
March 2007 Archives

March 4, 2007

Java Open Review (JOR)

Today, Fortify released its first-ever analysis of open source Java code. In our report, we analyzed four well-known Java packages: Hibernate, Spring, Struts and Tomcat.

The good news: these packages are by and large safe. The bad news: developers are prone to incorporate open source code in ways that lead to vulnerabilities in their own software.


March 8, 2007

Justice League
Big ups to our friends at Cigital who just launched a blog to call home: Justice League. We expect they'll push potent, piercing, perhaps poignant musings on security and not do any arguing about who gets to be Batman. It's about time someone entered the ring to counter Zorkul!


March 12, 2007

Who are Hackers? Part I

Everyone understands software's prevalence - from managing complex supply chains to using cell phones to manage the intricacies of a teenager's social life. But how widely is it understood that there is a large, growing group of people solely dedicated to breaking into software? Hacking is no longer a hobbyist's sport. Breaking software has expanded beyond its amateur roots for two reasons:

1) Hacking is state-sponsored - For example, there are regular reports on the ongoing cyber war between China and Taiwan. Taiwan regularly accuses China of hacking into defense ministry databases. In 2001, the US government set up a cyber unit "intended to make maximum use of 'cyber-weapons.'"

2) Monetization is the goal - In the past, some hackers were simply happy to embarrass Microsoft. Today, the ability to steal credit cards is far more enticing.

Fundamentally, hacking is driven by simple economics. As the US Defense Security Service puts it, "The potential gain from even one successful computer intrusion makes [hacking] an attractive, relatively low-risk option--and the risk to sensitive information on US computer systems will increase." [Source]

For now, let's look at driver #1: state-sponsored hacking.


March 22, 2007

PCI Compliance: Dog chasing its tail?

I sat in a PCI compliance seminar recently given by Visa.

According to the presenter, only a minority of companies are currently compliant:

Level 1 Merchant: 40%
Level 2 Merchant: 16%
Level 3 Merchant: 38%
Level 4 Merchant: Low (No specific number was given)

The numbers are quite low. Why?


Who are Hackers? Part II: Hacking for Money

Last week, I focused on governments that engage in hacking. This week, let's investigate the hackers who are in it for the money.

One misconception about professional hackers is that they work alone. In fact, they work in groups. The process begins as hackers actively "market" themselves on hacker websites, citing their expertise in, for example, spam. At InfoSec Orlando, a speaker from the FBI even showed how professional hackers engage actively in marketing, producing commercials. Once the group is organized, they target specific things to attack and create the plan.

About March 2007

This page contains all entries posted to :: extra :: in March 2007. They are listed from oldest to newest.