Verizon Business recently released its 2008 Data Breach Investigations Report, covering more than 500 different security breach incidents occurring in the past four years. It's a fascinating read and should be mandatory for business and IT professionals alike.

The report should be of assistance to those trying to decide whether to comply with requirement 6.6 of PCI DSS by deploying a web application firewall or by conducting application code reviews. The answer? Both are necessary; not because the standard requires both, but because employing both provides the best coverage across a varied set of attacks. Verizon's report indicates that web applications account for a significant share of the attack venues exploited in the incidents studied.


As if that weren't bad enough, of the 59% of breaches attributed to hacking and intrusions, 39% targeted the application layer.

Breakdown of Hacking/Intrusion Breaches

Attacks targeting applications, software, and services were by far the most common technique, representing 39 percent of all hacking activity leading to data compromise. This follows a trend in recent years of attacks moving up the stack.

Verizon attributes the rise in breaches deriving from hacking to this nugget of truth: "many tools are available to help automate and accelerate the attack process". The question, then, is why aren't more organizations getting help automating and accelerating the defense process by deploying a web application firewall?

What Verizon's research should do is scare the crap out of you. Seriously. But what it should also do is provide a sturdier soapbox on which security professionals can stand when they're trying to explain that yes, code reviews and web application firewalls are both A Very Good Idea. With attackers moving "up the stack" at an alarming rate, it seems only prudent that security professionals employ All Means Necessary to prevent their organization from being showcased in Verizon's next data security breach report.

Imbibing: Water