Hyperguarding your Web Applications

Weekly Industry Round-up, Week of 7/19

Posted by hyperguard on July 23, 2010

Channel Web…
Surveys Reveal Cloud Computing Security Concerns
This article looks at some recent surveys that address IT professionals’ concerns with cloud security. The Information Systems Audit and Control Association (ISACA) reported that almost half of the IT professionals surveyed in the U.S. say the associated benefits of cloud computing are not worth the potential security risks. The majority of companies hosting IT services in the cloud, according to a survey conducted by Symantec and the Ponemon Institute, have no cloud-specific security policies and procedures in place. A third survey, sponsored by the Ponemon Institute and CA, found that while more than half of U.S. organizations are adopting cloud computing services, only 47 percent of the IT professionals surveyed believe that those services are properly secured.

CIO Update…
Cloud Computing – Evaluating Security-as-a-Service
Over the past few years, more and more businesses have turned to software as a service (SaaS) to reduce costs. Because of this, more traditional software security vendors are developing and enhancing their service-based offerings, including those in the “security as a service” category. These offerings typically include protection against Web and email threats, monitoring of inbound and outbound network traffic, and assessing an externally facing website for potential vulnerabilities. In this article, Matt Sarrel takes a look at some of the pros and cons of using security as a service offerings.

Network World…
Firefox Lets Hackers Grab Your Passwords
At the upcoming Black Hat security conference, Jeremiah Grossman of WhiteHat Security will present a demo showcasing how JavaScript can be used to collect passwords from Firefox and how to grab other personal data from IE 6 and IE 7. His demo will involve getting passwords out of Firefox’s Password Manager using Cross-Site Scripting (XSS); the execution simply requires tricking Firefox users into visiting a site hosting the XSS malware.

Posted in Highlights

Weekly Industry Round-up, Week of 7/12

Posted by hyperguard on July 16, 2010

Network World…
Top Cloud Computing Security Risk: One Company Gets Burned
Kevin Fogarty says that virtualization and cloud computing have not worn down the online security of most companies. However, they may be contributing to situations in which IT-service customers leave themselves vulnerable to attack because they assume their cloud provider is taking care of security. Since placement of responsibility for security in cloud computing arrangements is not clear, a Gartner report released this week listed access to information about how a cloud service works, and a service level agreement spelling out customer expectations and requirements, as things customers should look for. Research from the Cloud Security Alliance listed customer ignorance of security practices, and service providers’ refusal to give information to relieve it, among the seven top security risks in cloud computing. According to the CSA’s research, cloud projects and the risks they involve may be “complicated by the fact that cloud deployments are driven by anticipated benefits, [and] by groups who may lose track of the security ramifications.”

ChannelWeb…
10 Web Application Security Myths
This slideshow looks at 10 common myths about Web application security. The list includes:

  • A Web page is safe if it’s at the top of Google search
  • Users can’t get around company Web policies
  • Users can only become infected if they download files
  • A Web app is secure if it has that lock icon in the corner

Check out the article for a complete list of some of the biggest lingering misconceptions about Web application security.

Computerworld…
The Challenges of Cloud Security
In this article, Beth Schultz says some IT execs dismiss public cloud services as being too insecure to trust with critical or sensitive application workloads and data. However, she spoke with Doug Menefee, CIO of Schumacher Group, an emergency management firm. Doug says that although there are risks with anything you do, 85% of Schumacher Group’s business processes currently live inside the public cloud. Enterprises have much to think about when they consider using public cloud services, but Doug says they have to take a risk-based approach, as Schumacher Group has, with a strong focus on the data and what controls are needed.

Posted in Highlights

Weekly Industry Round-up, Week of 7/5

Posted by hyperguard on July 9, 2010

Data Center Journal…
Security and Legal Concerns Hamper Cloud
Jeffrey Clark says the cloud offers a number of benefits, both from the perspective of increased business value and from the perspective of reduced environmental impact resulting from the use of IT resources. However, despite its numerous benefits, the cloud continues to be weighed down by concerns revolving around security and various associated legal matters. With the Federal Government looking at the cloud as one means to reduce its data center footprint, the potential market for cloud-based services could explode. Cloud-service providers should consider the concerns of potential customers, especially in terms of security. Many providers believe that this information about data centers and procedures should be kept secret, but many customers (such as the Federal Government) want to be made aware of that information before signing on with a provider.

ReadWrite Enterprise…
41% of IT Pros Surveyed Admit to Abusing Admin Privileges
According to this article, of the over 400 IT professionals who responded to Cyber-Ark Software’s fourth annual “Trust, Security and Passwords” survey, 41% admitted to abusing administrative passwords to access sensitive or confidential information, such as HR records and customer databases—an 8% increase since last year’s survey. As a report by the Cloud Security Alliance points out, storing data in the cloud increases the total number of individuals with potential access to sensitive data, and thereby increases the risk of data theft by a malicious insider. But many of the same practices used to protect against internal data theft can be applied in the cloud as well. Some ways to deal with these issues? Trend Micro says companies should specify human resource requirements as part of legal contracts, determine security breach notification processes and require transparency into overall information security and management practices.

SC Magazine…
GAO: Federal Agencies Lack Advisement on Cloud Security
Dan Kaplan says that according to a new report from the U.S. Government Accountability Office (GAO), a growing number of federal agencies are running some form of cloud computing, but nearly all lack policies around securing data hosted offsite. The report, written by Gregory Wilshusen, director of information security issues at GAO, found that 22 of the 24 major federal agencies are either “concerned” or “very concerned” about the security risks associated with cloud computing. Despite that, half of the agencies have moved forward on cloud computing projects, mostly for the technology’s low-cost disaster recovery, data storage and self-service benefits.

Posted in Highlights

Weekly Industry Round-up, Week of 6/28

Posted by hyperguard on July 2, 2010

SC Magazine…
University of Maine Student Data Exposed
Hackers have compromised two University of Maine servers that were hosting personal and clinical information of more than 4,500 students who received counseling services in the last eight years. The first server was breached at the beginning of March, and the intruders used the newly gained information to compromise the second one. Methods employed to carry out the attacks successfully have not been disclosed and it is unclear whether the data was viewed or downloaded.

IT World…
15 Must-Listen Podcasts for Security Pros
Matt Neely, security researcher at SecureState, shares with us how he stays informed and on top of trends in this ever-changing security world. The two primary tools he uses are security podcasts and Twitter. Check out his post for background on the security podcasts he listens to. Stay tuned: in a future post he’ll be discussing how he uses Twitter to keep in touch with the security community and stay on top of emerging trends.

The Register…
The cloud’s impact on security?
Tony Lock of UK analyst house Freeform Dynamics describes his recent research, which looks at security and how fast cloud computing models are being adopted. The research shows that mass adoption of the hosted-service cloud model is a long way off, and that the internal, dynamic IT model may come sooner than we think; Tony says we have virtualization to thank for that. Read Tony’s article for the potential security challenges and how to tackle them.

Posted in Highlights

Free dWAF Evaluation for Breach Security Customers and Partners

Posted by hyperguard on June 25, 2010

Following the recent Trustwave and Breach Security acquisition, we will be providing Breach customers with a free evaluation of our distributed Web application firewall (dWAF) solution, hyperguard. Interested parties can trial the dWAF as a SaaS through Amazon Web Services (AWS) or download a software plug-in directly from our website. We are offering this for those who seek a future-proof solution to satisfy their immediate WAF needs. The solution is capable of supporting all future virtualization or cloud-based plans. hyperguard provides:

  • Application security monitoring for customers to understand the risk and exposure of their web and cloud applications to known attacks at the application layer without hyperguard interfering with web traffic.
  • ‘Detection only mode’ allows rule-sets to be tested but not enforced, alongside rule-sets in ‘protection mode’ that enforce already proven security policies without ever relaxing the established defenses or risking false positives.
  • hyperguard SaaS is also ideal for companies relying on, or thinking about using, cloud services, e.g. for application overflow resources.

AWS customers can access hyperguard SaaS by simply adding a small software plug-in to an existing web server Amazon Machine Image (AMI), or by using art of defence’s custom AMI.

Posted in Post

Weekly Industry Round-up, Week of 6/21

Posted by hyperguard on June 25, 2010

CTO Edge…
Security and Compliance in the Cloud Age
This article by Alert Logic’s Misha Govshteyn says that while the debate over private vs. public clouds carries on, there is very little attention paid to the fact that the accepted broader definition of the cloud—IT services delivered under the IaaS/PaaS/SaaS models—in effect brings about a gradual shift of the control over security from the enterprise to the service provider. He says this shift in responsibility and control will fundamentally change the way we secure our data. Enterprises and security professionals need to prepare themselves for the future demands of cloud computing by making the right decisions and deploying cloud-ready technologies today.

ServerWatch…
Cloud Computing With Less Security Risk
Paul Rubens says companies often feel their data is too sensitive to move to the cloud and that they will lose control over it and it will therefore be less secure. He offers some benefits to cloud computing, such as lower capital outlays, fixed, known monthly costs, scalability, low management overhead and immediate access to technology. Paul isn’t saying that all organizations should move all their computing tasks to the cloud, but many organizations could profit from the benefits described above if the security risk, real or perceived, could be reduced. Paul lists a number of questions to ask providers regarding security and compliance before deciding to move any applications to the cloud.

SC Magazine…
Researcher Demonstrates Twitter XSS vulnerability
This week a Twitter user demonstrated a cross-site scripting (XSS) vulnerability that could allow an attacker to take over users’ accounts or spread malware. A researcher found that the vulnerability affects the “application name” field on Twitter’s application registration page, used by developers when setting up a new Twitter application. The flaw appears to be the result of a lack of input validation of the “application name” field when accepting new requests for Twitter applications. The company is aware of the issue and has fixed it for new applications, but is still working to patch it in all programs.
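As an added illustration (not code from the article, and not Twitter’s own code), here is the defect described above in Python: a developer-supplied application name rendered into an HTML listing without validation or encoding, beside a hardened version that both validates the name at registration and encodes it at output. The allowlist pattern, the card markup and the sample names are assumptions constructed for the example; the point of encoding on output as well as validating on input is that names stored before validation was added are still rendered safely.

```python
import html
import re

# Assumed allowlist for application names: starts with a letter or digit, then
# letters, digits, spaces, dots, underscores or hyphens, 1 to 64 characters.
# This is an example policy, not the real registration rule.
APP_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._-]{0,63}")


def validate_app_name(name: str) -> bool:
    """Server-side input validation applied when a new application is registered."""
    return APP_NAME_RE.fullmatch(name) is not None


def render_app_card_vulnerable(name: str) -> str:
    """The defect the article describes: the stored name is interpolated into
    two HTML contexts (an attribute and an element body) with no encoding."""
    return f'<div class="app" title="{name}"><h2>{name}</h2></div>'


def render_app_card_hardened(name: str) -> str:
    """Contextual output encoding. html.escape with quote=True covers both the
    quoted-attribute context and the element-body context used here."""
    safe = html.escape(name, quote=True)
    return f'<div class="app" title="{safe}"><h2>{safe}</h2></div>'


def register_and_render(name: str, hardened: bool = True) -> str:
    """Mimics the registration flow: reject names that fail validation, then
    render the card as an application listing page would."""
    if not validate_app_name(name):
        raise ValueError("application name rejected by validation")
    if hardened:
        return render_app_card_hardened(name)
    return render_app_card_vulnerable(name)


def contains_active_markup(rendered: str) -> bool:
    """Crude check used only for this demonstration: does the rendered HTML
    still contain a raw <script> tag or an injected event-handler attribute?"""
    lowered = rendered.lower()
    return "<script" in lowered or ' onmouseover="' in lowered


# Constructed sample inputs for the demonstration (not real submissions).
BENIGN_NAME = "Weather Widget"
SCRIPT_PAYLOAD = "<script>alert(1)</script>"      # element-body injection
ATTR_BREAKOUT = 'x" onmouseover="alert(1)'        # attribute-context injection

if __name__ == "__main__":
    for sample in (BENIGN_NAME, SCRIPT_PAYLOAD, ATTR_BREAKOUT):
        print("input:      ", sample)
        print("valid?      ", validate_app_name(sample))
        print("vulnerable: ", render_app_card_vulnerable(sample))
        print("hardened:   ", render_app_card_hardened(sample))
        print()
```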

Posted in Highlights

Weekly Industry Round-up, Week of 6/14

Posted by hyperguard on June 18, 2010

eSecurityPlanet…
Can Federal Data Privacy Live on in the Cloud?
For government, privacy and data security are a priority, and now many government IT agencies are planning to move their computing operations to the cloud. According to this article by Kenneth Corbin, the transition to the cloud is already well underway in federal IT circles, and with it John Kropf, the deputy chief privacy officer at the Department of Homeland Security, is developing policies and safeguards to keep sensitive data secure as the traditional silos of federal IT infrastructure are torn down. However, classified national security information is not on the table when government officials talk about the cloud. And many agencies have a mixture of sensitive information that may find a home on a secured private cloud, as well as troves of data that can, and should, according to the White House, be made publicly available on the Web.

Jeremiah Grossman…
Anti-WAF-Software-Security-Only-Zealotry
Jeremiah Grossman recently asked his Twitter followers why some people feel oddly compelled to rely upon the shortcomings of Web Application Firewalls (WAFs) as a means to advocate for a Secure Development Lifecycle (SDL). He believes this is odd because the long-term, risk-reducing value provided by secure code is enough on its own to warrant the investment, and says that if you can’t demonstrate that, blame directed at WAFs seems misplaced. Most importantly, we must remember that our objective is to protect websites from being hacked. He suggests organizations should focus on the many cost-saving, risk-reducing, top-line-benefiting qualities that come with implementing a well-regulated software security program. He also says that at the end of the day, our common enemy is really the lack of application security visibility and the allocation of necessary resources. If we come together and help address this as an industry, we’ll all be better off, and the pressure of this either/or choice will be lessened.

CSO…
Cloud Security: The Basics
With cloud computing being one of the most-discussed topics among IT professionals today, this article by Mary Brandel lays out the essential concepts of cloud security. It looks at cloud models including software as a service (SaaS), infrastructure as a service (IaaS) and platform as a service (PaaS). Mary also provides examples of how four companies chose to handle some of the biggest concerns that users have, such as single sign-on, data encryption, virtualization and business continuity.

Posted in Highlights

Weekly Industry Round-up, Week of 6/7

Posted by hyperguard on June 11, 2010

CIO…
Cloud Computing: Would PCI Compliance Help or Hurt Security?
This article discusses whether cloud computing environments can meet PCI compliance standards. Many security experts say they can’t answer that question yet, but the bigger question is whether meeting PCI standards would actually improve cloud security. There has been talk that cloud security would be included in the most recent update of the Payment Card Industry Data Security Standard (PCI DSS), which sparked debates on whether requirements designed to protect credit-card data would actually make cloud services less secure. While IT practitioners question PCI’s role in the cloud, few doubt the need for cloud security standards: a March study by IEEE and the Cloud Security Alliance found 82% of IT professionals believe the need for cloud-specific security standards is urgent.

Computerworld…
Who Still Keeps Money Under their Mattress? The Case for Cloud Security
This post by Ryan Nichols says massive amounts of data are lost every day through the failure of on-premises technology: companies know how often e-mails or files on local or shared drives are lost or corrupted, and how easy it is in many companies to plug into the network without credentials. These incidents usually go unnoticed, but when public cloud technology fails, it makes headlines. Cloud providers spend millions of dollars on security and reliability testing every year, and their businesses depend on delivering a service that exceeds the expectations of the most demanding enterprises; this is why Ryan argues that data is probably safer in a leading cloud platform than it is in most on-premises data centers. Right now, many companies would probably disagree and say they feel safer having data in their own data center. It will be interesting to see how this debate plays out as more organizations start to adopt cloud technology.

ZDNet…
Microsoft Finally Fixes Pwn2Own Browser Flaw
This week, Microsoft’s Patch Tuesday delivered 10 security bulletins with fixes for at least 34 documented vulnerabilities. This “patch batch” also provides cover for a known cross-site scripting flaw in the Microsoft SharePoint Server and a publicly discussed data leakage hole in Internet Explorer. Microsoft has urged its users to pay special attention to MS10-033 (Windows), MS10-034 (ActiveX killbits) and MS10-035 (Internet Explorer) because these contain fixes for issues that may be exploited by malicious hackers very soon.

Posted in Highlights

Google’s SaaS Contract with Los Angeles

Posted by hyperguard on June 10, 2010

Los Angeles recently selected Google Apps to provide the city with cloud services, which over 30,000 of its employees will use. After hearing this news, we came across a blog post that looks at Los Angeles’s contracts with Google and CSC, the company implementing Google’s SaaS for the city, and its provisions. With the terms of the contract publicly available, will this set a standard for the security industry?

Los Angeles has separate contracts with Google and CSC, and based on reports, the deal includes the following terms:

  • unlimited damages for a data breach
  • provisions allowing audits
  • guarantees that data remain in the contiguous 48 states
  • penalties if Google’s services are unavailable for any longer than 5 minutes a month
  • unlimited damages if its nondisclosure agreement is breached
  • a requirement that Google encrypt the city’s data and break it into pieces when it is at rest, so that no one can get their hands on a full file
  • a bar on Google viewing any data without permission from the city

The contract also requires CSC to establish a security program to ensure the confidentiality of protected information, including protection against anticipated threats, unauthorized access and use, and the proper disposal of protected data. The Google contract also contains security obligations, such as “all facilities used to store and process customer data will adhere to reasonable security standards no less protective than the security standards at facilities where Google stores and processes its own information of a similar type.”

As cloud computing becomes more favorable among companies, and cities as it turns out, security is one of the most important factors to consider when moving applications to the cloud. Could these contracts become a template for the industry—helping to protect companies and clearly outline what vendors are responsible for?

Posted in Post

Weekly Industry Round-up, Week of 5/31

Posted by hyperguard on June 4, 2010

ChannelWeb…
Facebook Clickjacking Worm Infects Thousands
Last week we mentioned how clickjacking attacks use malicious iFrames inserted into a Web page to hijack a user’s Web session. Then, over the weekend, a Facebook clickjacking worm affected thousands of users, spreading malware and unwanted code onto users’ computers when they clicked a link indicating that they “like” the maliciously created Web page. Users have been encouraged to view recent activity on their Facebook news feed and delete entries related to the malicious links. They should also click on the Info tab on their personal profile and remove any of the links connecting to Web pages via their “likes and interests” section.

Enterprise Networking Planet…
Web Application Security: Are You Doing Enough?
This article by Paul Rubens discusses last month’s “State of Application Security” survey carried out by the Ponemon Institute. Many organizations are leaving their data vulnerable to theft because they spend too much of their security budgets protecting their networks and too little securing their Web applications. Securing both the network and Web applications should be key priorities, so what this comes down to is a problem of resource allocation: if you spend too much of your security budget on your network, hackers will steal data via your Web applications, but if you spend too much on your Web applications, there won’t be enough of your budget left to prevent them stealing data by breaking into your network. If companies decide to allocate more of the security budget to Web application security, Paul suggests performing regular scanning for known vulnerabilities and coding errors using a specialized Web vulnerability scanner, or even full-scale penetration testing.

The Virtualization Practice…
Defining Tenants for Secure Multi-Tenancy for the Cloud
This post by Edward Haletky argues that there is more to securing multi-tenancy (SMT) than one would imagine. So how would you define tenant when nearly everyone has their own definition of tenant for a multi-tenant solution? Attorney David Snead defined tenant as “whatever definition is used within the contract.” If there is no definition within your contract then assumptions are made, so Edward tends to fall back on defining tenant as “the legal entity responsible for the data”; either way, you need to read your contracts carefully. Edward believes that once we can define tenant appropriately, the provider needs to offer some level of security far above what any one tenant may desire, but which a tenant can at some point in time acquire as necessary. After we define tenant satisfactorily, we should start to look at what we need from the provider and what is really left to the tenant to implement; in other words, roles and responsibilities.

Posted in Highlights
