Last week Symantec released their 2008 Internet Security Threat Report (ISTR). The report provides an analysis of worldwide Internet threat activity, vulnerabilities, malicious code, phishing, spam and activity on underground economy servers.
The ISTR contains a lot of interesting information and I’d encourage you to read it — I’m certainly not going to repeat all the findings here. But if you’re an average Internet user wondering what’s going on, here is my greatly oversimplified summary:
Criminal activity on the Internet continues to increase. Criminals are targeting your personal information, especially your credit cards and logins to your financial institution. They’re doing so mostly by compromising the web sites you visit and planting malicious code there that is then downloaded to your computer.
There are a lot of things you could do to protect yourself. But the real question isn’t what you could do, it’s what you should do. Here are my top five recommendations:
- Ensure your anti-virus software is up-to-date. If you don’t have an AV package, get one. AVG, BitDefender, Kaspersky, McAfee, Nod32, or Norton/Symantec. (In alphabetical order if you’re wondering.)
- Update your operating system and unless you have a very good reason not to, set it to update automatically. A lot of systems are being compromised even though a fix was issued more than 6 months ago.
- Back up data you don’t want to live without. Use removable media (CD, DVD, USB Flash drive, USB Hard drive) or an automatic Internet backup service like Carbonite.
- Avoid the darker side of the Internet like gambling, porn, pirated software, illegally distributed movies, etc. They’re a haven for malware.
- Don’t let your kids play on your work computer.
The vast majority of intrusions into personal computers are preventable. Following these five simple recommendations dramatically reduces your risks.
For business readers, here’s an excerpt from the ISTR:
“Web-based attacks are now the primary vector for malicious activity over the Internet. The continued growth of the Internet and the number of people increasingly using it for an extensive array of activities presents attackers with a growing range of targets as well as various means to launch malicious activity. Within this activity, Symantec has noted that most Web-based attacks are launched against users who visit legitimate websites that have been compromised by attackers in order to serve malicious content. Some of the common techniques used by attackers to compromise a website include exploiting a vulnerable Web application running on the server (by attacking through improperly secured input fields), or exploiting some vulnerability present in the underlying host operating system.”
Sixty-three percent of vulnerabilities documented by Symantec in 2008 affected Web applications. The message to web application developers is clear: Many of you are not paying sufficient attention to security. As a profession, you are failing your customers.
I realize that’s a harsh statement and that in many cases web developers are responding to downward pressures on price and unrealistically short development timeframes. But as a profession it’s time to step up to the security challenge and start designing web applications that resist and even tolerate some intrusions while still protecting sensitive information and users. Those users, after all, are your customer’s customers.
We must start paying more attention to security throughout the software development lifecycle. That includes ensuring security requirements are identified along with the other functional requirements for new applications. In fact, one of the problems is that we still consider security requirements somehow separate from ‘functional’ or ‘business’ requirements. They’re not.
Perhaps this is one space where the open source community could play an important role. Most web applications have common requirements like user account maintenance, authentication, privilege management, session control and input validation. Yet every application developer seems to create their own, and many make the same mistakes. Perhaps it is time for an open web application framework that handles these critical functions… and does it right.