"Remember when attackers were just out for fame and glory, and application security was someone else's problem? Big targets like Microsoft and Oracle drew the fire. All enterprise IT had to do was apply patches regularly and keep a properly configured firewall.
Those days are gone. Cracking corporate networks is no longer a kid's game, it's a lucrative criminal growth industry. The attackers who stole 45.6 million credit- and debit-card numbers from TJX Companies were professional enough to remain undetected for at least 10 months. Meanwhile, major software vendors, including Microsoft, have improved their security practices, which puts niche and in-house-developed software and Web applications squarely in the bad guys' sights."
Quite a nice paper.