Why ThreatModeler?

Consider the top breaches of 2011 (and it’s only June as I write this). You have Sony at about 100 million records, Epsilon at about 60 million records, WordPress.com at about 18 million records, and you have the hacks of RSA and HBGary, which have some very high-ranking government and defense agencies as clients with data that requires high security clearance. All of these breaches took place through exploits of well-known vulnerabilities. Threats such as SQL Injection, Security Misconfiguration and misconfigured email have been on security top-ten lists for over a decade and still persist in a year that might record the highest data losses yet. Apart from the organized crime and targeted attacks of cybercriminals, you have vigilante hacker groups trying to expose the weaknesses of big corporations, which until now have viewed security as an add-on, to be applied only after a vulnerability is discovered.

According to the latest Verizon Data Breach Report, hacking accounted for 50% of the breaches and a whopping 89% of records stolen. Exploitation of backdoors or command/control channels accounted for 73% of the breaches, resulting in 45% of stolen records; second to that was exploitation of default or guessable credentials, accounting for 67% of the breaches and 30% of stolen records. Good old SQL Injection and Buffer Overflows accounted for 14% and 9% of breaches respectively; these should have been eliminated years ago but still run strong in this day and age of security advances. The response to the PlayStation Network breach cost Sony approximately $171 million, according to a report at ZDNet.

But why let the vulnerability exist in the first place? As of June 28, 2011, Sony’s stock price had dropped by as much as 30 percent following the hacking incidents (http://money.msn.com/business-news/article.aspx?feed=AP&date=20110628&id=13830293).


5 reasons to use ThreatModeler™:

  • Allow developers and architects to identify threats and vulnerabilities with little or no knowledge of security.
  • Enable development teams to build a repeatable and scalable process.
  • Development-methodology agnostic, and integrates easily into existing workflows.
  • Identify threats with ThreatModeler™ and validate them with static analysis and vulnerability assessment tools.
  • Market software security as a competitive differentiator.