Tim Bray opines thusly on the state of web security:
Of course some of these get into very sensitive security issues; but actually we’re getting pretty good at providing information on the Web in a secure way.
I have a more pessimistic view than Tim. 226 million and counting identity records breached says we are not so good at this stuff. I see evidence of good ideas coming in web security, the vast majority of which emanate from OWASP, but I don't see them being baked into mainstream web app development and frameworks. This creates a bad situation that Brian Snow characterizes this way:
We will be in a truly dangerous stance: we will think we are secure (and act accordingly) when in fact we are not secure.
I think the problem is that developers, once they have come up with some minor security modifications, assume that is all that is necessary. Here is the thing - attackers evolve too. And the attacks are coming way faster than the security mechanisms. It's fair to say that developers, when they even get around to taking security semi-seriously, are outgunned.
Developers focus on all the hard things needed to get something to work, but not on the failure modes, and this is what attackers exploit. To wit: Web 2.0 Attacker Meme Map
The reality is that Web 2.0 functionality "secured" by a Web 1.0 security model against a 3.0 attacker is like smashing a rock on an egg.
To be fair, a small number of the total compromised identities (rather than payment instruments) were really from websites. And, though computers feature prominently in many of the breaches, many are stolen laptops, tapes, etc. Not the sort of things developers really can be held accountable for...
Posted by: Andy Steingruebl | May 06, 2008 at 12:19 AM
Andy - hmm...a small percentage of a couple hundred million stands to be a decent sized number.
Sure, not all the issues are a direct result of poor web security. But let's look closer at Q1 2005(*): it looks like about 373,000 identity records breached that we know about. Basic crime statistic analysis says that we know about 10% of what actually occurs, so it's reasonable to project the number is closer to 3.7 million for the first quarter of 2005.
*
Jan. 10, 2005 - George Mason University (Fairfax, VA) - Names, photos, and Social Security numbers of 32,000 students and staff were compromised because of a hacker attack on the university's main ID server. Number of records: 32,000
Jan. 18, 2005 - Univ. of CA, San Diego (San Diego, CA) - A hacker breached the security of two University computers that stored the Social Security numbers and names of students and alumni of UCSD Extension. Number of records: 3,500
Feb. 25, 2005 - PayMaxx (Miramar, FL) - Exposed online. Number of records: 25,000
March 8, 2005 - DSW/Retail Ventures (Columbus, OH) - Hacking. Number of records: 100,000
March 11, 2005 - Boston College (Boston, MA) - Hacking. Number of records: 120,000
March 20, 2005 - Northwestern Univ. (Evanston, IL) - Hacking. Number of records: 21,000
March 20, 2005 - Univ. of NV., Las Vegas (Las Vegas, NV) - Hacking. Number of records: 5,000
March 22, 2005 - Calif. State Univ. (Chico, CA) - Hacking. Number of records: 59,000
March 23, 2005 - Univ. of CA. (San Francisco, CA) - Hacking. Number of records: 7,000
March 25, 2005 - Purdue University (West Lafayette, IN) - Computers in the College of Liberal Arts' Theater Dept. were hacked, exposing personal information of employees, students, graduates, and business affiliates. Number of records: 1,200 (not included in total because news stories are not clear if SSNs or financial information were exposed)
Posted by: Gunnar | May 06, 2008 at 10:12 AM
Ok, but I don't have nearly enough details from those incidents to determine whether they were because of software defects or operational failures.
Could be perfectly up-to-date software and no vuln was exploited but the password was empty or whatnot. Sure maybe it was a not-secure-by-default type issue, but we don't really know.
I had a pseudo-proposal at the mini-metricon to try and gather more data about these to get more root-cause info. Sort of like the WHID - http://www.webappsec.org/projects/whid/ but for other security incidents.
Posted by: Andy Steingruebl | May 06, 2008 at 11:01 AM