Why Should You Care?

A SQL injection attack wreaked havoc and exposed 40 million credit cards from CardSystems, Inc. The attacker planted a job that harvested information from the database and sent it to an FTP server every four days. According to Bruce Schneier, this 2004 attack may have been the first time a data breach was attributed to a web hack; historically, data theft has been attributed to human procedural errors such as social engineering or mishandling of backup tapes.

The truth is, most flaws in application security can't be fully exploited without complementary flaws in the infrastructure. The CardSystems incident, for example, required both a SQL injection flaw and several permission and configuration problems on the database itself. This confluence allowed the hacker to break through the application, upload his own code to pull database information, and send it to a location he controlled. Beyond the flaws themselves, why didn't anyone notice for several months that large FTP transfers were occurring from the web servers toward an offsite location?

Web application flaws are prevalent, and they are becoming attractive targets as infrastructure becomes harder to penetrate with traditional methods. According to SecureWorks, an Atlanta-based research firm, database attacks on its clients have escalated to 8,000 per day in recent months. Further, according to Mitre's research released this year, SQL injection attacks account for 14 percent of reported vulnerabilities, which ...

Get SQL Injection Defenses now with the O’Reilly learning platform.