DEF CON Survey Reveals Vast Scale of Cloud Hacking - And the Need to Bolster Security to Counter the Problem

By Fortify Software, PRNE
Monday, August 23, 2010

SAN MATEO, California, August 24, 2010 - An in-depth survey carried out recently amongst 100 of the elite IT professionals
attending this year's DEF CON 2010 Hacker conference in Las Vegas
has revealed that hackers view the cloud as having a silver lining for them.

And a gold, platinum and diamond one, it seems, as an overwhelming 96
percent of the respondents to the Fortify Software-sponsored poll said they
believed the cloud would open up more hacking opportunities for them.

This is being driven, says Barmak Meftah, chief products officer with the
software assurance specialist, by the hackers' belief that cloud
vendors are not doing enough to address the security issues of their
services.

"89 percent of respondents said they believed this was the case and, when
you analyze this overwhelming response in the light of the fact that 45
percent of hackers said they had already tried to exploit vulnerabilities in
the cloud, you begin to see the scale of the problem," he said.

"While 'only' 12 percent said they hacked cloud systems for financial
gain, that still means a sizeable headache for any IT manager planning to
migrate their IT resources into the cloud," he added.

According to Meftah, when you factor in the prediction made by numerous
analysts at the start of 2010 that 20 percent of businesses would have their
IT resources in the cloud within four years (bit.ly/7dvygF), you begin
to appreciate the potential scale and complexity of the security issues
involved.

In the many predictions, he explained, 20 percent of organizations would
own no appreciable IT assets, but would instead rely on cloud computing
resources - the same resources that 45 percent of the DEF CON 2010 attendees
in the survey cheerfully admitted to already having tried to hack.

Breaking down the survey responses, 21 percent believe that
Software-as-a-Service (SaaS) cloud systems are the most
vulnerable, with 33 percent of the hackers having discovered public DNS
vulnerabilities, followed by log files (16 percent) and communication
profiles (12 percent) in their cloud travels.

Remember, says Meftah, we are talking about hackers having DISCOVERED
these types of vulnerabilities in the cloud, rather than merely making an
observation.

DEF CON has evolved considerably since the first event was held way back
in 1993, and the hackerfest in the last couple of years has attracted 8,500
of the world's top hackers and IT security researchers. "Anecdotal evidence
suggests this year's Las Vegas event was even more successful, meaning that
our survey results highlight the very real security challenges that lie ahead
for cloud vendors and security defense professionals," he said.

"More than anything, this research confirms our ongoing observations that
cloud vendors - as well as the IT software industry as a whole - need to
redouble their governance and security assurance strategies when developing
solutions, whether cloud-based or not, as all IT systems will eventually have
to support a cloud resource," he added.

"It is of great concern to us here at Fortify that the message about
software assurance has still to get through to everyone in the software
development community, and the DEF CON survey results strengthen our resolve
to get this message across to as large an audience as possible."

About Fortify(R)

Fortify's Software Security Assurance products and services protect
companies from the threats posed by security flaws in business-critical
software applications. Its software security suite - Fortify 360 - drives
down costs and security risks by automating key processes of developing and
deploying secure applications. Fortify Software's customers include
government agencies and FORTUNE 500 companies in a wide variety of
industries, such as financial services, healthcare, e-commerce,
telecommunications, publishing, insurance, systems integration and
information management. The company is backed by world-class teams of
software security experts and partners. More information is available at
www.fortify.com or blog.fortify.com. Find Fortify on
Twitter: @Fortify.

Lisa Croel, Fortify Software, +1-650-378-5072, lcroel at fortify.com
