By Mike Rothman, President and Principal Analyst, Security Incite
Welcome to my new monthly column on eBizQ. I'm really happy to be here
because what you do (which is predominately application architecting, building,
and supporting) is really the lifeblood of an IT shop. What I do, which is protect
data and secure the technology infrastructure, should be transparent to the
end users. If I'm doing my job, then you shouldn't even know that
I'm there.
But I'm getting the cart a bit ahead of the horse. My name is Mike Rothman
and I'm a security industry analyst for a research firm called Security
Incite. I write a daily newsletter, contribute to a number of online and offline
publications, and do a lot of other writing and speaking about security topics.
I'm an advocate for end users, so that means I think about the security
problem from your perspective, not from that of the vendors that are trying to
sell you stuff.
I'm particularly interested in application security issues because that's
where the most significant exposure continues to be. There are all sorts of
statistics out there showing that upwards of 80% of attacks target applications directly.
More disturbing, over 7 out of 10 websites are vulnerable to cross-site scripting
(XSS) attacks (source: White Hat Security). A full 9 out of 10 are vulnerable
to some type of attack. That's just scary.
It's not interesting for hackers to go after networks or servers anymore.
It's too hard. The security defenses implemented on most corporate networks
are working fairly well. Protecting the application layer? Not so much. That
is clearly the path of least resistance for the attackers.
I hang with a number of hackers and they ALWAYS go after the application first.
It only takes them a few minutes to gain access and then they have carte blanche
to compromise the database and pretty much every other resource on the internal
network.
Developing secure applications is a known science, by the way. It's not
a technology issue; it's a commitment and training issue. The sad truth
is that most developers/engineers don't know where to start. They don't
know how to build software securely and, for the most part, they don't care.
It's not that they really don't care, but developers are under the
gun. Corporate management isn't going to extend the delivery timeframe
for a new mission-critical application because it needs to be built securely.
Maybe it should happen, but it doesn't.