Business View: Web Applications and their security economy
In the case of web application security, security matters directly meet business structures: think of shopping carts in webshops, eBay, Amazon... big business these days. When it's about money on the internet, it's about SSL (TLS) these days, and SSL has its own requirements under heavy load, including hardware matters such as dedicated TLS termination and offload.

So now, talking about web applications and their security economy, here's an interesting industry view:
Seventeen million programmers are churning out an estimated 102 billion new lines of code per year. Add 162 million websites online, with 809,000 using SSL (an indication of valuable data) and the problem becomes apparent. Researchers estimate that roughly one security defect exists per 10,000 lines of code and nine out of 10 websites contain one or more serious vulnerabilities. If only 1 percent of security defects are exploitable that means we are generating 102,000 zero-days per year - we just don't know where most of them are. Even if 90 percent of the SSL websites contained only a single issue, 728,100 website vulnerabilities are already in circulation, and we don't know where those are, either.
Source: csoonline.com
This article is highly recommended.
The massive attacks on web applications, SQL injection, XSS, authentication bypass exploits, phishing, you name it, cost money. Massive SQL injection attacks on these applications don't just cost trust. Trust in technology isn't easy to lose if you're a big company and things depend on you. In fact there's no need for trust as long as it doesn't sell.
So we're not talking about what customers think: we're talking about saving money, either by fixing things early through code reviews, or, worse, by securing them afterwards with web application firewalls and other bolt-on solutions. A WAF in front of an injectable query only filters the requests it recognises; the defect in the code is still there, and every bypass of the filter reopens it.
After I read the article I assumed that cheap web applications, written under short deadlines, are the ones affected. A good Java backend, with input-validated argument passing and exception handling, instead of cheap PHP and MySQL code, can save money. In fact there are better solutions, but they're an investment, and maybe worth thinking about.
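To make the "validated arguments versus cheap string-built SQL" point concrete, here is an added example (not code from the original post): the same login lookup written once with the user's input concatenated straight into the SQL string, and once with an allow-list check on the argument followed by a bound parameter. It uses an in-memory SQLite database with constructed sample rows so it runs offline; the table layout, the user names, the plaintext passwords and the `USERNAME_RE` allow-list are assumptions made for the demo, not anything from the article.

```python
"""Vulnerable versus hardened login query (added example, constructed data)."""
import re
import sqlite3

# Allow-list for usernames (assumption for the demo): letters, digits, underscore.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database with constructed sample users.

    Passwords are stored in plaintext only to keep the injection demo short;
    real code stores salted hashes.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The 'cheap' version: the query is built by string concatenation.

    Returns the matched username or None. Whatever the client sends becomes
    part of the SQL, so a crafted password rewrites the WHERE clause:
    password = "' OR '1'='1" turns it into
        ... WHERE username = 'alice' AND password = '' OR '1'='1'
    which is true for every row.
    """
    sql = (
        "SELECT username FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn: sqlite3.Connection, username: str, password: str):
    """Validate the argument, then pass both values as bound parameters.

    The allow-list rejects usernames that could never be legitimate (the
    exception is the caller's signal to fail the request). The password is
    not pattern-checked, because users may choose any characters; it is
    simply bound, so the SQL text never changes regardless of its content.
    """
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username fails allow-list validation")
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1"  # classic authentication-bypass payload
    print("vulnerable, bypass payload:", login_vulnerable(db, "alice", bypass))
    print("hardened,   bypass payload:", login_hardened(db, "alice", bypass))
    print("hardened,   real password: ", login_hardened(db, "alice", "s3cret"))
    try:
        login_hardened(db, "' OR 1=1 --", "x")
    except ValueError as exc:
        print("hardened,   bad username:  rejected:", exc)
```

Run it and the vulnerable function logs in as alice with a password that is not hers, while the hardened one returns nothing for the same input and only succeeds with the real password. The two defences are separate: the allow-list catches malformed arguments early and cheaply, and the bound parameter is what actually prevents injection, including through fields (like the password) that cannot be pattern-restricted.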
