Posted by hyperguard on February 5, 2010
art of defence’s Alex Meisel and Georg Hess contributed to the recent Cloud Security Alliance paper—Security Guidance for Critical Areas of Focus in Cloud Computing v2. The CTO and CEO are excited to have helped write the application security domain (no. 13).
Application Security (Domain no. 13) Premise:
Cloud environments — by virtue of their flexibility, openness, and often public availability — challenge many fundamental assumptions about application security. Some of these assumptions are well understood; however many are not. This section is intended to document how Cloud Computing influences security over the lifetime of an application — from design to operations to ultimate decommissioning. This guidance is for all stakeholders — including application designers, security professionals, operations personnel, and technical management — on how to best mitigate risk and manage assurance within Cloud Computing applications.
At RSA, the company will be extending these thoughts, along with the dWAF (distributed web application firewall) concept, as use cases. These use cases will include practical applications that companies deploy for SaaS, PaaS and IaaS. Stay tuned for more details and a download link!
Follow this discussion on twitter @hyperguard
Posted in Post
Posted by hyperguard on February 4, 2010
Information Security Magazine…
Attackers Zero in on Web Application Vulnerabilities
Robert Westervelt discusses how Web application vulnerabilities are turning up on websites all over the Internet at an alarming rate and account for more than 80 percent of the vulnerabilities discovered, according to the SANS Institute. In many cases, attackers exploit a Web application vulnerability to stage an attack that targets coding errors in client-side applications. While we may never get to the point of having zero vulnerabilities, companies can improve security by taking steps such as using a dWAF.
Computerworld…
Old Security Flaws Still a Major Cause of Breaches, Says Report
In this article, Jai Vijayan says recent reports show an overemphasis on tackling new and emerging security threats may be causing companies to overlook older, but more frequently exploited vulnerabilities. In 2009, the top three ways hackers gained initial access to corporate networks were via remote access applications, trusted internal network connections, and SQL injection attacks. Companies may have to reevaluate their security programs to make sure they are aware of both new and old vulnerabilities. The study suggests companies maintain an up-to-date list of assets, decommission older legacy systems as much as possible, and monitor third-party relationships. This is particularly true when applications are forced from the network to the cloud, which is why flexible security solutions are a must.
Web Host Industry Review…
70% of Firms Using Cloud Services Plan to Move More Apps to the Cloud
David Hamilton discusses a recent study showing seven out of ten companies currently using cloud-based services plan to move additional applications to the cloud, and most within the next year. Certain industries are adopting cloud technologies faster than others. The top three industries adopting cloud computing solutions are technology (with 53 percent), financial services (40 percent), and legal (37 percent). For those already using cloud computing solutions, email and CRM proved to be the most valuable. These organizations need to ensure that they secure all of the applications they add to the cloud.
Jeremiah Grossman…
Be Ready – With Answers
Since most security vulnerabilities are located in Web applications, application security professionals will need to be ready to answer their company’s questions. Jeremiah suggests making yourself visible by branding yourself and your team as the internal experts for “application security.” Share interesting links, summarize interesting white papers, and offer to coordinate workshops for management and development teams to keep them informed. Have answers ready by building your internal step-by-step plan for an application security program. Engage with the community by getting involved in a group such as OWASP to meet people, ask questions, and offer your input.
Posted in Highlights
Posted by hyperguard on February 3, 2010
If you really look at security breaches you will notice that the vast majority are caused from outside, not from inside. Security experts and industry personnel have led us to believe that disgruntled employees, misplaced documents, flash drives and devices, and poor management policies are more prevalent than hackers. Well, guess again. We spoke to art of defence’s Sebastian Haase on this and he shared with us that this is not necessarily the case. Yes, internal breaches do occur and they are serious, but so are external hacks, particularly those against the web application layer. If you look at Jeremiah Grossman’s presentation, Web Vulnerabilities Revealed: What everyone knew, but afraid to believe, you will read startling web vulnerability statistics based on the OWASP Top Ten and realize that these weaknesses are clear openings for hackers.
According to Jeremiah’s presentation, 9 out of 10 websites have serious vulnerabilities, and sites with urgent, critical or high severity issues will not pass PCI compliance, a major concern for financial services, retail and e-commerce. Another consideration is the amount of time it takes to fix a vulnerability: 67 days! This known weakness heightens the situation for companies and increases the chance of a severe breach. It is important to shield applications from web vulnerabilities with a distributed web application firewall (dWAF) and protect against widespread external hacks.
Follow this conversation on twitter @hyperguard
Posted in Post | Tagged: dWAF, OWASP, security breach, Top 10, web vulnerabilities | 1 Comment
Posted by hyperguard on January 29, 2010
Rational Survivability…
Cloud: Security Doesn’t Matter (Or, In Cloud, Nobody Can Hear You Scream)
In this post, Chris Hoff says that it doesn’t matter how “secure” Cloud providers suggest they are because in the long run it’s about how compliant they are. That’s what will determine the success of Cloud. Chris suggests that the core issue to tackle in Cloud is trust. Trust comprises Security, Control, Service Levels and Compliance. He says it is relatively easy to establish where we are today with the first three, but we will have to work harder to manage compliance.
Gartner Blog…
Another Lesson from the IE Zero Day Attacks on Google: The Power of Whitelisting
Neil MacDonald discusses lessons learned from the recent breaches of Google’s infrastructure as the result of attacks on unknown vulnerabilities in Internet Explorer for which no patch was available. He focuses on application control/whitelisting and believes that whitelisting at the endpoints would have stopped these attacks. If Internet Explorer had an unknown vulnerability, was subject to a zero-day attack and malicious code was dropped on the machine, the code wouldn’t be allowed to execute because it wasn’t on the approved list. Application control solutions provide straightforward and powerful protection. If code isn’t supposed to be running on a system, don’t let it run.
Securosis…
Low Hanging Fruit: Security Management
In this post, Mike Rothman discusses the discipline of security management. He stresses the importance of having a security program in place. When thinking about starting a program, make sure to define success, communication and accountability. He also suggests reviewing your incident response plan and monitoring everything so that you can react faster, especially logging, change detection and network behavioral analysis. By identifying your priorities and having a strong security program, it will be easier to determine what you need to be working on.
Posted in Highlights
Posted by hyperguard on January 27, 2010
A few weeks ago we posted about how RockYou, a provider of third-party apps for Facebook, MySpace and other social-networking sites, had a major SQL injection problem in its web application security. After experiencing a data breach that exposed 32 million users’ e-mails and passwords, RockYou has now analyzed the passwords that were hacked. The result? The most common password on the site was 123456.
The research also showed that 290,731 individuals used 123456 as their password. 12345 was the second most common password, used by 79,078 individuals, and the third most popular password was 123456789, used by more than 76,790 people. Thirty percent of users selected a password of six characters or fewer, and nearly half selected names, slang words, dictionary words or consecutive digits for their password.
The breach occurred because the users’ information had been stored in plain text and was exposed through a SQL security hole. While using a dWAF could have prevented this hack, users should also have been using more secure passwords.
As RockYou continues to review its security procedures and implement new practices, they will need to enforce a strong password policy since most users are choosing weak passwords on their own.
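To make the password problem concrete, here is an added example (not RockYou’s code or anything from the page) of the two controls the post is asking for: a policy check that rejects the kinds of passwords the analysis found (too short, digits only, dictionary words, the most common choices), and salted PBKDF2 hashing so that a leaked user table never contains plaintext. The three most common passwords come from the post; the rest of the blocklist, the eight-character minimum and the function names are assumptions made for this example.

```python
"""Password-policy check and salted hashing (added example, not RockYou's code)."""
import hashlib
import hmac
import os
import re
from typing import List, Optional

# Constructed blocklist: the three most common RockYou passwords named in the
# post, plus a few more of the same kind added for the example.
COMMON_PASSWORDS = {"123456", "12345", "123456789", "password", "qwerty", "abc123"}

# Assumption for the example: the post only says six characters or fewer was
# too short, so the minimum here is a chosen value, not one from the page.
MIN_LENGTH = 8


def password_policy_violations(password: str) -> List[str]:
    """Return the policy rules a candidate password violates (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password blocklist")
    if password.isdigit():
        problems.append("digits only")
    if re.fullmatch(r"[A-Za-z]+", password):
        problems.append("letters only (dictionary word or name)")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """Salted PBKDF2-HMAC-SHA256; this string is what gets stored, never the plaintext."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per user defeats shared rainbow tables
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def register(password: str) -> str:
    """Enforce the policy at sign-up, then store only the salted hash."""
    problems = password_policy_violations(password)
    if problems:
        raise ValueError("weak password: " + "; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    for candidate in ("123456", "letmein", "correct-horse-7Battery"):
        print(candidate, "->", password_policy_violations(candidate) or "accepted")
    record = register("correct-horse-7Battery")
    print("stored:", record)
    print("login with right password:", verify_password("correct-horse-7Battery", record))
    print("login with 123456:", verify_password("123456", record))
```

Had RockYou stored records like the `pbkdf2_sha256$...` string above, the same SQL hole would have leaked salted hashes rather than 32 million usable credentials, and the policy check would have kept 123456 out of the table in the first place.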
To read more about RockYou’s analysis of users’ passwords, check out this SC Magazine article.
Follow this discussion on Twitter @hyperguard
Posted in Post
Posted by hyperguard on January 22, 2010
Fellow OWASP member, Ofer Shezaf, recently presented at a chapter meeting, and gave an overview of how WAFs interact with cloud computing—both using the cloud and protecting cloud based applications. During his presentation he discussed the following scenarios:
- Enterprise Security Gateway
- WAF as a service: For protecting a data center or SaaS
- WAF for a cloud deployment: Host Based or Infrastructure Based
- WAF stubs
Mentioned in his presentation and also in an earlier post, Ofer notes that the two challenges facing WAFs in the cloud are bandwidth and complexity; however, art of defence has tackled these problems with hyperguard, which meets Xiom’s definition of a true WAF.

Ofer mentions hyperguard SaaS for AWS within his presentation, and notes that many well-known WAFs actually rely on little more than signatures and are hardly true WAFs. What is considered a true WAF for the cloud?

Xiom is a great source of information on WAFs and a resource for our readers. Check out Ofer’s blog at http://www.xiom.com/ and view his entire presentation under our ‘Resources’ tab.
Follow this discussion on Twitter @hyperguard
Posted in Post | Tagged: cloud, OWASP, WAF
Posted by hyperguard on January 22, 2010
The Forrester Blog for Security & Risk Professionals…
Why Google and Microsoft, Not Cloud Computing, Were at Fault for the Google Hack
In this post, Chenxi Wang discusses last week’s attack on Google, Yahoo, and more than 30 other companies and explores why this is not an attack on cloud computing. It’s known that a Microsoft browser vulnerability was exploited, some employee desktops were compromised and the attacker used these desktops via Google’s VPN to get to some of the servers. Google then issued an emergency refresh of the entire corporate VPN infrastructure. Chenxi says that exploiting browser vulnerabilities is a familiar attack method, one that has nothing to do with cloud computing. Compromising desktops and using VPN to further compromise servers is also nothing new. She says that what is at the root of the problem here is a vulnerability from everybody’s “favorite” software company, not the fact that the target of the attack is a major cloud computing company. Despite this, Google is at fault for not managing its risks adequately.
Information Week…
Why You Need a SaaS Strategy
Michael Biddick, President and CTO of the consulting and IT services firm, Fusion PPT, says that few companies have noticed just how powerful and grounded a force software as a service has become. The impact that SaaS will have on IT organizations is profound and business technology leaders will need to make sure their companies are ready for it. He offers 9 keys to SaaS strategy: select the right provider, sign the right contract, have a detailed exit strategy, manage the relationship, create a contingency plan, dig deep on interoperability and integration, agree on IT’s role in supporting the product, get senior executive support and involvement and align to the company objective.
CSO Online…
The Great PCI Security Debate of 2010: Part 2
Check out this debate with CSO’s Senior Editor Bill Brenner and Martin McKeay of the Network Security Podcast. They share their thoughts on whether PCI security is an industry savior or failure. If you haven’t heard part one yet, you can listen here.
Tactical Web Application Security…
2010 Web Application Security Predictions
Ryan Barnett looks at a few types of incidents that will likely happen over the next year. His predictions include: Web-based worms will migrate off social networking sites, planting of malware will become a top concern, attacks against Web-based critical infrastructure components and HTTP Denial of Service Attacks will take down important sites.
Posted in Highlights
Posted by hyperguard on January 15, 2010
Information Week…
Private Clouds Are A Fix, Not The Future
In this article, Cloud Connect’s Alistair Croll argues that internal enterprise clouds are temporary and will be followed by a migration to public cloud infrastructure. He predicts that for the next three or four years, enterprises will deploy private and hybrid clouds, and public cloud infrastructure will be reserved for startups, experimentation and testing. He says that within a few years, the true cloud operators will have an unavoidable cost advantage and will be closer to consumers. Computing legislation will catch up, and in three to five years there will be a second big enterprise IT migration from private to public infrastructures.
SearchSecurity.com…
Social Networks Face User Content Risks, Web Application Vulnerabilities
Rob Westervelt discusses how third-party applications on social networks could be the next means of attack for cybercriminals. If left unmonitored, security experts fear the applications that users have come to trust could be used to trick them into giving up account credentials or deliver spam and malware. In 2009, Link-sharing and discussion portal MetaFilter was on a long list of user-driven platforms and websites victimized by SQL injection attacks. OWASP is now taking a closer look at ways to scan and recognize potentially malicious coding posted by users on Web forums, user profile pages and other webpages where users freely post content.
IT Business Edge…
Fully Clouded By 2010?
A few weeks ago, Arthur Cole blogged about his prediction that virtualization and cloud computing would bring an end to IT infrastructure at small and mid-sized organizations, which would outsource these resources to regional dedicated data centers. While he still expects this to happen, he finds a recent report issued by Gartner to be interesting. It says that more than 20 percent of enterprises will have no IT infrastructure at all as early as 2012. If the change does happen that fast, IT departments should be prepared for a wild road ahead.
Jeremiah Grossman…
Top Ten Web Hacking Techniques of 2009 (Official)
Jeremiah Grossman lists the Top Ten Web Hacking Techniques of 2009. Every year the Web security community produces dozens of new hacking techniques documented in white papers, blog posts, magazine articles, mailing list emails and so on. The top 3 listed were: Creating a rogue CA certificate, HTTP Parameter Pollution (HPP) and Flickr’s API Signature Forgery Vulnerability (MD5 extension attack). Check out the post to see what else the judges included.
Posted in Highlights
Posted by hyperguard on January 13, 2010
SQL injections are one of the biggest problems in web application security. We’ve seen it with Heartland, 7-Eleven and Hannaford Brothers, and now RockYou. These attacks are widely known and publicized; however, it still takes companies that have experienced attacks 67 days to resolve these issues!
In early December, RockYou, provider of third-party apps for Facebook, MySpace and other social-networking sites, suffered a data breach that exposed nearly 32 million RockYou users’ e-mails and passwords. This information had been stored in plain text and was exposed through a SQL security hole. Now Alan Claridge, an affected user, has filed a proposed class action lawsuit on December 28, alleging that RockYou failed to properly secure his data, allowed hacker ‘igigi’ to gain access to it, and failed to promptly notify him about it.
Although we are not certain of the exact technology being used by RockYou, if a dWAF had been in place it could have prevented this hack and saved the company from this disaster. More importantly, RockYou could have protected its customers’ PII (personally identifiable information). Because a dWAF is flexible, it allows patches to be applied with minimal disruption to the network, which is quite helpful in situations like these.
Moving forward RockYou will be further investigating the breach, reviewing its security protocols and implementing new practices:
- Encrypting all passwords
- Upgrading the legacy platform with the same infrastructure and industry standard security protocols we employ on our partner applications platforms
- Reviewing our current data security features and ensuring that they meet industry standards and best practices
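As an added example (not RockYou’s code, which the post says is unknown, and not anything from the page), the following Python shows the pattern behind a SQL injection hole and the two ways of closing it that this post mentions: fix the query itself with a bound parameter, or, where the legacy code cannot be changed yet, put an allow-list check in front of it, which is the kind of rule a dWAF applies as a virtual patch. The table, the sample rows and the email allow-list pattern are constructed for the example; Python’s sqlite3 stands in for whatever database RockYou used.

```python
"""SQL injection: vulnerable lookup, parameterized fix, and a virtual-patch filter.
Added example; the users table and its rows are constructed, not RockYou's data."""
import re
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample table: a few users with plaintext passwords, the kind
    of data the post says RockYou had exposed."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [
            ("alice@example.com", "123456"),
            ("bob@example.com", "12345"),
            ("carol@example.com", "s3cure-Pa55w0rd!"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """BEFORE: the user-supplied value is spliced into the SQL text, so a value
    containing a quote can change what the statement means and return every row."""
    query = f"SELECT email, password FROM users WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_fixed(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """AFTER: a bound parameter is always treated as data, never as SQL, whatever
    characters it contains. This is the real fix; the filter below is a stopgap."""
    return conn.execute(
        "SELECT email, password FROM users WHERE email = ?", (email,)
    ).fetchall()


# Constructed allow-list for the one parameter this endpoint accepts. A virtual
# patch works best when the expected input shape is narrow, as it is for an email.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def virtual_patch_allows(email: str) -> bool:
    """Stand-in for a WAF rule in front of code that cannot be changed yet: only
    values that look like an email address are forwarded to the application."""
    return EMAIL_RE.fullmatch(email) is not None


def lookup_behind_patch(conn: sqlite3.Connection, email: str) -> List[Tuple[str, str]]:
    """The unfixed code, shielded by the allow-list; blocked requests return nothing."""
    if not virtual_patch_allows(email):
        return []
    return lookup_vulnerable(conn, email)


if __name__ == "__main__":
    db = make_db()
    normal = "alice@example.com"
    # Classic tautology input used to demonstrate the hole; see the asserts below.
    crafted = "x' OR '1'='1"
    print("vulnerable, normal input :", lookup_vulnerable(db, normal))
    print("vulnerable, crafted input:", lookup_vulnerable(db, crafted))   # whole table
    print("fixed, crafted input     :", lookup_fixed(db, crafted))        # []
    print("patched, crafted input   :", lookup_behind_patch(db, crafted)) # []
```

The point of the virtual patch is the 67-day gap the post complains about: the allow-list rule can be deployed in hours and buys time, but it protects only this parameter and only because an email has a predictable shape. The parameterized query is the change that actually closes the hole, and it should still be made.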
To read more background on the RockYou breach check out SC Magazine’s article.
Follow this discussion on Twitter @hyperguard
Posted in Post | Tagged: RockYou, security breach, SQL injection | 1 Comment
Posted by hyperguard on January 8, 2010
Cloud Switch…
5 Things to Do Before Moving to the Cloud
In this post, Ellen Rubin offers 5 steps that can help guide the thought process when considering a cloud deployment. She recommends that before moving an enterprise application to the cloud, you need to be sure that your expectations are realistic and your objectives match what the cloud can deliver. Here are the 5 things she suggests doing before moving to the cloud: determine your cloud objectives, pick an application that makes sense, involve the CSO/risk management team from the beginning, decide which cloud(s) are acceptable and create a sandbox where people can experiment. This article ties back to our series on Top Security Perils When Moving an Application to the Cloud— when you do move to the cloud, make sure you protect your applications with a dWAF.
Help Net Security…
Top 10 Application Security Trends
This article discusses The Denim Group’s list of the top application security trends for 2010. Some of the trends they list: Web mashup applications will result in new attack vectors; new data breaches will force organizations to focus on internal applications as well as external ones; and organizations will finally start asking, “How are we going to fix these vulnerabilities?” They also predict that organizations will move beyond scan-only approaches to application security, that the application security market will continue consolidating, that organizations deploying web application firewalls will increasingly use them for virtual patching, and that application security metrics will provide a foundation for decision-making.
Enterprise Systems…
Q&A: Understanding Private vs. Public Clouds
In this article, Linda Briggs speaks with Kenneth Ziegler, president and COO of a managed services firm that offers private cloud computing. He explains the differences between public and private cloud computing and what each is best suited for. Kenneth describes the public cloud as typically being used for processing power or shared storage delivered to a client on a “pay-by-the-sip” basis (often dollars per CPU hour or dollars per GB of storage). Hosted private clouds, by contrast, use “shared-nothing” architectures, custom designed for enterprise clients who have specific performance, compliance, and scalability requirements. They are delivered in “pay-by-the-glass” increments, requiring a minimum high-availability configuration, with clients adding their own virtual machines as they grow, all fully managed by the service provider. Check out the rest of the article for Kenneth’s list of advantages to cloud computing as well as what users should be aware of.
Posted in Highlights