Financial Times - Cybercriminals are Winning

Published By: Gunnar Peterson on February 13, 2007 - 11:23am
Filed In: Software Development

Who will win? The 1997 security model or the 2007 attacker?

As Deming said, "It is not necessary to change. Survival is not mandatory."

Security industry ‘losing cybercrime battle’

The computer security industry is struggling to cope with new levels of sophistication in cybercrime, according to leading figures in the field.

“We are in a sense losing [the fight]; we cannot say that we are winning,” said Natalya Kaspersky, co-founder and chief executive of Kaspersky Labs, the Russian computer security company and anti-virus partner of Microsoft and Red Hat.

The company said the number of virus incidences had surged between 2003, when they detected just over 10,000, and 2006, when they found 80,000. Criminal activity accounted for most of that increase.

RSA, the security division of EMC, the data storage company, recently reported that the number of attacks by phishing programs, which enable the theft of personal and financial information, had reached 65,000 a month worldwide - double the number recorded three months ago.
...
“There’s a new type of threat that traditional security measures are not designed to meet,” said Dan Hubbard, vice-president of California-based Websense Security. “Frankly, the attackers have out-evolved the solutions.”

This is precisely because many programmers and architects have not evolved their security models and think that SSL and firewalls are all they need. Software security in the main has not changed much since 1997 (and all the Web 2.0 stuff, Ajax and REST, is guilty here, too), yet the attackers have evolved. It is a better business plan to evolve.

The steep rise in cybercrime incidents has been attributed in large part to the development of underground online communities, which sell and trade information about crimeware, such as phishing programs, or Ransomware, which encrypts files and then demands payment to decrypt them.

“Very sophisticated tools are commercially available in black markets,” said James Lewis, cybercrime specialist and director of the Center for Strategic and International Studies in Washington. “This has made [the internet] more attractive for organised crime: [criminals] no longer have to be geeks.”
...
In Lewis’s opinion, however, international law enforcement is “still very much in the 19th century … We probably won’t see a real improvement until we see a big dramatic crime.”

Hopefully, it doesn't come to that, but it probably will, given a Victorian-age international legal system and 21st-century technology. We won't see improvement until people begin to build security into their software.

