Hyperguarding your Web Applications

Archive for January, 2010

Weekly Industry Round-up: Week of 1/25

Posted by hyperguard on January 29, 2010

Rational Survivability…
Cloud: Security Doesn’t Matter (Or, In Cloud, Nobody Can Hear You Scream)
In this post, Chris Hoff says that it doesn’t matter how “secure” Cloud providers suggest they are because in the long run it’s about how compliant they are.  That’s what will determine the success of Cloud.  Chris suggests that the core issue to tackle in Cloud is trust. Trust is comprised of Security, Control, Service Levels and Compliance.   He says it is relatively easy to establish where we are today with the first three, but we will have to work harder to manage compliance.

Gartner Blog…
Another Lesson from the IE Zero Day Attacks on Google: The Power of Whitelisting
Neil McDonald discusses lessons learned from the recent breaches of Google’s infrastructure as the result of attacks on unknown vulnerabilities in Internet Explorer where no patch was available. He focuses on application control/whitelisting and believes that whitelisting at the endpoints would have stopped these attacks. If Internet Explorer had an unknown vulnerability, was subject to a zero-day attack and malicious code was dropped on the machine, the code wouldn’t be allowed to execute because it wasn’t on the approved list. Application control solutions provide straightforward and powerful protection. If a code isn’t supposed to be running on a system, don’t let it run.

Low Hanging Fruit: Security Management
In this post, Mike Rothman discusses the discipline of security management. He stresses the importance of having a security program in place. When thinking about starting a program, make sure to define success, communication and accountability. He also suggests reviewing your incident response plan and to monitor everything so that you can react faster. Especially monitor logging, change detection and network behavioral analysis. By identifying your priorities and having a strong security, it will be easier to determine what you need to be working on.


Posted in Highlights | Leave a Comment »

Need to Break a Password? Try 123456.

Posted by hyperguard on January 27, 2010

A few weeks ago we posted about how RockYou, a provider of third-party apps for Facebook, MySpace and other social-networking sites has had major problems with SQL injections in web application security.  After experiencing a data breach that exposed 32 million users’ e-mails and passwords, RockYou has now analyzed the passwords that were hacked. The result? The most common password on the site was 123456.

The research also showed that 290,731 individuals used 123456 as their password. 12345 was the second most common password, used by 79,078 individuals and the third most popular password, was 123456789 used by more than 76,790 people. 30 percent of users selected a password that was six characters or less and nearly half selected names, slang words, dictionary words or consecutive digits for their password.

The breach occurred because the user’s information had been stored in plain text and was vulnerable through a SQL security hole. While using a dWAF could have prevented this hack, users should have also been using more secure passwords.

As RockYou continues to review its security procedures and implement new practices, they will need to enforce a strong password policy since most users are choosing weak passwords on their own.

To read more about RockYou’s analysis of user’s passwords, check out this SC Magazine article.

Follow this discussion on Twitter @hyperguard

Posted in Post | Leave a Comment »

WAF in the Cloud

Posted by hyperguard on January 22, 2010

Fellow OWASP member, Ofer Shezaf, recently presented at a chapter meeting, and gave an overview of how WAFs interact with cloud computing—both using the cloud and protecting cloud based applications.  During his presentation he discussed the following scenarios:

  • Enterprise Security Gateway
  • WAF as a service: For protecting a data center or SaaS
  • WAF for a cloud deployment: Host Based or Infrastructure Based
  • WAF stubs

Mentioned in his presentation and also in an earlier post, Ofer notes that the two challenges facing WAFs in the cloud are bandwidth and complexity, however, art of defence has tacked these problems with hyperguard and meets XIOMs definition of a true WAF.

Ofer mentions hyperguard SaaS for AWS within his presentation, and notes that many well-known WAFs are actually lacking simply at signatures and hardly true WAFs.  What is considered a true WAF for the cloud?

Xiom is a great source of information for WAFs and resource to our readers, check out Ofer’s blog at http://www.xiom.com/ and view his entire presentation under our ‘Resources’ tab

Follow this discussion on Twitter @hyperguard

Posted in Post | Tagged: , , | Leave a Comment »

Weekly Industry Round-up: Week of 1/18

Posted by hyperguard on January 22, 2010

The Forrester Blog for Security & Risk Professionals…
Why Google and Microsoft, Not Cloud Computing, Were at Fault for the Google Hack
In this post, Chenxi Wang discusses last week’s attack on Google, Yahoo, and more than 30 other companies and explores why this is not an attack on cloud computing.  It’s known that a Microsoft browser vulnerability was exploited, some employee desktops were compromised and the attacker used these desktops via Google’s VPN to get to some of the servers. Google then issued an emergency refresh of the entire corporate VPN infrastructure. Chenxi says that exploiting browser vulnerabilities is a familiar attack method, one that has nothing to do with cloud computing. Compromising desktops and using VPN to further compromise servers is also nothing new. She says that what is at the root of the problem here is a vulnerability from everybody’s “favorite” software company, not the fact that the target of the attack is a major cloud computing company.  Despite this, Google is at fault for not managing its risks adequately.

Information Week…
Why You Need a SaaS Strategy
Michael Biddick, President and CTO of the consulting and IT services firm, Fusion PPT, says that few companies have noticed just how powerful and grounded a force software as a service has become. The impact that SaaS will have on IT organizations is profound and business technology leaders will need to make sure their companies are ready for it. He offers 9 keys to SaaS strategy:  select the right provider, sign the right contract, have a detailed exit strategy, manage the relationship, create a contingency plan, dig deep on interoperability and integration, agree on IT’s role in supporting the product, get senior executive support and involvement and align to the company objective.

CSO Online…
The Great PCI Security Debate of 2010: Part 2
Check out this debate with CSO’s Senior Editor Bill Brenner and Martin McKeay of the Network Security Podcast. They share their thoughts on whether PCI security is an industry savior or failure. If you haven’t heard part one yet, you can listen here.

Tactical Web Application Security…
2010 Web Application Security Predictions
Ryan Barnett looks at a few types of incidents that will likely happen over the next year. His predictions include: Web-based worms will migrate off social networking sites, planting of malware will become a top concern, attacks against Web-based critical infrastructure components and HTTP Denial of Service Attacks will take down important sites.

Posted in Highlights | Leave a Comment »

Weekly Industry Round-up: Week of 1/11

Posted by hyperguard on January 15, 2010

Information Week…
Private Clouds Are A Fix, Not The Future
In this article, Cloud Connect’s Alistair Croll argues that internal enterprise clouds are temporary and will be followed by a migration to public cloud infrastructure. His predicts that for the next three or four years, enterprises will deploy private and hybrid clouds and public cloud infrastructure will be reserved for startups, experimentation and testing. He says that within a few years, the true cloud operators will have an unavoidable cost advantage and they will be closer to consumers  Computing legislation will catch up and in three to five years, there will be a second big enterprise IT migration from private to public infrastructures.

Social Networks Face User Content Risks, Web Application Vulnerabilities
Rob Westervelt discusses how third-party applications on social networks could be the next means of attack for cybercriminals. If left unmonitored, security experts fear the applications that users have come to trust could be used to trick them into giving up account credentials or deliver spam and malware. In 2009, Link-sharing and discussion portal MetaFilter was on a long list of user-driven platforms and websites victimized by SQL injection attacks. OWASP is now taking a closer look at ways to scan and recognize potentially malicious coding posted by users on Web forums, user profile pages and other webpages where users freely post content.

IT Business Edge…
Fully Clouded By 2010?
A few weeks ago, Arther Cole blogged about his prediction that virtualization and cloud computing would bring an end to IT infrastructure at small and mid-sized organizations, who would outsource these resources to regional dedicated data centers.  While he still expects this to happen, he finds a recent report issued by Gartner to be interesting. It says that more than 20 percent of enterprises will have no IT infrastructure at all as early as 2012. If the change does happen that fast, IT departments should be prepared for a wild road ahead.

Jeremiah Grossman…
Top Ten Web Hacking Techniques of 2009 (Official)
Jeremiah Grossman lists the Top Ten Web Hacking Techniques of 2009. Every year the Web security community produces dozens of new hacking techniques documented in white papers, blog posts, magazine articles, mailing list emails and so on. The top 3 listed were: Creating a rogue CA certificate, HTTP Parameter Pollution (HPP) and Flickr’s API Signature Forgery Vulnerability (MD5 extension attack). Check out the post to see what else the judges included.

Posted in Highlights | Leave a Comment »

Some Rocky Times for RockYou

Posted by hyperguard on January 13, 2010

SQL injections are one of the biggest problems in web application security—we’ve seen it with Heartland, 7-Eleven and Hannaford Brothers, and now RockYou.  These attacks are widely known and publicized; however, it still takes companies, who have experienced attacks, 67 days to resolve these issues!

Early December, RockYou, provider of third-party apps for Facebook, MySpace and other social-networking, suffered a data breach that exposed nearly 32 million RockYou users’ e-mails and passwords.  This information had been stored in plain text and was vulnerable through a SQL security hole.  Now, Alan Claridge, an affected user, filed for a proposed class action lawsuit on December 28 for failing to properly secure his data, allowing hacker ‘igigi’ to gain access to it and failing to promptly notify him about it.

Although, we are not certain of the exact technology being used by RockYou, but if a dWAF was being used it could have prevented this hack and saved the company from this disaster.  More importantly, RockYou could have protected its’ customers’ PII (personal identifiable information).  Because a dWAF is flexible it allows patches to be applied with minimal disruption to the network—quite helpful for situations like these.

Moving forward RockYou will be further investigating the breach, reviewing its security protocols and implementing new practices:

  • Encrypting all passwords
  • Upgrading the legacy platform with the same infrastructure and industry standard security protocols we employ on our partner applications platforms
  • Reviewing our current data security features and ensuring that they meet industry standards and best practices

To read more background on the RockYou breach check out SC Magazine’s article.

Follow this discussion on Twitter @hyperguard

Posted in Post | Tagged: , , | 1 Comment »

Weekly Industry Round-up: Week of 1/4

Posted by hyperguard on January 8, 2010

Cloud Switch…
5 Things to Do Before Moving to the Cloud
In this post, Ellen Rubin offers 5 steps that can help guide the thought process when considering a cloud deployment.  She recommends that before moving an enterprise application to the cloud, you need to be sure that your expectations are realistic and your objectives match what the cloud can deliver. Here are the 5 things she suggests doing before moving to the cloud: determine your cloud objectives, pick an application that makes sense, involve the CSO/risk management team from the beginning, decide which cloud(s) are acceptable and create a sandbox where people can experiment.  This article ties back to our series on Top Security Perils When Moving an Application to the Cloud— when you do move to the cloud, make sure you protect your applications with a dWAF.

Help Net Security…
Top 10 Application Security Trends
This article discusses The Denim Group’s list of the top application security trends for 2010. Some trends they list include Web mashup applications will result in new attack vectors, new data breaches will force organizations to focus on internal applications as well as external, organizations will finally start asking, “How are we going to fix these vulnerabilities?” They also predict organizations will move beyond scan-only approaches to application security, the application security market will continue consolidating, organizations deploying web application firewalls will increasingly use them for virtual patching and application security metrics will provide a foundation for decision-making.

Enterprise Systems…
Q&A: Understanding Private vs. Public Clouds
In this article, Linda Briggs, speaks with Kenneth Ziegler, president and COO of a managed services firm that offers private cloud computing. He explains the differences between public and private cloud computing and what each is best suited for.  Kenneth describes the public cloud as typically being used for processing power or shared storage delivered to a client on a “pay-by-the-sip” basis (often dollars per CPU hour or dollars per GB of storage).  While hosted private clouds include “shared-nothing” architectures, which are custom designed for enterprise clients who have specific performance, compliance, and scalability requirements. It is delivered in “pay-by-the-glass” increments, requiring a minimum high-availability configuration, with clients adding their own virtual machines as they grow, all fully managed by the service provider. Check out the rest of the article for Kenneth’s list of advantages to cloud computing as well as what users should be aware of.

Posted in Highlights | Leave a Comment »

Top Security Perils When Moving an Application to the Cloud: Infrastructure Set-up

Posted by hyperguard on January 6, 2010

Wrapping up our security peril series, we’ve identified infrastructure set-up / decisions as our fifth peril of forcing applications onto the cloud that weren’t specifically designed for it.

Internally, the application had secure access to authentication databases and content databases, such as product data management systems and ERP systems.  As these systems typically contain confidential content, careful decisions have to be made about these data—which parts should be moved to the cloud and in what form, or can the whole database live on the cloud without risk?  Often times, new and securely implemented login/access procedures are needed.

Follow the discussion on Twitter @hyperguard.

Posted in Post | Tagged: , | Leave a Comment »

Top Security Perils When Moving an Application to the Cloud: Web App Security Challenges

Posted by hyperguard on January 4, 2010

Moving along with our series, we’ve identified general web app security challenges as our fourth peril. As internal users were trusted, the application had not been exposed to such things like security source code reviews or security vulnerability tests in general.  The challenges mentioned up until now are common issues noted by the OWASP Top 10.  There are more very likely vulnerabilities to make the list, such as Cross Site Scripting, and many more that have not made the OWASP Top 10 yet.  Regular Source Code Audits/Vulnerability Assessments and the use of embedded or external WAFs can prevent these vulnerabilities.

Follow the discussion on Twitter @hyperguard.

Posted in Post | Tagged: , , | Leave a Comment »

Top Security Perils When Moving an Application to the Cloud: Secure Communication

Posted by hyperguard on January 1, 2010

The third security peril is secure communication, i.e. secure session management or encryption.  Internally, the application had only trusted users, and all communication was trusted in the sense that all other users were no security risk.  However, there is variety of typical web application vulnerabilities that target communication problems, for example, insecure implementations of session management (i.e. insecure session cookies), improper use of encrypted communication (i.e. SSL, key management).  If the application moves to the cloud all relevant aspects of the communication have to be evaluated.  Implementation of secure communication channels have to be done the right way.  This could either be implemented within the application itself by using secure frameworks or in front of the application in a so-called web application firewall.

Follow the discussion on Twitter @hyperguard.

Posted in Post | Tagged: , | Leave a Comment »