The Application Layer is Where the Action Is…

I thought this particular “hacker” article was pretty interesting. Thanks to Dr. Anton Chuvakin’s “Security Warrior” blog for pointing it out.

Once you look beyond the manifesto hype, you can really get a feel for what it represents. It represents a call to action to remind security professionals that the game has changed. The network and systems that it is composed of remain but a part of the security equation. The real target of the attackers that represent the REAL THREAT is the data that the network and systems hold.

Attackers have definitely moved up the stack. They do not care that most organizations are still focused on the network layer and more than a few are still trying to get the basics of that right. In fact, it simply empowers them more.

Today, attackers are focused on the application. That is true whether you look at holes like SQL injection and XSS or at the browser vulnerabilities that are at the root of a majority of malware and bot-net activity today. Today’s attackers have excellent tools for exploit development that have seriously changed the security landscape. More attackers understand the deeper nuances of computer science than ever before. Man security teams and professionals are lagging behind in knowledge, resources and capability.

One of the big reinforcers of this ideal to me was a presentation I gave a few weeks ago about application security. During the research for it, I found that according to several sources, a HUGE amount – roughly a third – of all reported security incidents last year involved SQL injection and XSS. Almost 2/3s of all reported incidents were web-application focused. Clearly, there is no denying that the attackers have moved up the security stack – the question is – have the defenders…

What are you, your security team and your security partners doing today to ensure that your data is protected tomorrow?

Leave a Reply