May 02, 2005

Hackers aren't just picking on Microsoft

According to some research completed by SANS, online criminals turned their attention to antivirus software and media players like Apple's iTunes in the first three months of 2005 as they sought new ways to take control of users' computers.

A news article I read on Yahoo had some interesting quotes that I thought some of you may be interested in:


"Operating systems have gotten better at finding and fixing things and auto-updating, so it's less fertile territory for the hackers," said SANS Chief Executive Alan Paller.

Anti-virus products from Symantec, F-Secure, TrendMicro and McAfee proved vulnerable as well, a prospect Paller found particularly discouraging.

"We ought to do better in our industry -- we should be a model for others," he said.

Amen. But this is an industry-wide problem. Here is a poster I think I need to make for our office:

SECURITY PRODUCTS != SECURE PRODUCTS

Secure software programming is a discipline that all software vendors need to embrace, not just operating system and security software vendors. And the problem of vulnerabilities in all software will continue to grow as hackers move on to easier and easier targets in the popular applications that most people use.

So none of us are immune. We need to be on our guard and write safe code. We need to follow the principles of secure coding and ensure that our clients are not only safe, but secure in their business workflow with the tools we build for them. And this has to have buy-in from all stakeholders in the ISV, from the CEO all the way down to the junior programmer who is just starting out.

Posted by SilverStr at May 2, 2005 08:22 AM
Comments

Yes, but do you think that they are going to try to exploit iTunes on a Mac, or iTunes on a Windows system? I'm going to guess at the latter, and though I don't know a lot about exploits, I'm going to guess that they are going to be exploiting a flaw in iTunes so that they can get through and exploit a flaw in the Windows core software. If they were exploiting flaws in Safari or Rhythmbox, or some other one-OS-only software, I'd agree with the 'not targeting Microsoft' statement, but just using other not securely written software to take control of Windows systems isn't going to convince me the tide has turned.

That said, let's hope RealPlayer/iTunes/etc. beef up their code :)

Posted by: Arcterex at May 2, 2005 03:24 PM