Skip to main content
March 22, 2012

Verizon Data Breach Investigative Report 2012 -- Application Security Specific Highlights

Verizon just released its 2012 Data Breach Investigative Report which contains findings contributed by global agencies such as the U.S. Secret Service, the Dutch High Tech Crime Unit, the Irish Reporting and Information Service, the Australian Federal Police and the London Metropolitan Police. I thought it would be good to put together a quick summary covering application security specific highlights in the report. Enjoy! 81% of attacks utilized some sort of Hacking. Within hacking there is a stark difference between large and small organizations. SQL injection comes in 3rd after use of stolen login credentials and exploitation of backdoor or command and control channel. It is tied with dictionary attacks. This data shows large organizations have much more application security risk than small organizations. Hacking Methods Source: Verizon DBIR Report SQL Injection comes in 8th overall for threat action when malware, physical, and social engineering are included. Threat Action Types Source: Verizon DBIR Report This breakdown by larger organizations in this year’s DBIR helps highlight our target customer pain much better. 10% of all hacking breaches were web application related for all orgs but 54% for large organizations! How can a large organization not have a web application security program after seeing this data? Hacking Vectors Source: Verizon DBIR Report And finally SQL Injection makes the top list of risk reduction recommendations. Our recommendations will be driven off of Table 8, which is in the Threat Action Overview section, and shows the top ten threat actions against larger organizations. Rather than repeat the whole list here, we’ll summarize the points we think represent the largest opportunities to reduce our collective exposure to loss:

  • Keyloggers and the use of stolen credentials
  • Backdoors and command control
  • Tampering
  • Pretexting
  • Phishing
  • Brute force
  • SQL Injection

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.