[vezzy-fnord]

Web application cracking really isn't all that difficult in our current age, especially with sufficient dedication and manpower, as the SEA certainly has.

There's simply so many vectors to get in. Every layer of technology you add is a potential layer of vulnerability. The state of security is appalling and people have been repeating this for so many years, but few other people listen (or they simply pretend to listen and convincingly appear as if they've taken precautions).

I doubt most of them have any particularly good coding skills. Large-scale Middle Eastern hackers and website defacers are primarily script kiddies. It's just that they have a lot of willpower and time to run vast automated attacks.

Actually a lot of high-profile attacks like this don't even involve exploiting the actual web application. Rather, they hijack nameservers, socially engineer domain registrars or find some external avenue or service to get in by enumerating open ports, seeing what's juicy and searching for exploits. They also phish a lot.

Information security is a very complex and intriguing field, but when it comes to merely cracking web applications from a purely practical point of view, it's relatively easy and especially so now that any wannabe hacker can just burn Kali Linux on a CD and read some tutorials on using tools.