Hyperguarding your Web Applications

Archive for February, 2010

Weekly Industry Round-up, Week of 2/22

Posted by hyperguard on February 26, 2010

Dark Reading…
At RSA Conference, Analysts Will Focus On Security’s ‘Big Issues’
Tim Wilson discusses some security analysts’ predictions for the hot topics at this year’s RSA Conference. Cloud security will be one of the major topics covered, since security is a key factor in a company’s decision to adopt cloud technology. Khalid Kark, a vice president at Forrester Research, says he’ll be looking for signs of security’s “three big shifts” while he’s at the show: the shift toward next-generation technologies, the shift in what the business expects of security managers, and the shift in who owns security.

Cloud Security Issues, Targeted Attacks to be Hot-Button Topics at RSA
In this article, Robert Westervelt discusses how targeted attacks exploit browser vulnerabilities, probe for flaws in Web applications, and find clever ways to trick end users and penetrate corporate networks. This may lead RSA attendees to take a more cautious approach to new technologies that promise to secure virtualized environments, cloud computing and a number of other corporate initiatives.

RSAC 2010 Guide: Virtualization and Cloud Security
This guide discusses what we can expect to see from virtualization and cloud security at next week’s RSA Conference. We will see virtualization security and the tools and techniques for locking down virtual machines and infrastructures. Software as a Service will be covered since a variety of new and existing security technologies can be delivered as services via the cloud. Cloud-powered security will be discussed as some vendors are leveraging cloud-based features to enhance their security product offerings. Tools and techniques for securing cloud deployments will also be a hot topic.



We’ll be at RSA next week

Posted by hyperguard on February 26, 2010

The RSA Conference is just a week away, and this will be the second year art of defence will be exhibiting at the show. We’re quite excited and looking forward to all the discussions around application security and cloud, particularly the Cloud Security Alliance (CSA) Summit. The CSA has been working hard to better understand the risks associated with cloud threats, and at the show will be releasing its findings in its Top Threats to Cloud Computing document. It will look at how the industry perceives the risk that these threats pose—sure to be a good one!

If you’re at the show, be sure to stop by and say hello—we’ll be at booth #342.

Follow the discussion on Twitter @hyperguard or #RSAC.


Weekly Industry Round-up, Week of 2/15

Posted by hyperguard on February 19, 2010

Tech News World…
Before Making the Leap, Check Cloud Security – and Check Your Own
In this post, Ed Moyle says that although using a cloud service means important enterprise data will reside at an off-premise site, that alone does not make the system less secure than keeping it in-house. Before making the jump to the cloud, he suggests organizations do some research on security—both the service provider’s and their own. Ed says companies should do a formal risk assessment of their environment to see what they have. They then have to figure out what the vendor does or doesn’t do to protect the data entrusted to it. With this information, companies can make an informed decision about what’s best for them.

ZDnet’s Zero Day Blog…
Reports: SQL Injection Attacks and Malware Led to Most Data Breaches
A number of recent reports show that, after malware infection, SQL injection is the main source of breaches. While companies are investing more resources in ensuring their networks and employees are protected against the very latest threats, they may be overlooking the most basic ones. These threats usually require only simple or average attack sophistication on the part of the cybercriminal. It’s worth checking out what each of the reports had to say.

Cloud Computing Compliance: Exploring Data Security in the Cloud
David Mortman of Securosis says that while migrating services to the cloud may provide many benefits, an enterprise still has responsibilities such as remaining compliant. As companies start moving services to the cloud, they need to ask if the data falls under any compliance-related regulations or requirements. If so, they will need to make sure the cloud provider has the necessary policies, processes and procedures to properly maintain those controls.

Tactical Web Application Security…
Top 10 Targeted Passwords
Ryan Barnett of Breach Security discusses the recent RockYou hack, in which attackers extracted users’ passwords by using SQL injection. This huge data set offers a unique look at what types of passwords users will choose when no password complexity rules are enforced. Ryan says these weak passwords are a critical component of the overall RISK equation; however, they leave out an important factor: are any of these passwords actually being used by attackers in real brute-force attacks? Since the passwords are all dictionary words or numbers, they are easily guessed or brute-forced by hacking tools.


U.S. the World’s Dirtiest Web-Hosting Country?

Posted by hyperguard on February 12, 2010

According to a recent Sophos report, this is true—the United States hosted nearly 40% of the world’s infected websites. Graham Cluley blogs on the year-long study, which examines the top 10 countries hosting malware on the web and passing on virus infections to computer users. The company warns U.S. hosts to clean up their act by taking better care and weeding out malicious websites under their supervision. It also recommends that webmasters ensure their sites are securely coded and properly patched against hackers who are trying to inject malicious software into their pages.

Another recommendation we’d like to make to webmasters is to install a distributed Web application firewall (dWAF) for added protection—using one will shield applications from attacks. Because dWAFs are flexible, protection levels can be tightened iteratively without risking unwanted exposure of, or blocking of, the application being shielded, and a ‘detection only mode’ lets new rule-sets be tested without actually enforcing them, running alongside the existing, proven rule-sets. This allows webmasters to develop, test and apply patches with minimal disruption to the network, without ever relaxing the established defenses or risking false positives—particularly helpful for the U.S. web hosts behind that 40%.
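As an added illustration of the two modes described above (this is example code written for this post, not code from the post itself or from any art of defence product), the minimal rule engine below runs a proven, enforcing rule-set next to a candidate rule-set in detection-only mode; the rule names, regular expressions and sample requests are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical minimal rule engine: "enforce" rule-sets block, "detect" rule-sets only record hits.
@dataclass
class Rule:
    name: str
    pattern: re.Pattern

@dataclass
class RuleSet:
    name: str
    mode: str          # "enforce" blocks on match; "detect" only records the match
    rules: List[Rule]

def evaluate(request: Dict[str, str], rulesets: List[RuleSet]) -> dict:
    """Run every rule-set over the request; only enforce-mode hits change the action."""
    haystack = " ".join(f"{k}={v}" for k, v in request.items())
    matches, action = [], "allow"
    for rs in rulesets:
        for rule in rs.rules:
            if rule.pattern.search(haystack):
                matches.append((rs.name, rule.name, rs.mode))
                if rs.mode == "enforce":
                    action = "block"
    return {"action": action, "matches": matches}

def detect_only_hits(known_good: List[Dict[str, str]], rulesets: List[RuleSet]) -> List[str]:
    """Detect-mode rules that fire on traffic believed legitimate: tune these before promoting."""
    hits = set()
    for req in known_good:
        for _, rule_name, mode in evaluate(req, rulesets)["matches"]:
            if mode == "detect":
                hits.add(rule_name)
    return sorted(hits)

def promote(rs: RuleSet) -> RuleSet:
    """Switch a candidate rule-set to enforcement once it has shown no false positives."""
    return RuleSet(rs.name, "enforce", rs.rules)

# Constructed sample rule-sets and requests (not real signatures or captured traffic).
PROVEN = RuleSet("proven", "enforce", [
    Rule("sqli-tautology", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I))])
CANDIDATE = RuleSet("candidate", "detect", [
    Rule("sql-keyword-union", re.compile(r"union", re.I))])  # deliberately over-broad
RULESETS = [PROVEN, CANDIDATE]
LEGIT_REQUEST = {"path": "/search", "q": "reunion tickets"}    # benign, but contains "union"
ATTACK_REQUEST = {"path": "/search", "q": "' OR '1'='1"}       # textbook tautology probe
```

Running `detect_only_hits([LEGIT_REQUEST], RULESETS)` surfaces the over-broad candidate rule as a false positive while the request is still allowed, which is exactly the signal a webmaster wants before calling `promote` on that rule-set.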

Check out the Sophos report in its entirety or Graham’s commentary.

Follow this discussion on Twitter @hyperguard


CSA and Use Cases

Posted by hyperguard on February 5, 2010

art of defence’s Alex Meisel and Georg Hess contributed to the recent Cloud Security Alliance paper, Security Guidance for Critical Areas of Focus in Cloud Computing v2. The CTO and CEO are excited to have helped write the application security domain (no. 13).

Application Security (Domain no. 13) Premise:

Cloud environments — by virtue of their flexibility, openness, and often public availability — challenge many fundamental assumptions about application security.  Some of these assumptions are well understood; however many are not. This section is intended to document how Cloud Computing influences security over the lifetime of an application — from design to operations to ultimate decommissioning. This guidance is for all stakeholders — including application designers, security professionals, operations personnel, and technical management — on how to best mitigate risk and manage assurance within Cloud Computing applications.

At RSA, the company will be extending these thoughts, along with the dWAF (distributed web application firewall) concept, into use cases. These use cases will cover practical deployments that companies run for SaaS, PaaS and IaaS. Stay tuned for more details and a download link!

Follow this discussion on Twitter @hyperguard


Weekly Industry Round-up, Week of 2/1

Posted by hyperguard on February 4, 2010

Information Security Magazine…
Attackers Zero in on Web Application Vulnerabilities
Robert Westervelt discusses how Web application vulnerabilities are turning up on websites all over the Internet at an alarming rate and, according to the SANS Institute, account for more than 80 percent of the vulnerabilities discovered. In many cases, attackers exploit a Web application vulnerability to stage an attack that targets coding errors in client-side applications. While we may never reach the point of having zero vulnerabilities, companies can improve security by taking steps such as deploying a dWAF.

Old Security Flaws Still a Major Cause of Breaches, Says Report
In this article, Jai Vijayan says recent reports show that an overemphasis on tackling new and emerging security threats may be causing companies to overlook older, but more frequently exploited, vulnerabilities. In 2009, the top three ways hackers gained initial access to corporate networks were via remote access applications, trusted internal network connections, and SQL injection attacks. Companies may have to reevaluate their security programs to make sure they are aware of both new and old vulnerabilities. The study suggests companies maintain an up-to-date list of assets, decommission legacy systems wherever possible, and monitor third-party relationships. This is particularly true when applications are moved from the corporate network to the cloud, which is why flexible security solutions are a must.

Web Host Industry Review…
70% of Firms Using Cloud Services Plan to Move More Apps to the Cloud
David Hamilton discusses a recent study showing that seven out of ten companies currently using cloud-based services plan to move additional applications to the cloud, most of them within the next year. Certain industries are adopting cloud technologies faster than others. The top three industries adopting cloud computing solutions are technology (53 percent), financial services (40 percent), and legal (37 percent). For those already using cloud computing solutions, email and CRM proved to be the most valuable. These organizations need to ensure that they secure every application they add to the cloud.

Jeremiah Grossman…
Be Ready – With Answers
Since most security vulnerabilities are located in Web applications, application security professionals will need to be ready to answer their company’s questions. Jeremiah suggests making yourself visible by branding yourself and your team as the internal experts for “application security.” Share interesting links, summarize interesting white papers, and offer to coordinate workshops for management and development teams to keep them informed. Have answers ready by building your internal step-by-step plan for an application security program. Engage with the community by getting involved in a group such as OWASP to meet people, ask questions, and offer your input.


External Hacks are More Serious than You Think

Posted by hyperguard on February 3, 2010

If you really look at security breaches, you will notice that the vast majority originate from the outside—not the inside. Security experts and industry personnel have led us to believe that disgruntled employees, misplaced documents, lost flash drives and devices, and management policy alone are more prevalent causes than hackers. Well, guess again. We spoke to art of defence’s Sebastian Haase about this, and he shared with us that this is not necessarily the case. Yes—internal breaches do occur and they are serious, but so are external hacks, particularly those against the web application layer. If you look at Jeremiah Grossman’s presentation, Web Vulnerabilities Revealed: What everyone knew, but afraid to believe, you will read startling web vulnerability statistics based on the OWASP Top Ten and realize that these weaknesses are clear openings for hackers.

According to Jeremiah’s presentation, 9 out of 10 websites have serious vulnerabilities, and sites with urgent, critical or high severity issues will not pass PCI compliance—a major concern for financial services, retail and e-commerce. Another consideration is the amount of time it takes to fix a vulnerability—67 days! That window of known weakness heightens the situation for companies and increases the chance of a severe breach. It is important to shield applications from web vulnerabilities with a distributed web application firewall (dWAF) and protect against widespread external hacks.

Follow this conversation on Twitter @hyperguard
