Veracode's Brennan on the Benefits of Security-as-a-Service
Companies spend billions of dollars every year to build, buy, and outsource software development. Yet we continue to read about another high-profile company reporting another major security breach that is often linked back to its software. Many of today's attacks are targeted, and yesterday's signature-based approach simply isn't good enough any longer. Attacks are often multidimensional in nature, combining social engineering and phishing techniques with zero-day vulnerabilities and techniques that turn the inherent weaknesses of the Internet and your own infrastructure against you.
A real-world example of this is a web application that is deployed in a secure manner: all patches are applied, security logging and monitoring are in place, Secure Sockets Layer (SSL) encryption is used, and solid information security defense-in-depth practices are followed. What's the problem? Too often, simple vulnerabilities in the application code are the root source of major security breaches. I recently wrote an article outlining injection vulnerabilities that illustrates how easy it is for unauthorized attackers to take advantage of simple oversights in your coding practices. Even large corporations with sizable security and IT budgets continue to make this mistake, as evidenced by the continual reporting of significant security breaches.
On October 1, 2012, a hacker group called "Team GhostShell" published the personal records of students, faculty, employees, and alumni from 53 universities including Harvard, Princeton, Stanford, Cornell, Johns Hopkins, and the University of Zurich on pastebin.com. The hackers claimed that they were trying to "raise awareness towards the changes made in today's education", bemoaning changing education laws in Europe and increases in tuition in the United States.
In July 2012, a hacker group was reported to have stolen 450,000 login credentials from Yahoo!. The logins were stored in plain text and were allegedly taken from a Yahoo! subdomain, Yahoo! Voices. The group breached Yahoo!'s security by using a "union-based SQL injection technique".
In May 2012, the website for Wurm Online, a massively multiplayer online game, was shut down by an SQL injection while the site was being updated.
In June 2011, PBS was hacked, most likely through the use of SQL injection; the full process used by the hackers to execute the SQL injection was described in an Imperva blog post.
On June 1, 2011, "hacktivists" of the group LulzSec were accused of using SQL injection to steal coupons, download keys, and passwords that were stored in plaintext on Sony's website, accessing the personal information of a million users.
Over a period of 4 hours on April 27, 2011, an automated SQL injection attack on the Broadband Reports website was able to extract 8% of the username/password pairs: 8,000 random accounts out of the 9,000 active and 90,000 old or inactive accounts.
On April 11, 2011, Barracuda Networks was compromised using an SQL injection flaw. E-mail addresses and usernames of employees were among the information obtained.
On March 27, 2011, mysql.com, the official homepage for MySQL, was compromised by a hacker using blind SQL injection.
On February 5, 2011, HBGary, a technology security firm, was broken into by LulzSec using an SQL injection in their CMS-driven website.
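Every incident in the list above comes back to the coding oversight the author describes in the opening paragraphs: untrusted input concatenated into a SQL string, so that the input is parsed as query syntax instead of being treated as data. The following Python example is added here for illustration; it is not code from the article, from Veracode, or from any of the sites named above. It uses an in-memory SQLite database with a constructed user table and shows the flaw from the defender's side: the concatenated query breaks on an ordinary apostrophe in a legitimate username (the same parsing behaviour that union-based and blind injection build on), while a parameterized query handles the identical input correctly. The table name, column names and sample users are all constructed for this example.

```python
"""Added example (not from the article): string-built SQL versus bound parameters.

Everything here is constructed for illustration: an in-memory SQLite database,
a hypothetical `users` table and two sample accounts. No real system is involved.
"""
import sqlite3

# Constructed sample rows: (username, password_hash). A real application stores
# salted password hashes, never plaintext passwords as several sites above did.
SAMPLE_USERS = [
    ("alice", "hash-alice"),
    ("o'brien", "hash-obrien"),   # legitimate name containing a quote character
]


def make_db() -> sqlite3.Connection:
    """Create the constructed in-memory database and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)"
    )
    # Even the seed data is inserted with bound parameters.
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> list:
    """The oversight: the query text is assembled by concatenating untrusted input.

    Whatever the caller passes becomes part of the SQL grammar. For a benign
    username it works, which is why the bug survives testing; for any input
    containing a quote the structure of the statement changes.
    """
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password_hash = '" + password_hash + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, username: str, password_hash: str) -> list:
    """The fix: the statement is fixed text and the values are bound separately.

    The database driver never parses the values as SQL, so a quote character
    (or anything else) in the input is compared as data, not executed.
    """
    sql = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return [row[0] for row in conn.execute(sql, (username, password_hash))]


def demo() -> dict:
    """Run both lookups against the same legitimate input and report the outcome."""
    conn = make_db()
    outcome = {}
    try:
        outcome["vulnerable"] = lookup_vulnerable(conn, "o'brien", "hash-obrien")
    except sqlite3.OperationalError as exc:
        # The apostrophe terminated the string literal early; the rest of the
        # input was parsed as SQL syntax and the statement no longer parses.
        outcome["vulnerable"] = "SQL error: " + str(exc)
    outcome["parameterized"] = lookup_parameterized(conn, "o'brien", "hash-obrien")
    return outcome


if __name__ == "__main__":
    for variant, result in demo().items():
        print(f"{variant:14s} -> {result}")
```

The point for a code review is that `lookup_vulnerable` passes every test written with well-formed usernames; the defect only shows when the input carries characters that mean something to the SQL parser. A static check that flags string concatenation or formatting feeding `execute()` catches this class before deployment, which is exactly the kind of secure code review the author says most organizations lack in their SDLC.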
I see the smart organizations moving toward an intelligence-based approach for identifying their most relevant threats, and they truly understand the risks of deploying applications that face the Internet. Because of the lack of maturity in the industry, organizations are building their security intelligence efforts in-house and often do not have a formal process to review security vulnerabilities as part of their SDLC or business process. The internal approach to security intelligence and secure code reviews will not scale, because you cannot hire enough smart people and build enough tools to adequately address the scope of the problem. Any of the major research firms, such as Gartner, Forrester, or IDC, will confirm this line of thinking.