by tetrad 5461 days ago
The vulnerabilities which I'm aware of in regards to the Sony breaches were all SQL-injection based. There are readily available tools which perform automated tests bombing a website with various SQL injection techniques, which I imagine is how they were found by the attackers.

It is negligent to run a website that contains the personal information of thousands+ people and not run a tool like this or do similar analysis to identify these problems. Fixing them may be another matter (although for SQL injection it should be a matter of sanitizing all of your input and parameterizing all of your queries), but I think the ball is in their court in terms of not knowing about them.


The idea that every team (in-house and outsourced) in Sony that owns an application has a security resource, or that the central resource in Sony knows about every application, does not square with the reality of most of the companies I've gotten to know.

This is the same problem I mentioned upthread (trivial bugs sneaking into huge codebases), just generalized out one level.

The original comment I responded to asserted that "securing applications against these kinds of attacks is not difficult". Again: yes it is. I know companies who spend huge amounts of money trying to defend against simple attacks, and they are not 100% successful. It isn't just "not not difficult"; it isn't just "difficult"; it's one of the hardest problems in IT.