So over the past 9 years I have performed hundreds of penetration tests and code reviews and have discovered hundreds of application security issues along the way. Out of all the issues I have discovered, how many could have had a significant impact on the business or brand? Maybe 10-20%?

There are many stats published annually by IBM, CSI, White Hat, OWASP etc. that cover off statements such as “75% of sites contain a vulnerability” or “42% of sites tested had a cross site scripting issue”. OK, fine, I can't argue with that, but how many of those vulns are actually useful to an attacker for carrying out a real attack?

Brand damage is a major concern for organisations in relation to cyber security breaches. The actual attack or attempted attack often does not do much damage in itself, but if the media get wind of the incident it can spin out of control.

I believe the “securing the perimeter” idiom is out of date and leads to a false sense of security. In my day to day work I encounter more and more organisations suffering loss where the attack vector targets the client rather than the organisation itself. In my opinion it's more common than successful SQL injection, and it is a softer target.

PCI is totally inadequate in relation to this type of attack, and the best solution is careful design: using one time passwords (expensive); enforcing business logic such that it is difficult to commit significant unauthorised transactions; and using out of band messaging, such as mobile phone txts, to inform the user that a transaction has taken place. Depending on your business model, is there even value in blocking particular IP blocks relating to a geographic area in which you do not do business?
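To make the design controls above concrete, here is an added example (not code from the original post) of a server-side transaction authorisation policy that combines them: a daily business-logic limit, OTP step-up for large or first-time payees, a geographic allow-list, and an out-of-band notification on every completed transfer. The account structure, thresholds, region codes and sample transactions are all assumptions constructed for illustration; the point is that a compromised client cannot talk its way around rules enforced on the server.

```python
from dataclasses import dataclass, field

# Assumed policy values, constructed for this example.
DAILY_LIMIT = 2000              # cumulative amount per account per day
STEP_UP_AMOUNT = 500            # a single transfer above this needs an OTP
ALLOWED_REGIONS = {"IE", "GB"}  # regions in which the business operates


@dataclass
class Account:
    account_id: str
    known_payees: set = field(default_factory=set)
    spent_today: int = 0
    notifications: list = field(default_factory=list)  # stands in for SMS


def authorise(acct, payee, amount, region, otp_verified=False):
    """Return a decision string; only 'approved' moves money.

    Every check runs on the server, so a stolen session or a trojaned
    browser on the client cannot raise the limits or skip the step-up.
    """
    if region not in ALLOWED_REGIONS:
        return "blocked_region"           # geographic IP-block policy
    if acct.spent_today + amount > DAILY_LIMIT:
        return "over_daily_limit"         # business-logic transaction cap
    # New payee or large amount: require a one-time password before moving on.
    needs_step_up = amount > STEP_UP_AMOUNT or payee not in acct.known_payees
    if needs_step_up and not otp_verified:
        return "otp_required"
    acct.spent_today += amount
    acct.known_payees.add(payee)
    # Out-of-band message: the user learns of every transfer, authorised or not.
    acct.notifications.append(f"{amount} sent to {payee}")
    return "approved"


def demo():
    """Run a constructed sequence of transfers and return the decisions."""
    acct = Account("A1", known_payees={"rent"})
    return [
        authorise(acct, "rent", 300, "IE"),                  # known payee, small
        authorise(acct, "mule", 300, "IE"),                  # new payee: step-up
        authorise(acct, "mule", 300, "IE", otp_verified=True),
        authorise(acct, "rent", 1500, "IE"),                 # would exceed cap
        authorise(acct, "rent", 100, "RU"),                  # outside allow-list
    ], acct


if __name__ == "__main__":
    decisions, account = demo()
    print(decisions, account.notifications)
```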




© Copyright 2007 ASG Ireland.