Hyperguarding your Web Applications

Archive for December, 2009

Top Security Perils When Moving an Application to the Cloud: Input Validation

Posted by hyperguard on December 31, 2009

The next security peril we identified is input validation. Internally, the application had only trusted users who used the application ‘as intended’, so there was no strong need to validate user input, e.g. in the application’s form fields.

The challenge is that a variety of typical web application vulnerabilities target weak input validation, including all classes of injection attacks, most commonly SQL injection. If the application moves to the cloud, all of its input parameters need to be validated. This can be implemented either within the application itself or in front of the application, in a web application firewall.

Follow the discussion on Twitter @hyperguard.



Top Security Perils When Moving an Application to the Cloud: User Management and Authentication

Posted by hyperguard on December 30, 2009

Continuing with our series, we’ve identified user management and authentication as our first security peril.

Internally, the application had only trusted users. Often, internal authentication services such as LDAP and Microsoft Active Directory are based on protected internal databases and are used for secure user access and for logging user traffic.

The challenge here is twofold. If there has not yet been any user management, solid and secure user management has to be developed and used in the cloud. If, however, the application continues using the current authentication services, the question is whether the user’s credentials should be replicated and made available in the cloud (and if so, how this can be done securely), or whether the user access management in the cloud should instead query the internal authentication databases over a secure channel (e.g. a VPN tunnel). In the latter case the user’s credential database does not leave the secure enterprise infrastructure, but the communication with it has to be secured.

Stay tuned for more security perils…

Follow the discussion on Twitter @hyperguard.


Top Security Perils When Moving an Application to the Cloud

Posted by hyperguard on December 28, 2009

Hyperguarding your Web Applications is starting a series of posts showing you the top security perils of forcing applications onto the cloud that weren’t specifically designed for it.

Here’s a typical situation: applications are built from the ground up, using programming languages such as PHP, Java or .NET, by an internal development team or a third-party vendor with ‘for internal use only’ in mind. Development teams generally assume that users can always be trusted, that the application will be used ‘as intended’ and that all information (e.g. user data) and content (e.g. product data from databases or ERP systems) come from safe and secure sources. Until now, there have never been security issues with these applications.

As cloud computing becomes more popular among companies, they are pushing their applications out of the internal network into the cloud, exposing them to Web threats. If the application, or parts of it, is moved into the cloud, there will typically be less security within the infrastructure and many more users will be accessing it. Vulnerabilities therefore turn up and hacks occur.

Every few days we will post typical challenges enterprises face when moving an application to the cloud—so check back often.

Follow the discussion on Twitter @hyperguard.


First dWAF?

Posted by hyperguard on December 18, 2009

We’re glad to see that others recognize the importance and worth of a distributed Web Application Firewall (dWAF); however, we wouldn’t call Akamai’s recent news the first WAF in the cloud. The technology is a black list filter for requests.

Adrian Lane @ Jeremiah: in reference to Jeremiah’s point on white list vs. black list

…I am making the assumption that Akamai relieves their customers from specific ‘black list’ threats and the burden on web site WAFs, but does not relieve customers of the need to build their own ‘white list’ of policies.

Today’s WAF technology looks very different. Black, white and gray listing are considered basic functionality. Proactive features like session protection, form field virtualization, learning and assisted security policy refinement are a must, as is exchanging information with related web application security products such as vulnerability scanners or static code analysis tools.

For these reasons, art of defence launched the first fully fledged dWAF for its customers at RSA 2009. More recently, we’ve made this service available to AWS customers and solution providers so they can protect their applications by applying hyperguard SaaS either as a software plug-in to an existing web server Amazon Machine Image (AMI) or by using AoD’s custom AMI. The technology behind this is going to be implemented at various other cloud service providers in the near future so they can offer a true dWAF (at least) in their cloud.

Follow the discussion on Twitter @hyperguard.


Weekly Industry Round-up: Week of 12/14

Posted by hyperguard on December 18, 2009

IT Business Edge…
Look Before Taking Cloud Computing Leap
In this post, Michael Vizard says one of the assumptions about cloud computing is that it’s a simple matter of choosing an application workload and finding the best place to host it from a pricing perspective. With prices dropping, organizations are quickly turning to cloud computing, but Michael says an IT organization will be better off in the long run if it takes a few months to seriously consider the move before making a decision. Although the idea of cloud computing is attractive, organizations will need to do a significant amount of work on their applications before they are ready to run as a service in the cloud.

How to Avoid the Stormier Implications of the Cloud
This article by Adrian Seccombe offers some advice on how to ensure protection from the stormier implications of clouds. He suggests that major cloud services providers should work with infrastructure suppliers and other relevant groups such as the Jericho Forum and the Cloud Security Alliance to develop the services, solutions and open standards-based interfaces that customers need for secure, open cloud computing. The cloud represents an opportunity for incredible scalability and cost savings and if the industry works together, they can build trust into cloud computing so that everyone benefits from it.

RockYou Hack Exposes Names, Passwords of 30M Accounts
Jaikumar Vijayan discusses how hackers breached a database at social networking application maker RockYou Inc. They accessed username and password information on more than 30 million individuals with accounts at the company and an SQL injection flaw is being blamed. The breach was discovered after database security vendor Imperva Inc. informed RockYou of a major SQL injection error it had uncovered on a page of their website. It was also discovered that RockYou stored its password data in plain text form instead of hashing it, a common security practice.

2010 Security Predictions
In this post, Zscaler shares their security predictions for 2010. They say that attackers will turn to the cloud and attempt to poke holes in the APIs of cloud providers. They also predict that browser vendors will start to take cross-site scripting (XSS) seriously. Additionally, enterprises will look to consolidate data storage and continue to build massive data centers and develop ever larger data stores thanks to cloud computing. The volume of data that can be stolen when adequate security controls are not implemented will be truly incredible.


Weekly Industry Round-up: Week of 12/7

Posted by hyperguard on December 11, 2009

Information Security…
Carefully Evaluate Providers’ SaaS Security Model
This article by Marcia Crist discusses how SaaS is becoming increasingly attractive to enterprises looking to add resources and functionality without adding headcount. She looks to security experts to find out how an enterprise goes about ensuring their sensitive data is protected when they work with a SaaS vendor. It comes down to asking a lot of questions about encryption, authentication policies, incident handling, and application security.  Companies are encouraged to make sure security requirements are handled contractually before signing off on a deal and should monitor to see that promises are kept.

Are Cloud Computing Vendors Ignoring IT Pros’ Concerns?
This post by Carl Brooks discusses the results of a new Forrester Research survey, which shows that while awareness of cloud computing has grown, the concerns of potential adopters remain the same. He suggests that vendors and cloud promoters didn’t get the memo. Tim Harmon, a senior analyst at Forrester, said that small businesses’ concerns about cloud computing will diminish as they are better educated, but tech vendors are going to have to address some of those concerns.

Network World…
Five Shortcuts to PCI Compliance
Jamey Heary offers five shortcuts to make PCI compliance easier in this post.  He says the key to becoming PCI compliant is all about how well you can control the number of in-scope devices—the smaller your scope the better.  The challenge is how to efficiently and sensibly reduce your PCI scope without breaking everything and spending a fortune. Re-architecting your network to reduce and define PCI scope is one of the first action items you need to complete as you work towards compliance; this is also one of the highest hurdles of the process. Jamey makes great points on how to make this process easier, although he ignored an important aspect—using a web application firewall.

Dark Reading…
Hacker Exposes Unfixed Security Flaws in Pentagon Website
In this article, Kelly Jackson Higgins explains how a Romanian hacker has posted a proof-of-concept attack exploiting vulnerabilities on the Pentagon’s public Website that were exposed several months ago and remain unfixed. The hacker showed input validation errors in the site’s Web application that allow an attacker to wage a cross-site scripting (XSS) attack. Although the site is mainly a tourist site for the Pentagon and doesn’t appear to hold any sensitive data, it could be used to redirect users to a malicious site posing as the Pentagon site.


You Could Fall Victim to a Phishing Attack

Posted by hyperguard on December 10, 2009

As stated in the OWASP guide, phishing attacks are one of the highest-visibility problems for banking and e-commerce sites because they have the potential to destroy a customer’s credit rating and livelihood. Needless to say, this is a major concern. To make matters worse, a recent report by Trusteer states that on average 12.5 users out of 1 million accidentally access a phishing website. While this number may seem relatively small, it isn’t for banks: they lose about $2.4-9.4 million annually. In addition, 45% of bank customers who are redirected to a phishing site divulge their personal credentials—wow! This report proves just how important it is for banks to use a WAF.

A WAF can detect third-party websites linking to the legitimate web application and initiate counter-measures. This detection can also be carried out dynamically, blocking access only once a specific number of requests has occurred.
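As an added example of the threshold-based detection described above (not code from the original post or from hyperguard), a small detector that counts requests reaching protected pages per external referring host and starts blocking only after a threshold is crossed. It assumes, which the post does not state, that the third-party link is observed through the Referer header; the host names, paths and sample requests are constructed.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Assumption (not stated in the post): a link from a third-party website is
# observed through the Referer header of the request that lands on the login page.
OWN_HOSTS = {"bank.example"}            # constructed: the protected application's hosts
PROTECTED_PATHS = {"/login", "/account"}

def referrer_host(referer):
    """Host part of a Referer URL, or None if the header is absent."""
    if not referer:
        return None
    return urlparse(referer).hostname

class ThirdPartyLinkDetector:
    """Count requests to protected paths per external referring host and raise an
    alert once a host exceeds the threshold. Below the threshold nothing is
    blocked: a handful of legitimate deep links is tolerated, a campaign is not."""
    def __init__(self, threshold=5):
        self.threshold = threshold
        self.counts = defaultdict(int)
        self.blocked = set()

    def observe(self, path, referer):
        """Return 'allow', 'alert' (threshold crossed by this request) or 'block'."""
        host = referrer_host(referer)
        if path not in PROTECTED_PATHS or host is None or host in OWN_HOSTS:
            return "allow"
        if host in self.blocked:
            return "block"
        self.counts[host] += 1
        if self.counts[host] >= self.threshold:
            self.blocked.add(host)
            return "alert"
        return "allow"

# Constructed sample requests: (path, Referer header)
SAMPLE_REQUESTS = (
    [("/login", "https://bank.example/home")] * 3
    + [("/login", "https://secure-bank-login.example.net/verify")] * 6
    + [("/help", "https://secure-bank-login.example.net/verify")]
)

def run_sample(threshold=5):
    """Feed the sample through one detector and return the decision per request."""
    det = ThirdPartyLinkDetector(threshold)
    return [det.observe(path, ref) for path, ref in SAMPLE_REQUESTS]
```

Requests arriving from the application’s own hosts, or to pages outside the protected set, are never counted, so the counter only reflects external sites that funnel visitors to the login page.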

Trusteer’s data was compiled by measuring live phishing attacks from their Rapport browser plug-in. Read the report in its entirety or check out ZDNet or The Tech Herald for additional commentary.

Follow the discussion on Twitter @hyperguard.


Weekly Industry Round-up: Week of 11/30

Posted by hyperguard on December 4, 2009

CSO Online…
Clear Metrics for Cloud Security? Yes, Seriously
In the second installment of his series on “Clearing the Cloud,” Ariel Silverstone proposes some clearer definitions and metrics to improve cloud security. He touches on subjects including security models, confidentiality, availability and integrity. His first article, Cloud Security: Danger (and Opportunity) Ahead, explores the dangers of cloud computing and outlines security best practices to make it work and is also worth checking out.

Fake H1N1 (Swine Flu) Alerts Lead to Malware
This post by Ryan Naraine discusses how malicious hackers are using fake alerts around H1N1 (Swine Flu) vaccines to trick end users into installing malware on Windows computers, according to warnings issued by computer security firms. The e-mail messages contain a link to a bogus Centers for Disease Control and Prevention site with prompts to create a user profile. During this process, a malware file gets planted on the user’s machine. This post shows you what the site looks like so you can be aware of the attack.

Safer Online Shopping: Eight Tips
This post by Shane O’Neill notes that Black Friday sales results showed holiday shoppers flocking to the Web this year in unprecedented numbers. To avoid this season’s security threats to your browser and computer, Microsoft lists eight suggestions: keep your computer’s software and browser current, protect your computer with firewall and antivirus software, beware of phishing scams and malware, and protect yourself against cross-site scripting attacks. You should also identify fake web addresses, browse more privately, make sure payment websites use encryption, and never respond to unsolicited requests to update your account information.

RSA Blog…
A European Take on Cloud Security
Eric Baize discusses the differences between the European and the North American approaches to security in this post. He says Europeans tend to take a comprehensive, long term, risk-based approach while Americans often favor effective protections with rapid return on investment. The greater adoption of smart cards and digital certificates in Europe than in the U.S. is one of the many symptoms of this difference in approaches.

Quiz: How to build secure applications
Check out this quiz that is part of SearchSecurity.com’s Data Protection School lesson, “How to build secure applications.”
