SANS study: The risk is under your nose
A new study of 15,000 organizations by the SANS Institute finds the biggest risk facing most systems is unpatched vulnerabilities in applications. The study finds that applications, not operating systems, have become the primary target of attack. That means many IT executives will have to reshape their priorities and work harder on a kind of vulnerability that has been neglected.
Many IT execs have become lax about applications and the need to keep them secure, according to the study. Typically, flaws in applications go unpatched for much longer than OS vulnerabilities.
"On average," the report says, "major organizations take at least twice as long to patch client-side vulnerabilities as they take to patch operating system vulnerabilities. In other words, the highest priority risk is getting less attention than the lower priority risk."
IT shops are also lax in dealing with vulnerabilities in applications running on web servers, even though web server-side applications are the target of more than 60 percent of all Internet attacks, the report says. These vulnerabilities let attackers compromise web sites, and the hostile web pages are then used to exploit application flaws, the report says. It is a maze that is difficult to untangle, especially at a time when cybersecurity is a top issue for any company relying on a network.
But it is a warning worth responding to, and it is time for every IT security expert to take an inventory of system vulnerabilities and step up to fix them.
For more on the SANS study:
- see this Business Week article
- see this GovInfoSecurity article