Grant Fritchey wrote:
I just presented a new session on SQL Injection at Techorama in Belgium and before that at SQLDay in Poland. As part of the prep, I did searches on recent breaches caused by Injection. There are so many. It's completely disheartening. The Georgia Tech one was bad. A worse one was iDressUp, a kids site. It's just nuts that we're dealing with this crap after 21 years of knowing how to fix it.
Yes, it's insane that it isn't taken more seriously. People will say that they take it seriously, but then not give the people what they need to do it correctly. They hire people who don't know, don't train them, impose unrealistic deadlines and then complain about how much stuff costs. It all starts with the education people don't receive and that feeds the hiring. Like Jeff says, "They know the cost of everything and the value of nothing."
The managers are also the ones to have CYAs and DKs lined up, cover things up for months after a breach occurs and then release as little detail as possible to the public. Just look how bad the USPS or Equifax ones were. I have a presentation that has a "slide of shame" with some of the larger hacks and it's sad just how busy it is.
It's way past time for companies to take security seriously. The attitude of management and bad development practices have gotten the IT industry to where it is today.