2009 - One Bold Prediction - Following the White Rabbit Blog

Well, it's official, we're all another year older now.

Welcome to 2009, and what I can only hope will be a great year in information security.

I'm sure you've all read your share of scary predictions for 2009 from vendors, journalists, bloggers and the like, so why should I deprive you of my thoughts? Rather than making some obvious statements about what 2009 will bring and linking them to my company's revenue stream in a sneaky way (everyone already does that), I'm going to be outright about it. This isn't rocket science, nor will my prediction be revolutionary... but here it is:

One of your web applications will be penetrated in 2009.

That's right, I said it, mark your calendars. One of the many, many web applications or web-services platforms you run will be broken into, and the scary thing is you probably won't even notice. Maybe you'll notice if the attacker messes up and causes you some downtime, but it's more than likely you'll never notice.

What do I recommend you do? It's simple:

  1. Produce a written policy for a web application security program, authorized and endorsed by your top-level management
  2. Educate your developers and staffers on web application development security best practices
  3. Get tested. Hire an outside party to penetration test your mission-critical applications and services to find your holes before an attacker does
  4. Implement a program based on people, process and tools to help streamline, automate, and integrate security into the SDLC

This isn't rocket science. Good luck out there in 2009, and don't be a statistic.

Posted 01-10-2009 8:36 AM by RafalLos
