Insanity – Doing the Same Thing Over and Over Again Expecting a Different Result

Mar 08, 2008 | 3 mins

Data and Information Security | Identity Management Solutions | IT Leadership

A Gartner study indicates that 75% of security breaches are due to flaws in software, primarily because those applications have been put together as quickly as possible in order to get a working system out there, without due regard being given to the security implications. We all see this on a daily basis. Arbitrary dates are set for a new system or application rollout without fully defining requirements and without considering security. Someone up in the corporate cloud determines a revenue number that trickles down to a delivery date for a series of applications that must roll out to generate the right numbers.

Researchers with an application-security testing specialist estimate that 71 percent of all the vulnerabilities reported worldwide during Q4 2007 were related to Web apps (affecting everything from servers to browsers), a three percent increase over the previous quarter. The directional metrics here are going the wrong way.

As the hackers continually attempt to up their game, the securities and futures industry in the US recorded, in 2007, a 150% annual increase in the amount of suspicious activity detected on its systems. It really makes you wonder whether that activity is merely being watched or whether something is actually being done to thwart it. The most common attacks are:

• SQL command injection
• LDAP injection
• Shell command injection
• Interpreted data injection
• OS command injection
• HTML/XHTML injection
• Cross-Site Scripting (XSS)
• Session hijacking
• Session token brute-force attacks
• Session cookie manipulation
• Session replay attacks
• SSL/TLS protocol manipulation
• URL path & file guessing
• “Forceful browsing”
• Path traversal attacks
• Log data injection
• Resource exhaustion attacks
• Hidden field manipulation
• Client-side scripting bypass
• Personalization and state cookie manipulation
• Buffer overflows
• Developer back door access
• Format-string attacks
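The first item on that list is also the cheapest to get right at the source. The following is an added example, not code from the original column or from any vendor cited in it: a login check written the rushed way (SQL assembled by string concatenation) next to the same check written with a parameterized query. The in-memory SQLite table, the user record and the test inputs are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data: a single-user table in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The rushed version: user input is spliced into the SQL text.

    Whatever the caller types becomes part of the statement's syntax, so a
    quote character in the username changes the meaning of the query.
    """
    query = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """The proper version: placeholders keep input as data, never as SQL.

    The driver binds the values separately from the statement text, so a
    quote in the username is just a quote inside a string being compared.
    """
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def compare(username, password):
    """Run both checks on the same input and return (vulnerable_result, safe_result)."""
    conn = make_db()
    try:
        return login_vulnerable(conn, username, password), login_parameterized(conn, username, password)
    finally:
        conn.close()


if __name__ == "__main__":
    # A legitimate login succeeds under both implementations.
    print("valid credentials:", compare("alice", "s3cret"))
    # A username that closes the string literal and comments out the password
    # clause (a textbook SQL injection payload) is accepted by the concatenated
    # query and rejected by the parameterized one.
    print("injected username:", compare("alice' --", "wrong"))
```

The parameterized version costs one line of change and removes the whole class of bug; the same pattern (bind values, never splice them) applies to the LDAP, shell and OS command injections further down the list, each with its own API for keeping data out of the command syntax.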

According to Gartner, 90% of IT security spend is on perimeter security such as firewalls. This demonstrates that CIOs still don’t get it and CISOs are not pushing CIOs to get it. The perimeter is gone. Why spend there? Why not write proper code? Why not fix the software? Why not examine the real costs that rushing the code out the door incurs?

Unless coders begin to improve their techniques for writing Web applications, the situation is likely to get worse before it gets better, experts said (Cenzic), as the continued demand among business users for new Web-based business tools and a lack of ‘proper’ development skills fuel the issue (along with the desire for revenue at all costs). Do you think anyone really looks at what the carnage and fallout of securing the application after the fact actually costs?

The main targets of today’s hackers are e-commerce web sites and the customer databases behind them. Databases that hold credit card numbers, expiry dates, PINs, addresses, and everything else that’s needed to empty a victim’s bank account. Their operations are so slick that stolen data is exploited within seconds of it being submitted by unwitting victims.

IT spend is estimated to be ~$1.2T in 2007, with 4.2% of that, or $50B, going to IT security spend. Of the $50B, 90% or $45B is going to perimeter spend. The cost of reported breaches ($32B from the chart above) is 72% of what we spend on IT security at the perimeter.

Do you think we would see a significant decrease in the number of data breaches and records stolen if we shifted our spend to actually writing proper code and protecting data at the source instead of at the edge? I think it is time we gained a few IQ percentage points and stopped the insanity.