With over 6 years of experience in penetration tests of all sorts of systems from networks to web applications to databases to many others more, I can say that i have successfully achieve my goals as "hacker" or a white hat. As usual, i am constantly keeping myself abreast of the lastest exploits and hacking methodology. I am not really a true researcher, but however a guy who loves to read all sorts hacking books or articles.
Well, with the recent work i am doing on web applications, i can say that most web applications are truly not secure and hackable, except for a few out there. It all boils down to the developers and the customers. Those customers have no idea of how secure programming is so important. Once they are hacked, their reputation is gone and data is lost. From what i see, customers are always eager to launch their application online maybe because of certain time frame they have to meet or maybe because they are eager to let the consumers know more about their services and products, but they did not think about security on their applications as a whole. Well, i would advise them to think twice and think about the possibility of being hacked hard time. Below are a few guidelines that i got from Jeremiah's whitepaper that after reading it, i feel that it is important to embrace it, rather than treating it just like another whitepaper.
Secure Code: Application developers must consider security
from the beginning. Involve the security staff early in the
QA Development: Experienced staff must perform periodic
security as well as usability reviews.
Stay up-to-date on patches and configured securely.
Continuous assessments: Covering both technical and logical
issues on the production web site as its being changed.
Also, for those who are paranoid about your web applications and have no budgets to spent, you guys should install an Web Application Firewall like ModSecurity to shield off most of the attacks and moreover, it is customizable where you can add your own ruleset. There are also a few open source WAF like PHP-IDS for XSS, URLSCAN for IIS and some others. Commercial ones are available too. It all depends on how much you can spend and what do you really need.
The Hacka Man