This is my list of the top 10 security stories of 2007. Since I am a web application security guy, the list is slanted in that direction for sure. If you think I missed something that belongs on it, post a comment!
10. Penetration Testing Goes Prime Time - No, this is not a Tiger Team fan site! I liked the show and am looking forward to more episodes, hopefully a few that spend more time on the computer side.
9. iPhone Hacking Reveals Security Press Whores - I knew this was going to happen, and it is really kind of silly. A new device comes out and it is going to have problems. Yes, they are cool hacks, but you could still smell the press whoring dripping off some of these.
8. Cross Site Request Forgery Goes Mainstream - Creating an article that diggs itself was just the start. PDP discovered a way to backdoor Gmail accounts via XSRF in April. XSRF has been around for a while under a few different names (CSRF, session riding, the one-click attack). The core problem is simple: the browser attaches the victim's cookies to any request it sends to a site, including requests triggered by an attacker's page, so a site that trusts the cookie alone will happily act on a forged request. Expect big scary things from it in the future.
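As an added example (not code from the original post, and not PDP's Gmail write-up), here is a toy model in Python of why a cookie-only check fails and how a synchronizer token fixes it. Everything in it is constructed: the in-memory session store, the `Request` class, the forwarding-rule endpoint, and the victim and attacker addresses are stand-ins for a real web framework and a real mail application.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Server-side state. In a real app these would be a session store and a database.
SESSIONS = {}          # session id -> {"user": ..., "csrf_token": ...}
FORWARDING_RULES = {}  # user -> list of addresses mail is forwarded to


@dataclass
class Request:
    """Toy stand-in for an HTTP request. The key property: the browser attaches
    the target site's cookies to every request it sends there, whether the page
    that triggered the request belongs to that site or to the attacker."""
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def login(user):
    """Create a session and return the session id that goes into the cookie."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_settings_page(sid):
    """A same-origin page can read the session's token and embed it as a hidden
    form field; an attacker's page on another origin cannot read it."""
    return SESSIONS[sid]["csrf_token"]


def vulnerable_add_forward(req):
    """Authenticates on the session cookie alone, so any site that can make the
    victim's browser POST here gets a forwarding rule added (the Gmail backdoor
    pattern). Returns an HTTP-style status code."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None or req.method != "POST":
        return 401
    FORWARDING_RULES.setdefault(sess["user"], []).append(req.form["forward_to"])
    return 200


def protected_add_forward(req):
    """Same handler with a synchronizer token: the POST must carry the secret
    the server put in the form, and only same-origin pages can obtain it."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None or req.method != "POST":
        return 401
    submitted = req.form.get("csrf_token", "")
    # Constant-time compare so the token cannot be recovered byte by byte via timing.
    if not hmac.compare_digest(submitted.encode(), sess["csrf_token"].encode()):
        return 403
    FORWARDING_RULES.setdefault(sess["user"], []).append(req.form["forward_to"])
    return 200


def run_csrf_attack(handler):
    """The victim is logged in and visits an attacker page that auto-submits a
    POST to the target. The attacker never sees the cookie; the browser adds it.
    Returns (status, the victim's forwarding rules afterwards)."""
    FORWARDING_RULES.clear()
    sid = login("victim@example.com")  # constructed victim account
    forged = Request(
        method="POST",
        path="/settings/forward",
        cookies={"sid": sid},  # attached by the browser, not by the attacker
        form={"forward_to": "attacker@example.net"},  # attacker cannot supply the token
    )
    status = handler(forged)
    return status, list(FORWARDING_RULES.get("victim@example.com", []))


def run_legitimate_change(handler):
    """The victim changes the setting from the real settings page, which
    carries the token. Returns (status, forwarding rules afterwards)."""
    FORWARDING_RULES.clear()
    sid = login("victim@example.com")
    token = render_settings_page(sid)
    genuine = Request(
        method="POST",
        path="/settings/forward",
        cookies={"sid": sid},
        form={"forward_to": "me@example.org", "csrf_token": token},
    )
    status = handler(genuine)
    return status, list(FORWARDING_RULES.get("victim@example.com", []))


if __name__ == "__main__":
    print("vulnerable, forged:", run_csrf_attack(vulnerable_add_forward))
    print("protected, forged: ", run_csrf_attack(protected_add_forward))
    print("protected, genuine:", run_legitimate_change(protected_add_forward))
```

Two caveats a practitioner should keep in mind: the token has to be unguessable and bound to the session (a fixed or predictable token protects nothing), and the 2007-era alternative of checking the Referer header is unreliable because browsers and proxies often strip it.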
7. PCI tiptoes into Web Application Security - PCI has flirted with web application security in its standard for a while. That flirtation continued with the nebulous yet specific section 6.6, which says review your code or get a web application firewall. It is a best practice today and is slated to become a requirement on June 30, 2008. I hope they make it clear by then.
6. McAfee buys another network scanner to kill - In October McAfee announced the acquisition of ScanAlert. I covered my thoughts here. McAfee still has money and needs to diversify away from its core AV business. I suspect more news in 2008.
5. Web Application Space Consolidates - First IBM acquired Watchfire, then, in a fit of jealous rage, HP acquired SPI Dynamics. Neither looks like a spectacular valuation, but I am sure the founders made out OK. This leaves Cenzic as the only pure-play desktop scanner out there, and they are clearly going insane with their lame attempt to cash in on the virtualization craze. (I still laugh when I read that release.) Where HP and IBM are going remains unclear, although it seems likely that SPI will end up part of Mercury and Watchfire part of Rational. Whether the products survive as standalone offerings is another question.
4. Full Disclosure Dies - 2007 will go down as the year full disclosure died. Crappy treatment from vendors, and now from web site owners, has driven the good guys out, and the only people left are the bad guys who are in it for the money. Which leads to…
3. Russian Business Network gets more light shone on it - Scott Berinato wrote a great series of articles covering the shadowy world of the Russian Business Network and the groups it supports. Amazing stuff, and it blows my “kids from Russia” quip out of the water. These guys are good, they are for real, and they are raking in the big bucks.
2. Web Application Security continues to rise - I have been in this space for 10 years now, and it seems to have gained more exposure this year than the previous 9 combined. A full track at Black Hat, tons of coverage in the security media, and a general understanding from the CIO crowd make 2008 look like a breakout year.
1. TJ Maxx leaks the most credit cards in history - Really, could there be any other #1? This article gives a good overview of how bad it really was inside TJX: more than 45 million card numbers exposed, with the attackers getting in through a poorly secured store wireless network. Sadly, TJX still had issues well into the year. They finally paid up to make it all go away.
Well, there is my list of the top security stories of 2007. If you have any to add, post them in the comments.
Post from: Grumpy Security Guy
Top 10 Security Stories of 2007