I think we all can agree that 100% security is impossible; even when adding layer upon layer of defenses, systems will fail eventually. Furthermore, too much emphasis on obtaining "perfect" security will result in diminishing returns. When you get right down to it, though, what we're really trying to do is keep the bad guys from compromising our websites, and that doesn't necessarily require 100% security. The challenge is finding the right balance between resources put in (time / money) and adequately reducing (not eliminating) the likelihood of getting hacked. Still, people often mistakenly try to accomplish one by doing the other.
From my experience in website security there are two predominant types of "bad guys": troublemakers and the financially motivated. Troublemakers, I've found, are the most difficult to defend against. They'll often spend an extraordinary amount of effort (days, weeks, months, and sometimes years) to pull off a defacement, achieve administrative-level access, cheat at a game, alert('xss'), disrupt the user experience, and so on. To successfully defend against a troublemaker you must have perfect security all the time (impossible), while they just have to exploit one issue. Fortunately, the results of their antics are unlikely to cause substantive reputation or financial loss and mostly will just annoy you and waste time.
Interestingly, the financially motivated, the ones we really have to worry about, are easier to deal with since they conform to an ROI model. Financially motivated bad guys follow the path of least resistance by targeting the softer and more potentially lucrative websites. They're after credit card numbers, social security numbers, passwords, and other forms of useful sensitive information: whatever will help them pull off a fraudulent transaction. They might spend as much as a couple of days in sweeping attacks or a few weeks on targeted attacks if the reward looks promising, but probably no more, as other websites would prove easier. So if your website is too hard to hack, the bad guys will move on, probably to your competitors/peers.
There’s a funny joke that lends context:
Two guys are hiking and suddenly a bear starts chasing them...
The first guy says, "Are you crazy!? We can't outrun a bear!"
The second guy says, "I don't have to outrun the bear... I only have to outrun you!"
(In Hawaii we have a similar variant with surfers and sharks.)
The challenge in website security is knowing exactly how fast the bear and the other guy are, plus they tend to get faster over time. WhiteHat Security plans to release some statistics around this area soon. Apart from that, a good rule of thumb is that if XSS, SQLi and a few other attack classes can be found in your website within a few minutes/hours, then it's probably one of the masses playing Russian Roulette.