Seriously, I don't get it. It is 2009, network firewalls have been here for more than twenty years, and people (information security professionals, no more no less!) still make the amateur assumption that they will solve all their security problems.
I've been reading HSBC's "Security guarantee" on their website (http://www.offshore.hsbc.com/1/2/international/internet-banking/how-we-protect-you), which states that they use the most advanced security systems and software to protect customer accounts, including:
Now that is secure, isn't it? Well, no… Since the application has access to the database, a skilled hacker would use encryption to bypass the network firewall (a firewall cannot inspect encrypted traffic), and the user name/password fields could be used to perform phishing, Cross Site Scripting (XSS) and SQL injection (diagram above).
In the year 2009, application security should be on the CISO's agenda and network firewalls should be left to network administrators. Web applications should be protected by Web Application Firewalls (WAF), by constantly reviewing the source code to detect vulnerabilities, and by training software architects and developers.
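To make the point concrete, here is an added example (not from HSBC or the original post) of the login-form SQL injection the paragraph above refers to: the request arrives over HTTPS on port 443, so the network firewall passes it untouched, and only the application code decides whether the field contents become SQL. The user table, the password-hash values and the crafted username are all constructed for this demonstration; password hashing itself is omitted for brevity.

```python
import sqlite3


def make_db():
    # Constructed in-memory user table for the demonstration (not real data).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash_of_alice_pw')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    # The statement is built by string concatenation, so whatever the user
    # typed into the form becomes part of the SQL. Nothing at the network
    # layer can see this: the request was encrypted end to end.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password_hash = '" + password_hash + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn, username, password_hash):
    # Parameterised query: the driver passes the values separately from the
    # statement text, so form contents can never alter the query's logic.
    # This is the application-layer fix the post argues for.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone()[0] > 0


def demo():
    conn = make_db()
    # Constructed username that closes the quoted string, adds a tautology
    # and comments out the password check in the concatenated version.
    crafted = "' OR '1'='1' -- "
    return {
        "vulnerable_legit": login_vulnerable(conn, "alice", "hash_of_alice_pw"),
        "vulnerable_crafted": login_vulnerable(conn, crafted, "anything"),
        "safe_legit": login_safe(conn, "alice", "hash_of_alice_pw"),
        "safe_crafted": login_safe(conn, crafted, "anything"),
    }


if __name__ == "__main__":
    for case, logged_in in demo().items():
        print(f"{case}: {'logged in' if logged_in else 'rejected'}")
```

The concatenated version accepts the crafted username without any valid credentials, while the parameterised version treats it as an ordinary (non-existent) user name and rejects it.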
Tuesday, September 15, 2009
How we protect you... Yeah, how?