A Gartner Group report [CSO online] estimates that employees are responsible for more than 70% of the unauthorized access to information systems in their own companies. Employees also perpetrate more than 95% of the information systems intrusions that cause significant financial losses. The survey also highlights that a majority of organizations tend to see the importance of security only after actually suffering damage from security breaches. These organizations generally need that real-life experience before they will allow architects and application developers to get involved with instituting security measures.
Businesses are becoming more aware that computer security incidents can originate inside the organization as well as outside. Insider attacks are worse than outside attacks and are usually more malicious. The attacker abuses user privileges or steals application-specific administrator rights and then gains access to resources such as financial applications and other confidential information repositories.
With the wide adoption of Internet-enabled applications, businesses and organizations are experiencing a growing rate of security-related damage, such as denial-of-access, exposure of confidential data, unauthorized transactions, identity theft, and data corruption. Most of these issues are associated with application-specific security flaws and the failure of applications to defend against known threats.
According to an FBI survey [eWeek] of 500 companies, 90 percent said they’d had a computer security breach, and 80 percent of those said they’d suffered financial loss as a result. A 2003 Federal Trade Commission survey [FTC findings] found that 27.3 million Americans have been victims of identity theft in the last five years, including 9.9 million people in 2002 alone. According to the survey, businesses and financial institutions in 2002 lost nearly $48 billion due to identity theft; consumer victims reported losses of $5 billion.
After some prodding, the University of Washington Medical Center [AMNews] acknowledged that a hacker had infiltrated its computer system and stolen the confidential records of thousands of patients. Another interesting story [online-kasino] comes from an online gambling casino, where a hacker gained access to the gaming application and corrupted the game so that gamblers could not lose. In just a few hours, gamblers racked up winnings of $1.9 million.