<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/rss2full.xsl" type="text/xsl" media="screen"?><?xml-stylesheet href="http://feeds.feedburner.com/~d/styles/itemcontent.css" type="text/css" media="screen"?><rss xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
   <channel>
      <title>Twenty-Four Seven Security</title>
      <link>http://www.ebizq.net/blogs/news_security/</link>
      <description>Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.</description>
      <language>en</language>
      <copyright>Copyright 2008</copyright>
      <lastBuildDate>Mon, 21 Jul 2008 08:53:52 -0500</lastBuildDate>
      <generator>http://www.sixapart.com/movabletype/?v=3.2</generator>
      <docs>http://blogs.law.harvard.edu/tech/rss</docs> 

            <atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/Twenty-fourSevenSecurity" type="application/rss+xml" /><feedburner:browserFriendly></feedburner:browserFriendly>
      <item>
         <title>Data Black Market Thrives</title>
         <description><![CDATA[<p>An article over at the <a href="http://www.baltimoresun.com/business/investing/bal-bz.ml.consuming20jul20,0,3780746.column" target="_blank">Baltimore Sun </a>shows how very easy it has become for the bad guys to go shopping for someone's name and social security number before they actually go shopping. It's gotten so easy, in fact, one almost expects a 'Dummies Guide to Internet Identity Theft' to go on sale at the local bookshop.</p>

<p>Illegal ID marketplaces are thriving in international chat rooms, message boards and Web sites that specialize in the trade of personal and financial data for crooks and thieves.  And the TJX data theft, which handed over 47 million credit card numbers, was really just the tip of the data-theft iceberg.</p>

<p>The article goes on to describe a man who believes his identity was first stolen via his PayPal account several years ago, and who has had trouble keeping a lid on it ever since.  Basic advice on protecting your identity: keep a close eye on all your accounts, read your statements carefully, change your passwords regularly (every other month is the recommended frequency), and make sure your passwords aren't easy to crack, like just using "password" (uh-oh, I've got a few quick changes to make myself; there, now I'm back).  It also wouldn't hurt to read our latest security feature, <a href="http://www.ebizq.net/hot_topics/security/features/9941.html" target="_blank">Encryption Protects Data -- Period</a>.</p>]]></description>
         <link>http://www.ebizq.net/blogs/news_security/2008/07/data_black_market_thrives.php</link>
         <guid>http://www.ebizq.net/blogs/news_security/2008/07/data_black_market_thrives.php</guid>
         <category />
         <pubDate>Mon, 21 Jul 2008 08:53:52 -0500</pubDate>
      </item>
            <item>
         <title>The World is Now Your Workplace: IBM Discusses Their Collaboration Tool, Jazz</title>
         <description><![CDATA[<p><em>Editor's Note: Interested in the collaborative workplace? Then you cannot miss ebizQ's upcoming virtual conference on Enterprise 2.0, coming this Wednesday, July 23. <a href="http://www.ebizq.net/events/enterprise2/" target="_blank">Sign up here.</a></em></p>

<p>What follows is my podcast with David Locke, Director of Offerings for <a href="http://www-306.ibm.com/software/rational/" target="_blank">IBM Rational</a>, where we dive into the hot topic of the day, collaboration: how IBM Rational's new Jazz collaborative technology is built for the flattening of the workplace (in this case software development), and how we're all pretty much expected to get our work done from anywhere and everywhere with co-workers half a world away.  So give it a listen, or read the full transcript below.</p>

<p>Listen to or download the 9:18 minute podcast below:</p>

<p><object type="application/x-shockwave-flash" height="28" width="300" data="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/PSIBMRational.mp3"><br />
<param value="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/PSIBMRational.mp3" name="movie" /></object><br />
<a href="http://www.ebizq.net/blogs/news_security/PSIBMRational.mp3">Download file</a></p>

<p>--------- TRANSCRIPT ---------</p>

<p><strong>First of all, David, can you just give me a quick overview of your announcement for IBM Rational’s Jazz collaborative technology?</strong></p>

<p>You bet.  So in this announcement, we’re announcing 11 new products based on the Jazz technology.  So Peter, as you may recall, we’ve been working on Jazz for about two years.  The development style of Jazz is what we call “Open Commercial”.  So I’m sure your audience is familiar with Open Source.  There are many, many folks out there that want to contribute their abilities and their knowledge and their skills to creating better software.</p>

<p>The challenge with Open Source though is that there’s really no place to get training, no place to get support, and as some companies have merged to do that, they’re typically smaller vendors.  In this case, with Jazz, what we’ve done is coined the term “Open Commercial”.  Meaning we’re engaging the general public to help develop it but we will commercialize it.</p>

<p>And so two years ago, we started the Jazz Project and we’ve had over 14,000 people contributing to date.  And as we’ve moved forward, the community has basically said, we’re ready for Version 1, and that’s exactly where we are and what we’re announcing here 11 new products of -- partially from IBM, partially from our partners that are based on the Jazz technology.  Now, one of the premier products in this offering is Rational Team Concert.  So this product is specifically focused on helping teams effectively collaborate in realtime.</p>

<p><strong>Now, this might be difficult to answer, but what main problem does this then help address for a company?</strong></p>

<p>No, that’s actually a great question, Peter.  At the end of the day, software development and delivering software that really operates and runs your business is very much a collaborative effort.  And if you think about the scope of the collaboration that has to happen to deliver the right software to organizations, it’s very broad.</p>

<p>Now, Rational has a history of delivering software to help the development team work more effectively together; it’s very important.  But the scope is broader than that.  If you think about what software delivery really is all about, it’s about automating business processes, trying to streamline companies’ approach to the competitive stance, being more nimble, to be able to change over time, and be able to acquire and divest different parts of their company, be able to change with technology.</p>

<p>All of these different aspects of business really require that collaboration happens with the line of business people, the marketing people, possibly the legal people, and definitely the technology folks in IT to make these things happen.  So Rational Team Concert is all about providing that realtime collaboration.  Rational Team Concert is what we call “Team Aware”, meaning as you create, for example, a set of requirements, these requirements then, of course, get passed into the IT side of the house to understand what it is you need to be built, or need to be acquired to fulfill that business set of requirements.  </p>

<p>Well, as IT looks at those requirements, they may have some questions.  Well, which business analyst actually developed those?  Possibly the business analyst could be in Hong Kong, or could be in India, or could be down the street.  </p>

<p>It’s hard to tell in this ever-flattening world as globalization is happening in our economy.  And so Rational Team Concert provides this team-aware approach to all of the artifacts that go into delivering this software, all the way down to individual coders understanding which line of code has defects, all the way up to I’m looking at a set of requirements or some business models.  And if I don’t understand it, I can then right-click right inside of Team Concert and understand who developed it.</p>

<p>I can then open an instant messaging window, or a link to a wiki, or start a wiki, and I can actually use Web 2.0 type approach of social networking to find the right person that I need to collaborate with, start collaborating with, capture that collaboration for later use, and allow it to streamline and flow through the organization.  Another key element of Rational Team Concert that helps address this is the process and workflow aspect, right.  </p>

<p>So you can imagine that in every organization there’s some form of process.  The business analyst does some modeling and hands it off to a system analyst, and then it hands off to an architect, or down to developers, or some flow like that, right.  Well, Rational Team Concert allows you to automate that flow, and so it automatically creates a workflow based on the workflow in your organization.</p>

<p>And then helps you make it come to life and support that workflow in the organization.  And then third, Rational Team Concert then allows you to look over the entire project end-to-end and analyze how that project’s coming, or if you’re CTO, you want to know how all your projects are coming.  It allows you to get realtime metrics into those projects.  All of this is really around the challenges of globalization, the challenges of becoming more nimble at delivering the right software for the right challenge that the companies are facing today.</p>

<p><strong>This seems like this is addressing the issue of a flattening world, you know, where I’m in New York and you are wherever you are, say you're in Hong Kong, and if we needed to work together for a couple of days, right.</strong></p>

<p>That’s exactly right as different team members come and go because we acquire companies, and divest companies, as well as people moving project to project.  Being able to understand what it is I’m trying to work on, and who I hand it off to, and automating that workflow, and getting the collaboration established so that I know who to talk to, to get things worked out is all about what Jazz is bringing to market here.  </p>

<p><strong>So what do you see for the future of this software collaboration?</strong></p>

<p>With regard to the future, Peter, that’s a great question because, all in all, we see several different key transformations happening around this Jazz technology.  One transformation is how teams work more effectively together, right.  So as more and more of the Rational set of tools integrate with the Jazz technology, as well as other third-party companies take advantage of the Jazz technology and the Jazz platform, we’ll see how development teams and software delivery teams really can work more effectively and more predictably together, right.</p>

<p>So we see a transformation in the organization in how software development is done.  Second is an industry transformation.  Now a good analogy here is the ECLIPSE world.  So as I’m sure you’re familiar, before ECLIPSE, there were many different software development tools that did all sorts of great things but they did not have a common interface, they did not have a common underpinning to allow them to work more effectively together, the tools themselves.</p>

<p>In other words, ECLIPSE has helped consolidate the desktop around a common UI, a common set of underpinnings so that these tools could work together even though they’re from disparate different vendors; that has transformed that desktop.  Jazz is going to do the same thing.  We already see that happening.</p>

<p>Jazz is going to do it from the server side, if you will, the collaboration side of the equation.  So in this announcement, not only did IBM release some new products, but we also have quite a few partners that are releasing products on Jazz as well as having announced further support and new projects for themselves coming out on Jazz.</p>

<p>And if we compare how ECLIPSE has progressed over time as compared to where we are with Jazz, kind of looking at the same point in time, we’re actually further ahead in ECLIPSE in terms of starting to transform the industry around this collaborative platform.  And that’s also why we made it open commercial.  Right, so that we would have industry-wide support for these common underpinnings because it really is the next key thing that needs to happen for our industry.</p>]]></description>
         <link>http://www.ebizq.net/blogs/news_security/2008/07/the_world_is_now_your_workplac.php</link>
         <guid>http://www.ebizq.net/blogs/news_security/2008/07/the_world_is_now_your_workplac.php</guid>
         <category />
         <pubDate>Wed, 16 Jul 2008 12:26:48 -0500</pubDate>
      </item>
            <item>
         <title>Hacker Tool Updated to Exploit ActiveX</title>
         <description><![CDATA[<p>As with zero-day exploits, in which hackers wait until after Microsoft's Patch Tuesday so they can start afresh and anew on hack Wednesday, it's good to know that some security folks are keeping an eye out for updates to the tools hackers use.</p>

<p>According to this article on <a href="http://www.infoworld.com/article/08/07/14/Microsoft_Access_ActiveX_attacks_will_intensify_1.html" target="_blank">InfoWorld</a>, which was based on a report by <a href="http://www.symantec.com/index.jsp" target="_blank">Symantec</a>, an easy-to-use hacker toolkit has been updated to take advantage of an ActiveX vulnerability in Microsoft's Access database system.</p>

<p>"Further analysis of these honeypot compromises has revealed that the exploit has been added to a variant of the Neosploit exploit kit, it will very likely reach a larger number of victims," said Symantec's report.  "As is the case with most of these ActiveX attacks, they are being served by traditional Web sites that have themselves fallen victim to automated SQL injection attacks," Hittel wrote on a Symantec forum. "In the past, we have seen government, commercial, and hobby sites fall victim to these SQL injection attacks and subsequently begin serving exploits to each of their visitors."</p>

<p>Which makes me wonder what the sales pitches are like for these hacker tools...rob and steal and cheat without ever leaving your lair.  Become a millionaire overnight with our major Microsoft exploit tool.  Actually steal money that's supposed to go to Bill Gates.  I mean, what are the cybercrooks gonna do if the hacker-ware doesn't work as planned, sue them?</p>]]></description>
         <link>http://www.ebizq.net/blogs/news_security/2008/07/hacker_tool_updated_to_exploit.php</link>
         <guid>http://www.ebizq.net/blogs/news_security/2008/07/hacker_tool_updated_to_exploit.php</guid>
         <category />
         <pubDate>Mon, 14 Jul 2008 11:23:34 -0500</pubDate>
      </item>
            <item>
         <title>The Criminal in the Next Cubicle: Talking Security With Xerox</title>
         <description><![CDATA[<p>In this podcast I spoke with David Drab, the Principal and Security Thought Leader for <a href="http://www.xeroxglobalservices.com/" target="_blank">Xerox Global Services</a>.  What's particularly interesting about this podcast is that Mr. Drab is an ex-FBI man, and I think having him sound off on IT security issues really brings home how hacking has truly evolved into a full-time criminal enterprise, whether it's a criminal who's delving into online crime or someone in the cubicle next door whose reckless activities have now become criminal.  David and I talk about current enterprise security issues and how Xerox is addressing them, and make sure to listen for the quote:  Mercy to the guilty is cruelty to the innocent.</p>

<p>Listen to or download the 10:41 minute podcast below:</p>

<p><object type="application/x-shockwave-flash" height="28" width="300" data="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/PSXerox1.mp3"><br />
<param value="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/PSXerox1.mp3" name="movie" /></object><br />
<a href="http://www.ebizq.net/blogs/news_security/PSXerox1.mp3">Download file</a></p>

<p>--------- TRANSCRIPT ---------</p>

<p><strong>First of all, why don’t you just give me the top security solutions companies need to be concerned with today?</strong></p>

<p>Well, I think the -- one of the greatest challenges is really comprehending the risk that we face in an ever-changing global environment.  There’s no question that senior executives, in particular, have a very difficult time really understanding the context of risk, what the implications are and many times don’t know really what to do about it.  I think that is one of the things that is really a necessity in moving forward.  </p>

<p>The studies have shown that many companies really have applied more resources to deal with security but it hasn’t necessarily meant improvement because it’s more understanding what you didn’t know previously.  So I think one of the big challenges is it’s really getting proactive, getting strategic to be able to more effectively manage security and have a stronger voice across the enterprise.</p>

<p>Too often, it’s a matter of picking up the headlines and getting together around a table the following day and saying, what are we doing about laptops, or what are we doing about social networking sites such as MySpace and Facebook, and what kind of risks do these present to us.  And unfortunately, piecemeal security is always going to be lagging far behind and not have it in a strategic kind of mode of operation.</p>

<p><strong>Now, why do you think companies need to employ more than just security technology?</strong></p>

<p>Well, security clearly is about people.  We can't really have a meaningful discussion of security today without considering the role of those who are actually handling the information.  I’ve never had to slap a set of handcuffs on a printer, or copier, or laptop, or desktop, it just doesn’t happen that way.</p>

<p><strong>Now, so how should companies then hold their employees accountable for security lapses?</strong></p>

<p>Well, that’s -- I think that’s a great question, Peter, because to draw on a quote, one of my favorites, actually, from Adam Smith, “Mercy to the guilty is cruelty to the innocent”.  And in my experience in interviewing spies and criminals who have sort of decided to try to make right their wrongs and have talked to us about their experience in conducting crimes within organizations, have said over and over that you folks had the greatest rules and policies and procedures in place but you don’t enforce them.  </p>

<p>And so enforcement is one of the elements of security that has to stand on its own two feet.  If a senior VP has decided to set up his home computer with confidential data and it’s not done in a manner that is consistent with security policies and procedures, then he’s got to be held accountable like everybody else.  It’s not a matter of objectively applying security concepts.  So it’s really a top-down, bottom-up mandate that organizations first have leaders who get it, who really understand it, because I can assure you that there are others out there who do get it and understand the opportunity that lies in the world that we live in today.</p>

<p><strong>Right.  Now, as a former FBI agent, why do you believe that companies need to use counterintelligence tactics in their security model and exactly what are those tactics?</strong></p>

<p>Well, security and even law enforcement, Peter, is always behind, always lagging and reacting to what is occurring.  And in our experience in the U.S., you may recall, we had a deeply entrenched mafia organization whose existence was even denied by the FBI, that it was a national conspiracy, and after years and years of plodding along in the media and various sources, it became evident that there was such a thing and a national conspiracy.</p>

<p>And it wasn’t until that was exposed and readily recognized that we were able to be effective to deal with that threat.  So in a nutshell, the mafia organizations in our country recognized that there was value in organizing their operations in these 24 families around the country because America was a big piece of pie.  So they very strategically addressed it and we all know what happened.  </p>

<p>It wasn’t until the ‘80s when we really comprehended the threat that we were able to get the Congress to enact laws that enabled us to effectively deal with this kind of a threat.  It wasn’t until we had witness protection, and wiretapping protocol, and RICO laws, and things like, the right kind of tools to deal with the problem.  And then, we had to change our approach.  </p>

<p>We had to become strategic, we had to scale down the number of cases we were working and take out the big fish instead of a lot of little fish.  So applying that kind of approach to the corporate environment today, we need to have some person or organization as another layer that’s looking across the fault lines of the organization and has their eye on the ball from start to finish.</p>

<p>And we see this over and over today with organizations where we know there are good security policies, we know there are good controls in place, we know there is a good culture in place around security.  Yet, we wonder how an up-and-coming researcher or engineer can travel to another country, and then we later find out he was recruited and became a part of an espionage operation that compromised enormous amounts of proprietary information, and it happens over and over.</p>

<p>And I think that the problem is we have this failure to track content through its lifecycle wherever it resides, in the paper or the digital world.  And I think that that’s a really important need today.  And this layer of counterintelligence is one that is really independent of the other security structures within the enterprise such as risk management, and IT security, and so on.  And what this does then is provide another element of accountability to ensure that the palace guard, for example, is in order and acting appropriately.</p>

<p><strong>Right.  Now, that seems to lead to my next question: how can a company incorporate document intellectual property security into their enterprise?</strong></p>

<p>Well, I think that’s the -- clearly the direction of information security moving towards the management of content rather than documents.  Documents are the containers of critical information.  And now we recognize the importance of using technologies that enable us to manage content within a document throughout its lifecycle.  </p>

<p>And this, I believe, requires a framework in which critical information, the innovation of a company’s future, the bloodline of a company, really needs to be captured.  It begins with a clear inventory of what the critical information is; a categorization of it to be able to effectively pigeonhole the information as it moves through its lifecycle.</p>

<p>Now we know that when a critical idea is spawned in R&D, it may be a matter of time before it moves towards production.  And then all of a sudden we have marketing plans, we have all kinds of strategies that are trade secret in nature and need to be protected.  So the categorization element of this framework is one that really enables us to get our arms around information that’s dynamic, that’s constantly changing and moving in its value.</p>

<p>And then the next level is identifying it, which is really measuring it against the law.  Is it a trade secret, does it measure up and meet the requirements of a trade secret under the law?  And then classifying it, which of course enables any user to understand what is required of them in managing the information and handling it, and then valuing it, and continuing this process to ensure that the information is effectively secured throughout its lifecycle.</p>

<p>The standard model today is that critical ideas, and innovation, and information that really sets up the future of the company is managed in a patent office, with a legal department.  And this needs to be integrated so that there is clarity around the security goals and objectives to ensure that it’s not walking out the door, and we see that over and over.  As you well know, Peter, information that is not effectively identified and controlled is likely to walk out the door with an employee that is charting the course of their career.</p>

<p>And that’s something that is really under-addressed and needs to be more fully addressed.  And what we do in the document world here, in my experience with Xerox Corporation, is looking at the document in the context of what happens to critical content once it’s been accessed by authorized users.  And we can have all the technologies in place for a very secure environment, but what is the insider doing, those who have been entrusted with the information?</p>

<p>And there are no silver bullets to answer that question, obviously, but there are a number of things that we are looking to do in security printing technologies to help track paper and documents as they move in and out of the paper and digital worlds and really build a chain of custody around the content.  And this is the future, this is the direction that is going to be absolutely essential in securing a global enterprise that is facing unprecedented competition.</p>]]></description>
         <link>http://www.ebizq.net/blogs/news_security/2008/07/the_criminal_in_the_next_cubic.php</link>
         <guid>http://www.ebizq.net/blogs/news_security/2008/07/the_criminal_in_the_next_cubic.php</guid>
         <category />
         <pubDate>Tue, 01 Jul 2008 11:12:22 -0500</pubDate>
      </item>
            <item>
         <title>Is Virtualization Security a Market Yet?</title>
         <description><![CDATA[<p>Interesting back-and-forth going on between <a href="http://securityincite.com/blog/mike-rothman/virtsec-dont-hold-your-breath" target="_blank">Mike Rothman</a> and a number of other bloggers on whether or not virtualization security is an actual viable security product that's being bought and installed by companies, or is still just part of the flying-cars and robots-doing-all-of-our-laundry indeterminate future.</p>

<p>As the Managing Editor of ebizQ now, I certainly have a first-hand view of how technology buzzwords grow like kudzu through the corporate world, as virtualization itself, pretty much nonexistent 2 years ago, now shows up in the headlines of at least a quarter of all the press releases flooding my little old email account like those little fighter spaceships pouring out of the Death Star in one of the early Star Wars flicks.</p>

<p>My take on it: everyone wants virtualization in their headline, but I can only imagine about a quarter to half of all those press releases really amount to a viable (read valuable) use of virtualization.  And as virtualization is being pulled to-and-fro, back and forth, trying to mean all things to all vendors, virtualization has at least established a beachhead, but it will take a while to truly define itself to the non-IT side of corporate America, and therefore virtualization security can only come in behind that.</p>

<p>How far behind?  I think that depends on the extent of the attacks, and the one thing that has certainly changed is the number of attacks as well as the number of attackers.  And since these hacktackers can easily turn on a dime just to steal your dime, that just might turbocharge the market for virtualization security.</p>]]></description>
         <link>http://www.ebizq.net/blogs/news_security/2008/06/is_virtualization_security_a_m.php</link>
         <guid>http://www.ebizq.net/blogs/news_security/2008/06/is_virtualization_security_a_m.php</guid>
         <category />
         <pubDate>Tue, 24 Jun 2008 17:03:12 -0500</pubDate>
      </item>
            <item>
         <title>You Stink! Spam</title>
         <description><![CDATA[<p>I haven't covered spam in a while, or even email security for that matter, even though that's the horse I rode in on to this whole tech mosaic, but I just couldn't help but mention this blog I found on the <a href="http://bits.blogs.nytimes.com/2008/06/18/whats-behind-the-stupid-face-spam-scourge/index.html?hp" target="_blank">NY Times</a> site about a new form of Rickles Spam.</p>

<p>OK OK, it's not called Rickles Spam, as in the insult comic who I think is still calling people 'hockey puck!' somewhere in Las Vegas, but the idea is that spam is now coming loaded with insults in the subject column.  Why, you ask.  Because insults get your attention, you idiot (see!).</p>

<p>Come to think of it, maybe spam is tired of being the red-headed step-child of the email inbox, tired of being blamed for all of the email inbox ills, and they've finally decided to seek some professional help, gain some self-confidence, and insult us right back.</p>

<p>The Times reports that now that spam has pretty much covered all the deadly sins (lust, greed, tax avoidance), what they think will now get a rise out of you is slam spam, or better yet, Rodney Dangerfield spam, which is simply spam that will give you no respect.</p>

<p>So the next evolution in email, which seems to run hand-in-hand with human devolution, is spam telling you you're ugly, or that you stink, or, as Rodney himself would say, "Once when I was lost I saw a policeman and asked him to help me find my parents. I said to him, "Do you think we'll ever find them?" He said, "I don't know kid. There are so many places they can hide."</p>

<p>And when opened, what these emails deliver is a video.exe file that promises a video clip but in fact contains a link to a site hosting malware that takes over the victim's computer.  So if you get any email that says, "You stink," please don't open it...unless it's from your mother (sorry, that was just too easy).</p>]]></description>
         <link>http://www.ebizq.net/blogs/news_security/2008/06/you_stink_spam.php</link>
         <guid>http://www.ebizq.net/blogs/news_security/2008/06/you_stink_spam.php</guid>
         <category>Spam</category>
         <pubDate>Wed, 18 Jun 2008 14:14:15 -0500</pubDate>
      </item>
            <item>
         <title>External Hack Often Results From Internal Error</title>
         <description><![CDATA[<p><a href="http://www.darkreading.com/document.asp?doc_id=156243&WT.svl=news1_2" target="_blank">Dark Reading</a> has an excellent article on the everlasting security debate, i.e. do the greatest risks to a company come from inside or outside, internally or externally.  And unless your company is named We Leak Data, I think the question is relevant to your company as well.</p>

<p>A recent study by Verizon found that while a majority of breaches are executed from outside, they are often made possible by a slip-up or security short-cut initiated by someone inside the company, usually a vulnerability that has been overlooked for a lengthy period of time.  More specifically, the study found that 73 percent of data breaches resulted from external sources. This includes breaches caused by business partners, a source of vulnerability that increased fivefold during the study. Only 18 percent of breaches were caused by insiders.</p>

<p>The study also asserts that 62 percent of data breaches can be attributed to a significant error in internal behavior. Sixty-six percent of the breaches involved data that the victim organization did not know was on the system, and 75 percent of breaches are discovered by a third party, rather than someone inside the organization.</p>

<p>Verizon concludes that it's not always about complex security hacks that need sophisticated security measures to stop them, but what's really needed is a focus on the basics, i.e. security training.  So most breaches are crimes of opportunity, as in, if you leave your keys in the car at the ballgame, don't be surprised when your car isn't there when the game ends.</p>

<p>And as ebizQ has just recently hired an excellent editorial intern named Jessica Mola, and as she's already learned all the difficult things to do (she's picked them up quite quickly, I might add), I guess it's time to go back and show her the security basics.</p>]]></description>
         <link>http://www.ebizq.net/blogs/news_security/2008/06/external_hack_often_equals_int.php</link>
         <guid>http://www.ebizq.net/blogs/news_security/2008/06/external_hack_often_equals_int.php</guid>
         <category />
         <pubDate>Mon, 16 Jun 2008 12:21:11 -0500</pubDate>
      </item>
            <item>
         <title>The Tougher Challenges of SOA: Talking With iTKO</title>
<description><![CDATA[<p>Got a chance to sit down and talk with Jason English, VP of Corporate Marketing at <a href="http://www.itko.com/" target="_blank">iTKO</a>, where I got the low-down on iTKO's latest release, LISA 4.5, and how it addresses some of the tougher challenges of SOA, and Jason sounds off on one of the bigger buzz words at this year's Gartner AADI show: Governance.</p>

<p>Listen to or download the 3:07 minute podcast below:</p>

<p><object type="application/x-shockwave-flash" height="28" width="300" data="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/iTKOAADI.mp3"><br />
<param value="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/iTKOAADI.mp3" name="movie" /></object><br />
<a href="http://www.ebizq.net/blogs/news_security/iTKOAADI.mp3">Download file</a></p>]]></description>
         <link>http://www.ebizq.net/blogs/news_security/2008/06/solving_the_toughest_soa_chall.php</link>
         <guid>http://www.ebizq.net/blogs/news_security/2008/06/solving_the_toughest_soa_chall.php</guid>
         <category>AADI Podcast</category>
         <pubDate>Thu, 12 Jun 2008 08:35:38 -0500</pubDate>
      </item>
            <item>
         <title>Running SOA on a Mainframe: SOA Software Speaks</title>
<description><![CDATA[<p>After a couple of attempts at tracking down the folks from <a href="http://www.soa.com/index.php">SOA Software</a>, I learned an important lesson in that if you want to find someone, it's probably a good idea to check their booth first.  And at their booth at Gartner's AADI show, I finally caught up with Roberto Medrano and Jim Crew and learned what's going on with SOA Software, and got a quick preview of their upcoming Webinar tomorrow (Wednesday) on Enterprise SOA and the Mainframe, which is all the buzz at the Gartner AADI show and which you should definitely check out <a href="http://www.ebizq.net/webinars/9629.html" target="_blank">right here</a>.</p>

<p>Listen to or download the 2:59 minute podcast below:</p>

<p><object type="application/x-shockwave-flash" height="28" width="300" data="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/SOASoftware.mp3"><br />
<param value="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/SOASoftware.mp3" name="movie" /></object><br />
<a href="http://www.ebizq.net/blogs/news_security/SOASoftware.mp3">Download file</a></p>]]></description>
         <link>http://www.ebizq.net/blogs/news_security/2008/06/running_soa_on_a_mainframe_tal.php</link>
         <guid>http://www.ebizq.net/blogs/news_security/2008/06/running_soa_on_a_mainframe_tal.php</guid>
         <category>AADI Podcast</category>
         <pubDate>Tue, 10 Jun 2008 18:17:10 -0500</pubDate>
      </item>
            <item>
         <title>Has the Web Become Like Swimming at Night in Jaws?</title>
         <description><![CDATA[<p>Dun duh.  Dun duh. Dun duh dun duh dun duh CHOMP!</p>

<p>Well, OK, maybe a little hard to figure out, but I'm just trying to recreate the thudding bass tones of the Jaws theme as the shark strokes closer and closer to some unsuspecting swimmer.</p>

<p>And as if it's any surprise, another report on Web security is trying to scream at us Web swimmers and Web enterprises, "Get out of the water NOW!!!"</p>

<p>OK, maybe it's not that bad, but the fact is that the web has become a much more dangerous place in the last year.  And the reason for that is the SQL injection, and just to point out, our good security man Mike Rothman did a podcast about the scourge of SQL injection for your delectation <a href="http://www.ebizq.net/blogs/mike_rothman/2008/06/post_2.php" target="_blank">right here</a>.</p>

<p>Also, keep a look out this Monday, as Mike Rothman has a feature article coming up on the dreaded SQL injection as well (along with the key methods of avoiding it).</p>

<p>According to this article at <a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1316322,00.html">Search Security</a>, threats to Web surfers have gone up 220% this May compared to May of last year, while compromised websites have increased 407% in the same period, while Web malware has increased 855%.</p>

<p>Yep, someone is definitely screaming SHARK! But hey, we're all still in the water.  I mean, what choice do we have?  Just stay as safe as you can, and learn everything you can about the threats, about stopping the SQL injection and securing your web applications, and hey, maybe it wouldn't hurt to put on a little shark repellent before you hit the rough waters of the Web.</p>]]></description>
         <link>http://www.ebizq.net/blogs/news_security/2008/06/is_surfing_the_web_is_like_swi.php</link>
         <guid>http://www.ebizq.net/blogs/news_security/2008/06/is_surfing_the_web_is_like_swi.php</guid>
         <category />
         <pubDate>Fri, 06 Jun 2008 12:28:58 -0500</pubDate>
      </item>
            <item>
         <title>Six Must Have Security Tools (and They're Free)</title>
<description><![CDATA[<p>Picked this up from over on Mike Rothman's ever reliable <a href="http://securityincite.com/blog/mike-rothman/the-daily-incite-may-27-2008" target="_blank">Security Incite</a>, but one thing first: I know I haven't been keeping up this blog much in the past couple of weeks, and some of you may have seen a connection with my recent promotion to Managing Editor, as in you rarely see 24/7 Security Pete and Pete the Managing Editor together.</p>

<p>You see, at the moment, 24/7 Security Pete and Pete the Managing Editor are having a hard time sharing the same brain bandwidth, and I'm thinking maybe it's the title...would you be more likely to read a blog called 24/3 Security (to be totally honest, I really only ever blogged 5 days a week)?  I tell you, though, these Managing Editor jobs sure are busy.  It's like all of a sudden, I'm every PR agent's best friend, and they sure do ask a lot of their best friends.  Or at least they sure do email you a lot.</p>

<p>I know, I know, enough with the backstory, let's get to the meat of the headline...what in the world are these six free security tools that are a must have?  These tools are discussed on Network World, and while free isn't right for everyone (I can certainly imagine the argument, after a system collapse, that the trouble with free is that there is no one to blame, or take the fall), so in most corporate situations, well, you use free at your own expense.</p>

<p>Real quickly, the six products are: Metasploit, Splunk, Google, KeePass, Helix and Netwox.  The article appears on Network World, and you can check it out <a href="http://www.networkworld.com/community/node/27945" target="_blank">right here!</a></p>]]></description>
         <link>http://www.ebizq.net/blogs/news_security/2008/05/six_must_have_security_tools_a.php</link>
         <guid>http://www.ebizq.net/blogs/news_security/2008/05/six_must_have_security_tools_a.php</guid>
         <category />
         <pubDate>Wed, 28 May 2008 16:46:01 -0500</pubDate>
      </item>
            <item>
         <title>Does SaaS Stand for Software as a Security Lapse?</title>
<description><![CDATA[<p>Found an interesting blog over at ZDNet about some of the security weaknesses showing up in various Web 2.0 applications...in this case it was Zoho Writer, the browser-based word processing tool.  When the author wanted to quickly retrieve one of her documents from her Zoho page, she did a search (imagine all the tiresome reading we'd have to do without keyword search), and not only did the intended document show up, but so did 7 other documents created by people she didn't know.</p>

<p>Obviously, it's a problem when documents are popping up all willy-nilly when someone searches their own stuff (I mean, what if the document had private data on it).  This essentially highlights a growing weakness for Web 2.0: while it's no surprise that many SaaS applications have undiscovered weaknesses and vulnerabilities (which is why applications should be security tested before they're launched onto the web), what is a surprise is that many of these vulnerabilities remain undisclosed.</p>

<p>The author of the piece quickly informed Zoho of the problem, and they quickly fixed it, but when the author then checked the Zoho blog for any mention of the vulnerability, it was never brought up.  Now I'm sure anyone who's ever been involved in a small company is well aware that you should never advertise your shortcomings, but the problem with Web applications is that unmentioned vulnerabilities only amplify the problem.</p>

<p>The problem is, this has essentially become standard operating procedure with SaaS applications (as Google and Microsoft routinely fix big bugs without any notification).  And as it's their application running on their servers, it's pretty easy to see why they don't think they need to tell anyone.  But as someone who is in the role of anyone, I sure would like to know the risks I don't even know I'm taking.</p>

<p>To read the full article from ZDNet, <a href="http://blogs.zdnet.com/security/?p=1127" target="_blank">click here</a>.</p>]]></description>
         <link>http://www.ebizq.net/blogs/news_security/2008/05/does_saas_stand_for_software_a.php</link>
         <guid>http://www.ebizq.net/blogs/news_security/2008/05/does_saas_stand_for_software_a.php</guid>
         <category />
         <pubDate>Wed, 21 May 2008 16:07:05 -0500</pubDate>
      </item>
            <item>
         <title>Top Tips for Working Securely From Home</title>
         <description><![CDATA[<p>Change is afoot at ebizQ, and I have been promoted to Managing Editor, which means my focus will change some, as I'll still be keeping an eye on the perils and payoffs in the security industry, but I'll also start covering what's going on in some of the other subjects ebizQ covers, you know, like SOA, and BPM, and BI, and how can we forget IDKEWTAIFBISILAC (that would be, I Don't Know Exactly What This Acronym is For But It Sure Is Long And Confusing).</p>

<p>And if you live across the pond in Britain, tomorrow, Friday, is 'National Work from Home Day,' which corresponds with the U.S. version, 'Live in Your Office Weekend,' and to make sure that your work from home is safe and secure, the fine fellows (I'm trying to sound British here) at <a href="http://myworklight.com/" target="_blank">WorkLight</a> have come up with the following tips.  And the last thing I'm going to say about the U.S. penchant for overwork is, I've always liked this line: If you don't come in on Saturday, then don't even bother showing up on Sunday.</p>

<p>Again, the tips for working securely from home from Worklight follow:</p>

<p>   1.  Use an approved computer for working at home. This way, the company has verified that the necessary protections are in place (up to date virus protection, approved VPN tools, etc.). This will protect you from introducing malware into your company’s environment inadvertently and it will protect you from your company’s ire if “something goes wrong.”</p>

<p>   2. Make sure everything is updated. Before you start working on your computer or laptop, make sure you turn on automatic updates for your applications, as well as installing the latest anti-virus and anti-spyware software, to make sure you and your personal information are also protected.</p>

<p>   3. Never enter your username and password on a page you arrived at by clicking on a link in an email, IM message, third party web site or social networking site. These are the tools hackers use most often to steal passwords.</p>

<p>   4. When entering your username and password on any site, always verify first that the URL in the browser’s address bar matches the URL of the site you think you are accessing. This is the best way to ensure your password won’t be intercepted by some evil-doer.</p>

<p>   5. Set limits about what you are willing to expose about yourself when working online and remember the context of the interaction (business or personal). Be wary, since embarrassing or inappropriate information about yourself may appear in contexts that you did not expect. It is very difficult to “clean up” your profile later on.</p>

<p>   6. Social networking sites and blogs are business tools; make sure you are using a safe environment for professional networking. Treat the network as a resource of valuable information, and tap into your colleagues’ expertise with the collaborative tools available on the network.</p>

<p>   7. Secret is not secure. Some social networks, like Facebook, allow users to engage in private or secret groups. Although these forums take place away from the public eye, apt hackers can still crack open the discussion boards and access conversations, unless appropriate enterprise-grade safeguards have been put in place.</p>

<p>   8. When adding RSS feeds to a feed reader, always prefer to use a link you got from the content provider’s web site rather than from any third party (an email, an IM, a link on a social networking site etc.) This improves the likelihood that the information you are seeing is what the content provider intended.</p>

<p>   9. When accessing corporate applications from a web browser, use a separate browser instance, not just a new tab or a new window opened from the browser you are using to access public sites. This makes it more difficult for hackers to launch request forgery attacks that target your corporate systems. </p>

<p>  10. When using public sites for work related tasks, be aware of the information you expose. Keep in mind, the search queries you run, the sites you visit, your web-based bookmarks and tags, the RSS feeds you've subscribed to and your social network connections are all potential sources for data leakage.</p>

<p>  11. When using Web based collaboration tools, avoid exposing proprietary information. Even when communicating with colleagues, the information you provide can easily become accessible to unauthorized parties. </p>

<p>  12. Familiarise yourself with your employer's acceptable use policy for employee blogs and social networks. Adhering to such policies will help avoid any unpleasant situations. If your employer hasn't published such policies, demand them. </p>

<p>  13. Keep personal and business “digital assets” separate. As personal lives and business lives merge, it becomes increasingly compelling to do personal tasks on work time. Be careful not to merge these two lives on your computer. Some tips - use business time for business and do not store personal files on your business computer (and vice versa).</p>]]></description>
         <link>http://www.ebizq.net/blogs/news_security/2008/05/top_tips_for_working_securely.php</link>
         <guid>http://www.ebizq.net/blogs/news_security/2008/05/top_tips_for_working_securely.php</guid>
         <category />
         <pubDate>Thu, 15 May 2008 12:52:29 -0500</pubDate>
      </item>
            <item>
         <title>Takeovers -- Good for Growth But Bad for Security: Talking with Breach Security</title>
         <description><![CDATA[<p>Listen to or download the 9:07 minute podcast below:</p>

<p><object type="application/x-shockwave-flash" height="28" width="300" data="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/BreachPodcast.mp3"><br />
<param value="http://www.ebizq.net/web_resources/cioaudio/player/emff.swf?src=http://www.ebizq.net/blogs/news_security/BreachPodcast.mp3" name="movie" /></object><br />
<a href="http://www.ebizq.net/blogs/news_security/BreachPodcast.mp3">Download file</a></p>

<p>What follows is the transcript of my podcast with Sanjay Mehta, Senior Vice President of Sales and Marketing for Breach Security, where we discuss the ValueClick data breach, what happened, how it was the result of a corporate takeover, and how takeovers often result in insecure, 'orphaned' applications.</p>

<p><strong>Can you give me a general overview of the ValueClick security breach?</strong></p>

<p>Sure.  There were three main components in that breach.  The first was just a simple violation of the CAN-SPAM Act, essentially centered around deceptive emails.  The folks at ValueClick were passing out emails that were touting free gifts, pretty high dollar items like iPods or laptops.  When consumers clicked through those ads to go to the websites to claim their free prizes, they were assaulted, if you will, with a large number of extra steps to go through including solicitation of paid for goods.</p>

<p>So that was the first area, and the area that the FTC was originally tipped off on.  The next was non-standard encryption.  So there are very well known standards for protecting sensitive information with encryption today.  ValueClick was using something that essentially was just a custom-built character substitution.  So if you watch any modern day movies where people are hunting treasure maps and trying to substitute characters, they were using a fairly similar method.</p>

<p>It doesn’t really encrypt the data, it just obscures it and anybody with even moderate skills can essentially translate that back and get the clear text data, so that was the second area.  And then the third one was they were vulnerable to a very common type of application specific attack called the “SQL injection” where essentially somebody with malicious intent can put in certain character sets, if you will, to dump information out of a database or other data store.</p>

<p><strong>Was ValueClick following acceptable security practices?</strong></p>

<p>No, they really weren’t.  So the spam thing is really a different issue, right.  There are well known pieces of legislation on how companies can email solicit their customers, and they need to identify who they are, and the email address itself needs to be legit, and the physical address needs to be included so people know they’re dealing with a legit business, so they made violations on that. </p>

<p>On the security front, the two areas, again, were the weak encryption and the SQL injection.  So the application security phenomenon is, in general, new.  It’s only been out two or three years in terms of real customer adoption.  It’s been a topic of media and press on data leakage over a similar period of time, but more and more folks are rolling web apps out.  So there are very commonly known industry bodies, if you will, where you can go get information on how to live up to best practices.  </p>

<p>The most commonly referenced one is something called “OWASP”, the Open Web Application Security Project.  And that gives the top ten things you need to be concerned about and things you need to do if you’re doing business on the web, two of those being SQL injection protection and encryption, and ValueClick came up short on both of those accounts.</p>

<p><strong>So looking back, what should ValueClick have done to prevent this from happening?</strong></p>

<p>A few things.  Part of their challenge is something that a lot of companies face today, which is the application in question was one that they acquired from E-Babylon.  So in today’s world where we’re all geared up for high competitiveness and rapid growth, acquisition is a pretty typical growth strategy.  When ValueClick acquires somebody or even “Bank A” acquires “Bank B”, you inherit a bunch of applications that you know very little about.  </p>

<p>And as part of that competitiveness aspect to streamline the business, you let a bunch of people go.  So these applications get inherited and then they’re what I called “orphaned”, right.  The people who wrote the applications, the people who were previously responsible for securing the applications are no longer with the company, the applications are mission critical, they’re driving business and they need to stay online.  </p>

<p>So now, you have new folks responsible for securing these things that they know nothing about.  ValueClick was essentially a victim of that phenomenon where they brought over these apps from E-Babylon, they had poor encryption, they had susceptibility to very common vulnerabilities, and they needed to keep it online.  </p>

<p>So what they should’ve done is sat down and gone through a comprehensive review of how that application’s protected, what it was, how often it changed, what its business features were, etc, and then deployed some sort of defense in-depth approach to secure the application.  There’s -- in application security, there’s no silver bullet, it’s no different than network security.  </p>

<p>You need a defense in-depth approach that starts with training your developers how to write securely, reviewing that throughout the development process to make sure code is being written in a secure fashion according to your corporate standards and industry best practices.  </p>

<p>And then, once in production, making sure that you have the tools and techniques in place to detect the changes to the application and how that might be introducing new vulnerabilities.  And also, just understanding what’s going on in the outside world and who’s targeting your application and your corporate data.</p>

<p><strong>Now, with the FTC fine against ValueClick, what do companies need to know about complying with the government security requirements?</strong></p>

<p>In the world of payment, in the world of web transactions, it’s actually much broader than just the FTC.  So the government certainly has legislation around this and there’s certainly some precedent around fines.  The more prominent movement is actually sponsored by the major card brands, and that’s PCI, the Payment Card Industry Initiative and they have something called the “Data Security Standard”.  </p>

<p>And essentially, everybody’s pointing back to the same thing.  So pointing back to something like the OWASP, that I referenced, at owasp.org, and complying with best practices to secure web applications.  Everybody’s looking at the same standards so it’s not hard for a merchant or anybody else doing business on the web to comply with multiple standards regardless of where they’re coming from as long as they do [0:05:43] best practices.  </p>

<p>So the fines with PCI have been pretty severe.  Companies that are violating that, they’re getting fined $30,000 a month, their rates on credit card transactions are going up, and in the worst case, you’re actually getting dropped so you can't take cards anymore.  So whether it’s an FTC fine that could result in millions of dollars of various things or actually losing your business, companies need to step up and protect their web applications the same way they protect their networks.</p>

<p><strong>What part does your company, Breach Security, play in this process?</strong></p>

<p>Yeah, Breach Security is squarely focused on solving the problem of web application security.  So if you think of a network, networks are by and large static.  Company to company, you have border routers, firewalls, switches, load balancers, etc.  And if somebody wants to attack a network, they attack it in roughly the exact same way.  </p>

<p>So if you think back to five, six, seven years ago when we all heard about the SQL Slammers, and the Blasters, and the NIMDAs, and the Code Reds, they were very widespread mass propagating worms designed to wreak havoc across lots of networks simultaneously.  If you think about the web application security world, every web app is unique.  So instead of ValueClick, for instance, they’ve grown through acquisition.  </p>

<p>Let’s say they have 100 applications, for the sake of argument; each of those applications, even if built on a common framework of tools, has a unique purpose, and the way an end user interacts with it is different.  So to protect that web application, you need to understand its unique intricacies, if you will.  </p>

<p>So Breach Security focuses on delivering a suite of web application security solutions that not only have great detection of what’s going on from the outside world, right.  Who’s trying to attack you?  What vectors are they taking?  But also understanding how the application itself works so you can protect it in the best way, and also complete the lifecycle so security folks can have cogent conversations with application developers about actual flaws not theoretical vulnerabilities so code can be secured at the core. </p>

<p><strong>Now, so what do you see for the future then of application security?</strong></p>

<p>Yeah, I think to broaden the question a little bit, folks are finally starting to look at security a little differently.  Historically, we’ve looked at stovepipes of technology.  So we’ve said, oh, we need a firewall.  Oh, we need intrusion detection.  Oh, I’d like to consolidate my data path a little bit so I’m going to jam all these various things into some sort of UTM device or a switch.  But applications are bringing a whole business context into it, which is I need to do business on the web for the following reasons.  </p>

<p>And to do that, I need to enable certain classes of users to do certain things.  I need end users or consumers to come in.  I need my extranet business partners to come in.  I need my inside guys to come and access the web applications, all for different purposes.  So I need different authentication routines.  I need different authorization routines.  And then once people come within those gates of authorization, I need to make sure that they’re only doing what they’re allowed to do.  </p>

<p>So in web application development and production apps, people are taking a different look at the problem, which is what’s the core value here I need to deliver and then how do I secure that entire value chain from start to finish across my various constituencies?  So I think that the market’s going to start consolidating, if you will, around a different mindset which is: it’s not all about jamming more stuff into a network, it’s about finding a business problem and then making sure that you can deliver secure access for that business problem in the easiest way.</p>]]></description>
         <link>http://www.ebizq.net/blogs/news_security/2008/05/acquisition_can_be_good_for_gr.php</link>
         <guid>http://www.ebizq.net/blogs/news_security/2008/05/acquisition_can_be_good_for_gr.php</guid>
         <category>Podcast</category>
         <pubDate>Thu, 08 May 2008 12:44:42 -0500</pubDate>
      </item>
            <item>
         <title>The Shift is on in Security</title>
<description><![CDATA[<p>The <a href="https://www.isc2.org/cgi-bin/content.cgi?category=510" target="_blank">Global Information Security Workforce Study</a> conducted an interesting security survey recently, where they surveyed 7,548 people about a variety of security topics.  </p>

<p>Some of the interesting shifts noted this year are: 17% of the respondents came from Africa, Latin America, and Oceania (it must be quite an eye-opener going online for the first time and seeing all the great and not-so-great things on the wild wild web).  Also, a majority of people see the growing need for security education.  Some of the key findings follow below:</p>

<p>* Respondents came from the three major regions of the world: Americas (41%), Europe, Middle East and Africa (EMEA) (25%), and Asia-Pacific (34%). It is also interesting to note that this year, respondents from Africa, Latin America, and Oceania comprised 17% of the total respondents.</p>

<p>* Respondents from the Americas see a growing demand for education in security administration (53%),  applications and systems development for security (39%) and telecommunications and network security (34%).</p>

<p>* Respondents from EMEA (Europe, Middle East, Africa) see a growing demand for security administration (40%), business continuity and disaster recovery planning (29%) and privacy (29%).</p>

<p>* Respondents from Asia-Pacific see a growing demand for security administration (54%), applications and  systems development for security (36%) and telecommunications and network security (34%).</p>

<p>* Three-quarters of respondents see viruses and worm attacks as a top/high threat. Next in line for concern are hackers and inside employees as potential security threats.</p>

<p>* Three quarters of respondents view the impact of service downtime (73%) and damage to the organization’s reputation (71%) as top/high priorities. In addition, customer issues related to privacy violations (70%) and customer identity theft (67%) are a top/high priority.</p>

<p>The full report can be found <a href="https://www.isc2.org/cgi-bin/content.cgi?category=510" target="_blank">right here</a>.</p>]]></description>
         <link>http://www.ebizq.net/blogs/news_security/2008/05/the_shift_is_on_in_security.php</link>
         <guid>http://www.ebizq.net/blogs/news_security/2008/05/the_shift_is_on_in_security.php</guid>
         <category />
         <pubDate>Wed, 07 May 2008 12:18:47 -0500</pubDate>
      </item>
      
   </channel>
</rss>
