You can find the list of vulnerabilities reported to the US CERT system in 2005 here: http://www.us-cert.gov/cas/bulletins/SB2005.html
They list 5,198 vulnerabilities reported through their system in 2005, a figure reported as a record. Of those, 812 affected Windows, 2,328 affected the various flavors of Unix, including Linux and Macintosh OS X, and 2,058 affected multiple operating systems.
At first blush, this is “just another” story about security gone awry. We view this, instead, as an opportunity to look at what this means and as a valuable piece of information in how we advance security in 2006 and beyond. It stands as a reminder that security must be considered at every level of an application, down to the code running on a user’s workstation.
As a CISSP instructor, Michael teaches other professionals about application security on a regular basis. The seemingly ironic part is that Michael is not, and does not consider himself to be, a coder. Nevertheless, the principles he teaches can, and must, be applied at even the lowest levels and the earliest stages of an application's development.
Stories like this remind us that a lot of applications today are developed in an effort to solve a problem and get to market quickly. Many do follow coding processes, project plans, and design specifications; the question is whether security is part of each of those steps.
The same discipline applies whether you are writing code, installing and configuring a system, or designing and deploying a network. If the security of the data is considered and integrated at every step of the process, it inevitably strengthens all three legs of the CIA triad: confidentiality, integrity, and availability.