surface for bad guys to go after.”

The Adobe product security director says that attacks against applications are not just a dilemma for his company, but an industry-wide problem. As Arkin noted, however, Adobe does face a unique challenge: “The fact that we have some of the most widely deployed software on Earth puts us squarely in the middle of these types of attacks.”
