Hyperguarding your Web Applications

Archive for November, 2009

Weekly Industry Round-up: Week of 11/23

Posted by hyperguard on November 27, 2009

Firefox flaws account for 44% of all browser bugs
This article by Gregg Keizer discusses Firefox accounting for almost half of all browser vulnerabilities in the first six months of 2009. According to California-based Cenzic, Mozilla’s browser had the largest share, Apple’s Safari came second, Microsoft’s Internet Explorer (IE) was third and Opera Software’s flagship browser took fourth place. Cenzic’s chief technology officer says that “the number of vulnerabilities is only one measurement of a browser’s security. We’re not trying to point a finger at any one browser. I would certainly not abandon Firefox because of this.”

Search Data Center…
The mainframe’s potential for Web services and cloud computing
In this post, Wayne Kernochan discusses how web services let IT departments make a legacy mainframe application available to the organization and to its global customer and partner base. “Cloudization”, or virtualization of mainframe applications, complements Web services by making the mainframe application much more flexible: IT can shift workloads between platforms, and even if a cloud does not contain a mainframe, IT can still move mainframe application instances to and within a remote cloud.

Cloud computing less cloudy, but IT pros still skeptical
This post by Carl Brooks says that, according to attendees at Interop this past week, IT pros may still be confused about what cloud computing can and cannot do, but they are sure they want it. Thanks to a general community agreement on the basic properties of cloud computing, plus some heavy marketing, people are now much more knowledgeable about it, though still skeptical.

Cloud computing: Which IT projects are right for the cloud?
This article by Cara Garretson looks at which IT functions are well suited to cloud computing and which should stay in the data center. It suggests picking a project that supports a business opportunity and could easily be moved into the cloud to save costs and resources; it should not involve core competencies, and moving it offsite should not create a security risk. Taking on a cloud computing project may require extensive research and preparation, but the payoff can be significant when it is done correctly.

Posted in Highlights

OWASP Top 10 Release Candidate 2010— OWASP Podcast Interview

Posted by hyperguard on November 25, 2009

On episode 54 of the OWASP podcast, Georg Hess, OWASP chapter head for Germany and CEO and co-founder of art of defence, speaks with Matt Tesauro at OWASP’s AppSecDC show about the Top 10 release candidate 2010 and the impact it will have on the industry.

Listen here for OWASP insight on the release candidate.

Posted in Post

Weekly Industry Round-up: Week of 11/16

Posted by hyperguard on November 20, 2009

CSO Online…
The Cloud Security Survival Guide
This article by Bill Brenner collects articles, columns and audio to help IT security practitioners and companies that are increasingly dependent on cloud services. “Defining Cloud Security: 6 Perspectives”, “Cloud Computing: Make the Right Choices” and “Why Security Pros Have Their Heads in the Cloud” are just some of the pieces worth looking into.

Andy IT Guy…
Building a Security Program from the Ground Up
In this post, Andy asks readers to think about what the first and second things they would implement would be if they were starting a new position and had full say in building a security program. Andy says that if he were in that position, the first thing he would implement is a monitoring system, to have some insight into what is going on. Once that was in place he would implement a Vulnerability Management program that starts with application and OS patching and then focuses on scanning, testing, exploiting, etc. As that is being rolled out, he would work on getting a good Security Awareness Training program in place to help users understand the risks. What would you do?

Dark Reading…
Microsoft Report: Worms Rise, New Vulnerabilities Decline
In this article, Kelly Jackson Higgins discusses Microsoft’s latest report, which states that worms are on the rise as new vulnerabilities decline. Version 7 of Microsoft’s Security Intelligence Report (SIR) found that worms are now the number two threat, behind Trojans. It also found that the total number of reported vulnerabilities across the industry decreased by nearly 30 percent from the second half of ’08, with fewer than 2,500 new vulnerabilities disclosed in the first half of this year versus more than 3,000 in the second half of last year.

Tech News World…
Certified Ethical Hacker: Not Your Everyday Job
This post by Ryan Corey discusses how some hackers are in the business of improving security. Certified Ethical Hackers are paid by companies and government agencies to test their computer systems against the sort of attacks “the bad guys” often attempt to pull off. These Certified Ethical Hackers play a serious role in preventing malevolent cyberattacks on businesses, government and the military. Since the threat to any network, server or database is always present, the profession of ethical hacking has room to grow.

Posted in Highlights

‘Tis the Season for Overflow Help (look to the Cloud?)

Posted by hyperguard on November 18, 2009

The holiday season is upon us, and the load has the potential to crush under-resourced companies that depend on e-commerce. Hundreds of thousands of visitors per day can turn into a mad rush of millions, bringing online sales crashing down. Amazon Web Services (AWS), Google and other cloud providers are preparing to provide overflow capacity for those in need.

The world is not all roses, however, and companies should understand that beyond their secure network perimeter lie security threats (ahem, OWASP’s new Top 10) targeting the application itself. Since it takes a company an average of 67 days to fix a common web application issue such as Cross-site Scripting, the holiday season could spell trouble for companies without adequate security measures in place to provide protection, such as a ‘virtual patch’ (like a cloud-based WAF), until the real patch can be developed.

Just imagine all the revenue lost in the 67 days it would take to fix the problem at the code level without shoring up the vulnerability in the meantime.

Don’t agree with the 67-day estimate? Javed Ikbal of zSquad illustrated why this is common (and why even 67 days might not be enough!) in a painfully humorous way:

Day 1-10: Denial. We don’t have that problem
Day 11-20: Management: Must we do this? Why couldn’t you do it right the first time
Day 21-25: Finger-pointing phase. Who is going to pay for this? Is this funded? Who is the project manager?
Day 26-35: Project plan developed. Resource not allocated
Day 36-45: Pre-meetings and meetings. Project still not funded
Day 46: CTO chews out VP of software engineering
Day 47: Project is funded
Day 48-49: Research
Day 50: Vulnerability fixed
Day 51-55: Regression testing. The fix broke 10 other things.
Day 56-60: Fix the new items
Day 61-65: More regression testing
Day 66: Meeting where VP of engineering tries to take all credit
Day 67: Promoted to Production

Posted in Post

67 Days to Fix a Serious Web Vulnerability?

Posted by hyperguard on November 16, 2009

We recently heard some startling information—WhiteHat reported that it takes the industry an average of 67 days to fix Cross-Site Scripting (XSS) issues! They shared this finding during a presentation revealing research on the progress companies are making in Web application security.

According to Jeremiah Grossman, WhiteHat found that 83% of websites have had at least one serious vulnerability, and 64% of websites currently have at least one serious vulnerability, the most prevalent being XSS. Although awareness of XSS is building and organizations know how to fix it, Jeremiah says it still takes time to resolve the issue. A vulnerability that stays open for 67 days can mean a downturn for the website or a loss in revenue. Why is it difficult for some companies to resolve vulnerabilities quickly? This can happen for a number of reasons: the code is old and no one currently at the organization can maintain it, the code was outsourced, or the error does not cause a compliance violation and gets overlooked.

The presentation went on to say that only 30 to 60% of vulnerabilities ever get fixed. Although there is awareness of web application problems, not enough is being done about them. Imagine how an ecommerce site would suffer during the holiday season if it carried a web vulnerability for 67 days! This is a common issue, and one the cloud computing industry is particularly susceptible to: one of the major uses for cloud services right now is overflow capacity during holidays and other periods of abnormally high web traffic. This is why we have made hyperguard SaaS for Amazon Web Services available: to allow companies to extend protection into the cloud.

Posted in Post

Weekly Industry Round-up: Week of November 9th

Posted by hyperguard on November 13, 2009

Around the Blogosphere…
This week we’ve been on the ground at the OWASP AppSecDC Conference, where the Top 10 Most Critical Web Application Security Risks have been made available as a release candidate. The new Top 10 is about risks, not just vulnerabilities. Our friend Jeremiah Grossman shared the OWASP document and posted comments live from the show. It will be interesting to see how these new risks will impact the industry, including PCI compliance and the Cloud Security Alliance. Check out #OWASP for real-time commentary.

Dark Reading…
New Security Certification On The Horizon For Cloud Services
Writer Kelly Jackson Higgins speaks with Jim Reavis, co-founder and executive director of the Cloud Security Alliance, about the need for a security certification for cloud service providers. Some currently use SAS 70 and ISO 27001, but experts say neither is sufficient to assure potential cloud customers that the provider has deployed proper security or that their data is sufficiently locked down. According to Reavis, we should expect the industry to move forward with this certification around the first quarter of 2010.

Web Application Vulnerability Assessment Shows Patching Progress
In this article, Robert Westervelt discusses how companies are making progress in Web application security. The latest research by WhiteHat Inc. found a 61% vulnerability resolution rate, a slight increase. There is still much work to be done, since 64% of websites contain at least one serious vulnerability. WhiteHat is now focusing on figuring out what works for the companies that resolve the most serious vulnerabilities quickly.

Dark Reading…
Cost, Strength Of Security Drive Users Toward SaaS Offerings
Using an excerpt from Dark Reading’s report, “Security Software as a Service: Navigating The New MSSP Landscape”, Charlotte Dunlap investigates the pros and cons of security SaaS and provides tips on choosing the right provider. She also cites an interesting study conducted by Infonetics Research: 81 percent of respondents said improving the strength of the enterprise’s security is the No. 1 reason for moving to the SaaS model. Other top reasons cited were cost, time to deploy and centralized management. One key point: 82 percent of those surveyed plan to use SaaS offerings to augment, not replace, their existing security deployments. This is a great overview of businesses’ perceptions of SaaS and their intent to move to the cloud. For more information on this topic, download Dark Reading’s report here.

SC Magazine…
Vulnerability Assessment Integration with Web Application Firewalls
This article by Jeremiah Grossman discusses how, even for proactive organizations, finding and fixing flaws in website code is a complex, time- and resource-intensive task. He provides a must-have checklist for organizations that includes production-safe scanning, accuracy, a precise reporting format, assessment repeatability, WAF/IDS SSL support, and flexible and actionable rules. It would be ideal if 100 percent secure code could be developed, but until then, Jeremiah says, integrating website vulnerability assessment with Web application firewalls gives IT security professionals control over website security. Having the right solution can noticeably improve how an organization handles and overcomes web vulnerabilities.

Posted in Highlights

dWAF as SaaS available through AWS

Posted by hyperguard on November 10, 2009

Today we announced hyperguard SaaS—the industry’s first dWAF offered as a SaaS through Amazon Web Services (AWS). AWS customers or solution providers can protect applications by applying hyperguard SaaS either as a software plug-in to an existing web server Amazon Machine Image (AMI) or by using AoD’s custom AMI. The solution addresses the limitations of traditional WAFs, which were not designed to secure cloud applications.

It is highly scalable and ideal for virtualized resources—AoD hosts the resource-heavy pieces of the dWAF on Amazon EC2 and leaves just a small footprint on the customer’s AMI. Therefore, hyperguard scales simply with the number of web server AMIs running the protected application, with no need to purchase additional AMIs. This allows customers to pay on a usage basis and avoid investing in heavyweight solutions.

hyperguard SaaS provides web application security monitoring, detection-only and protection modes. For additional information or to test the service for free go to http://aws.artofdefence.com

Posted in Post

60 Minutes & IT Security???

Posted by hyperguard on November 9, 2009

Yes, last night CBS (Steve Kroft) looked at IT threats to the government and public infrastructure. Stories most of us know by heart – the electrical grid, government networks, etc. – were covered quite well. Lots of people are talking about the importance of mainstream media finally looking at this issue, the Data Security Podcast for example.

There have been discussions of tainted thumb drives used by government employees; however, the application side is much more of an issue, particularly with major systems looking at cloud computing as a way to reduce the cost of running them. Web application security is at the heart of this issue.

Security is, and has always been, about layers, and this is underlined by applications being moved to the cloud. Traditional software is exposed like never before and often cannot be patched ‘in real time’ to meet actual security needs. One layer that fills this void is a WAF. Rather than a replacement for secure development, a WAF can defend the cloud application until a patch can be made, tested and deployed.
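Added example, written for this page and not code from hyperguard, art of defence or WhiteHat: it illustrates both this post and the ‘Tis the Season post above. A constructed request handler reflects a query parameter unencoded (the reflected XSS shape the 67-day figure refers to), `fixed_search` is the code-level fix that takes those 67 days to reach production, and `virtual_patch` is a hypothetical WSGI middleware standing in for the WAF ‘virtual patch’ that shields the unfixed handler in the meantime. The rule in `_MARKUP_RE`, the parameter name `q`, and the detect/protect modes are assumptions for illustration, not any product’s rule set.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed vulnerable handler (the "before"): it reflects the ?q= parameter
# into the page unencoded, the classic reflected-XSS shape.
def vulnerable_search(environ, start_response):
    q = parse_qs(environ.get("QUERY_STRING", "")).get("q", [""])[0]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [f"<h1>Results for {q}</h1>".encode("utf-8")]

# The real, code-level fix: encode untrusted data for the HTML context it
# lands in. This is the change that, per the post, averages 67 days to ship.
def fixed_search(environ, start_response):
    q = parse_qs(environ.get("QUERY_STRING", "")).get("q", [""])[0]
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [f"<h1>Results for {html.escape(q, quote=True)}</h1>".encode("utf-8")]

# Hypothetical virtual-patch rule, kept deliberately narrow: a tag opener, an
# inline event-handler attribute, or a javascript: URL in a protected
# parameter. A virtual patch is tied to one known finding rather than being a
# general "block all HTML" policy; that is what keeps its false-positive rate low.
_MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)

def _violates(params):
    """True if any value of any listed parameter trips the rule."""
    return any(_MARKUP_RE.search(v) for values in params.values() for v in values)

def virtual_patch(app, protected_params=("q",), mode="protect"):
    """Wrap a WSGI app. mode="detect" only records hits; mode="protect" also
    answers 403 before the request reaches the application. The split mirrors
    the monitoring / detection-only / protection modes mentioned in the
    hyperguard SaaS post, but this implementation is an illustration only."""
    events = []

    def wrapped(environ, start_response):
        params = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
        suspect = {k: v for k, v in params.items() if k in protected_params}
        if _violates(suspect):
            events.append({"path": environ.get("PATH_INFO", "/"), "params": suspect})
            if mode == "protect":
                start_response("403 Forbidden", [("Content-Type", "text/plain")])
                return [b"request blocked by virtual patch"]
        return app(environ, start_response)

    wrapped.events = events  # the log an operations team watches while the fix is pending
    return wrapped

def call(app, query_string):
    """Drive a WSGI app with a constructed GET /search and return (status, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/search", "QUERY_STRING": query_string}
    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], body

# Constructed inputs: the textbook XSS probe, URL-encoded as a browser sends it,
# and a benign query that must keep working behind the virtual patch.
PAYLOAD = "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
BENIGN = "q=holiday+gifts"

if __name__ == "__main__":
    print("unpatched :", call(vulnerable_search, PAYLOAD))
    print("virtual   :", call(virtual_patch(vulnerable_search), PAYLOAD))
    detect = virtual_patch(vulnerable_search, mode="detect")
    print("detect    :", call(detect, PAYLOAD), detect.events)
    print("code fix  :", call(fixed_search, PAYLOAD))
    print("benign    :", call(virtual_patch(vulnerable_search), BENIGN))
```

The point of the layering argument shows up in the three outcomes: the unpatched handler echoes the script tag verbatim, the wrapped handler never sees the request (or, in detect mode, still serves it but leaves an event behind to watch), and the fixed handler renders the same input harmlessly. Running in detect mode first is the usual way to measure a rule’s false positives on real traffic before switching it to protect.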

Posted in Post

Weekly Industry Round-up: Week of November 2nd

Posted by hyperguard on November 6, 2009

Online Security Authority…
Building Security Into Your Organization’s Web Applications to Begin With
This post discusses the importance of making Web application protection a chief component of the Web application development process, integrated from the ground up. It suggests the essential trick is a change in attitude and awareness among the company’s software developers: security flaws should be viewed as just another category of application defect. Throughout the software development process, the focus must be on addressing the ever-changing potential for deficiencies and on recognizing new vulnerabilities and exploitation strategies.

Six Steps to Pull App Security Back to the Future
Bill Brenner speaks with fellow OWASP member Matt Fisher about some of the key problems with app security today, and together they dive into six different ways to change them. Bill wrote this article in conjunction with the upcoming OWASP show, AppSecDC. This is a great read that provides helpful background information and links to other app security articles.

Dark Reading…
Tech Insight: Managing Vulnerability In The Cloud
Writer Curt Franklin explores a common question: how do you manage vulnerabilities in your IT infrastructure when it is in the cloud? Although this is largely in your provider’s hands, Curt provides readers with some best practices and tips for keeping control of it.

Posted in Highlights