The latest SANS Top 20 has been released, and according to SANS the #1 issue impacting the security of your servers is the web application code that lives on top of them.
I agree with them (in a totally biased way, of course), but the data they cite leaves me with an uneasy feeling. SANS likes to go by reported vulnerabilities. Reporting of web application vulnerabilities is basically non-existent outside of open source PHP applications. Every once in a while you will see a reported vulnerability in something like PeopleSoft or MS SharePoint, but a large percentage of the reported web application vulnerabilities are in things like Jim Bob's PHP Guestbook 0.00001alpha, and really, who cares about that?
PHP include issues are most certainly bad, but they are far from the most prevalent issue found in large enterprises. In our customer base we only have 22 PHP sites we scan out of around 650 sites today. There is just not a lot of PHP adoption in the enterprise, at least in our customer base.
So while I agree with the conclusion, I feel leery about how it was reached.