Point of View: $100MM cost of hacking

Many people think wires are the most secure way to send large sums of money. I’ve seen how many of these wires get processed, even wires for billions of dollars.  And it’s just like most other enterprise software — lots of vulnerabilities waiting to be discovered by hackers.

It’s a good example of what Andreessen called “software is eating the world” - handling wires used to be a manual paper business. Wires would get printed out and put into wire baskets (get it) on people’s desks as they worked their way through the various approvals required. This process was relatively secure because an attacker simply couldn’t get access to these papers or affect the business.

But now this business is almost entirely automated. This has great benefits, most of all that I don’t have to go into a branch office and wait for hours to get a wire sent.  However, it creates a lot of risk that attackers can break into these systems and steal information or money.  Sometimes it’s difficult to see these risks because they aren’t always concrete.  But remember that when you automate, you almost always dramatically increase the pool of possible attackers.  That means you’re going to need a lot more defense and assurance work to make sure it’s protected.

For the record, I don’t buy into the idea that you must choose between security and convenience. In fact, the more convenient automated version could certainly have better security than the old manual one. But we just haven’t done very well at ensuring that we maintain at least the same level of security when we automate things. And that should be our touchstone for security — don’t allow things to get worse.

Jeff Williams, Co-Founder, Chief Technology Officer

Jeff brings more than 20 years of security leadership experience as co-founder and Chief Technology Officer of Contrast Security. He recently authored the DZone DevSecOps, IAST, and RASP refcards and speaks frequently at conferences including JavaOne (Java Rockstar), BlackHat, QCon, RSA, OWASP, Velocity, and PivotalOne. Jeff is also a founder and major contributor to OWASP, where he served as Global Chairman for 9 years, and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many more popular open source projects. Jeff has a BA from Virginia, an MA from George Mason, and a JD from Georgetown.