Figure 3.3 Internet blog about McAfee's HackerSafe Web sites being hacked.
The attackers were said to have used an SQL injection attack* to steal information from UCB's
databases. We will discuss SQL injection and other common Web application vulnerabilities
and attack vectors in Chapter 5.
The other cost of a security breach is the fines and other legal sanctions that come with it.
Entities that are successfully breached and are seen as negligent are subject to large fines and
severe legal sanctions. For instance, if a merchant organization is storing, processing, or
transmitting credit card data and is not compliant with PCI-DSS (the Payment Card Industry
Data Security Standard), payment brands like Visa, MasterCard, Amex, and so on will levy several
fines on the merchant who was noncompliant with the requirements of the standard as of the
date of the breach. TJ Maxx, the retailer that was the victim of a massive card breach in which over
45 million credit cards were exposed, was subject to a penalty of over $40 million, imposed by Visa
and other card-processing companies and issuing banks. According to reports, in 2006 Visa assessed
fines of $4.6 million on organizations that were noncompliant with the PCI standards, a steep rise
from its 2005 figure of $3.4 million.
3.2.2.4 Reputation and Customer Protection
We have already explored the reason for reputation being the key driver for information secu-
rity and Web application security. We also discussed how the reputation of an organization or
its brand could be adversely affected by a security breach. The hacking and security breach of
HackerSafe sites serves as a prime example. A few of the sites certified by McAfee HackerSafe were
hacked, and this information was posted all over the Internet. This caused a great loss of brand
value for HackerSafe. In fact, after CardSystems, a major credit card processing company in the
United States, reported a breach of over 40 million credit cards, MasterCard reported a 40% dip
* SQL injection is a Web application attack in which the attacker enters crafted SQL fragments into the input fields
of the Web application, causing a vulnerable Web application to execute them and reveal sensitive database information.
We will discuss SQL injection in detail in Chapter 5.
Article on the Web sites carrying the HackerSafe certification being hacked: http://www.informationweek.com/news/
Internet/showArticle.jhtml?articleID=205600099.
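The footnote above describes the mechanism only in a sentence. The following is an added illustration written for this edit, not code from the book: a login lookup that splices form input straight into the SQL text beside the same lookup using bound parameters. The in-memory table, its column names, the user records and the attacker's payload are all constructed for the example.

```python
import sqlite3


def build_db():
    """Constructed sample data: a tiny in-memory table standing in for the
    database behind a login form (not data from the book)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT, password TEXT, card_last4 TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "1111"), ("bob", "hunter2", "2222")],
    )
    return conn


def lookup_vulnerable(conn, username, password):
    """Vulnerable form: the field values are formatted into the SQL string,
    so whatever the user typed is parsed as part of the query."""
    sql = (
        "SELECT username, card_last4 FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username, password):
    """Hardened form: bound parameters keep the input as data; the database
    never parses it as SQL syntax, so the same payload matches nothing."""
    sql = (
        "SELECT username, card_last4 FROM users "
        "WHERE username = ? AND password = ?"
    )
    return conn.execute(sql, (username, password)).fetchall()


def demo():
    """Run both lookups against a legitimate login and a hypothetical
    injection payload typed into the password field. The payload closes
    the string literal and appends a tautology, turning the WHERE clause
    into (... AND password = 'x') OR '1'='1', which is true for every row."""
    conn = build_db()
    payload = "x' OR '1'='1"  # hypothetical attacker input
    return {
        "legit_safe": lookup_safe(conn, "alice", "s3cret"),
        "attack_vulnerable": lookup_vulnerable(conn, "nobody", payload),
        "attack_safe": lookup_safe(conn, "nobody", payload),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Running it shows the vulnerable lookup returning every user's card digits for a username that does not exist, while the parameterized lookup returns an empty result for the same input. The fix is the binding, not input filtering: the payload contains nothing a blocklist would reliably catch.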