I was reading another article today about a study discussing whether data thefts can be prevented.
I agree that many businesses could do more if they tried, and I also think the apps could be secured appropriately if they wanted to. Now, in my previous life before MSFT, I did a few consulting jobs on eCommerce applications. On more than one occasion companies chose the cheap way out rather than opting for security. In one instance a customer didn't want to spend the money on an additional SQL Server license for the DMZ (to replicate a subset of the data from the internal network out to the DMZ), so they allowed traffic to go straight from the App Server in the DMZ into the internal network's SQL Server. What happens then if the web application is compromised? The attacker has access into the internal network! In this case what is the point of a DMZ?
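As an added example (not from the original post), here is a small audit of a constructed firewall rule set that flags the arrangement just described, an App Server in the DMZ allowed straight through to the internal SQL Server, and passes the intended layout where the DMZ app tier only reaches a replica in the DMZ and replication is initiated from inside. The address ranges, host roles and rules are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SQL_PORT = 1433  # default SQL Server TCP listener

@dataclass(frozen=True)
class Rule:
    src: str     # CIDR
    dst: str     # CIDR
    port: int    # 0 = any port
    action: str  # "allow" or "deny"

def decide(rules, src_ip, dst_ip, port):
    """First matching rule wins; anything unmatched is denied (default-deny)."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for r in rules:
        if src in ip_network(r.src) and dst in ip_network(r.dst) and r.port in (0, port):
            return r.action
    return "deny"

# Constructed addresses (assumptions): DMZ app server, DMZ SQL replica, internal SQL Server.
APP_DMZ, SQL_DMZ, SQL_INTERNAL = "192.0.2.10", "192.0.2.20", "10.0.5.15"

def audit(rules):
    """Return the flows whose decision differs from what the DMZ design requires."""
    expected = {
        (APP_DMZ, SQL_DMZ, SQL_PORT): "allow",       # app tier reads the replicated subset
        (APP_DMZ, SQL_INTERNAL, SQL_PORT): "deny",   # the DMZ must never reach the internal DB
        (SQL_INTERNAL, SQL_DMZ, SQL_PORT): "allow",  # replication pushed outward, internal-initiated
    }
    return [flow for flow, want in expected.items() if decide(rules, *flow) != want]

# The "cheap way out": no DMZ replica, one allow straight from the DMZ into the internal SQL Server.
CHEAP = [Rule("192.0.2.0/24", "10.0.5.15/32", SQL_PORT, "allow")]

# The segmented layout: app tier talks only to the DMZ replica; everything DMZ -> internal is denied.
SEGMENTED = [
    Rule("192.0.2.10/32", "192.0.2.20/32", SQL_PORT, "allow"),
    Rule("10.0.5.15/32", "192.0.2.20/32", SQL_PORT, "allow"),
    Rule("192.0.2.0/24", "10.0.0.0/8", 0, "deny"),
]

if __name__ == "__main__":
    # CHEAP fails all three checks (no replica path, and the DMZ reaches the internal DB);
    # SEGMENTED returns an empty list.
    print("cheap:", audit(CHEAP))
    print("segmented:", audit(SEGMENTED))
```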
With companies still choosing the cheap way out, it's no surprise articles like this are written. Until companies take security seriously, are prepared to spend the money to do it right, and take the potential business risk into account, we will still have a risk of data theft.