Hyperguarding your Web Applications

Archive for March, 2010

Scanners and WAFs Work Hand-in-Hand

Posted by hyperguard on March 31, 2010

Larry Suto, an application security consultant, recently published a sequel to his 2007 best seller research about web application scanners, which drew much attention from the industry because he claimed that scanners do not perform as well as advertised.  In his sequel, Larry elaborates and updates his initial findings by testing various vendors solutions, such as, Acunetix, Portswigger.net BurpSuitePro, Cenzic’s Hailstorm, NT Objectives’ NTOSpider and among others, and found yet again that most Web application scanning tools missed vulnerabilities and generated false positives.  While Larry’s findings are quite interesting, businesses should never rely solely on a single solution.

In this particular instance, we always urge the use both scanners and WAFs for an added layer of security.  In fact, these two technologies are melding together today, as we see from the analyst community, such as, Chenxi Wang in her recent report, Web Application Firewall 2010 And Beyond.  Stand alone security solutions are almost nonexistent within the industry today.  Ofer Shezaf states in his post, WAFs are not perfect, but is any security tool perfect? no single security solution is sufficient—only combining multiple defense mechanisms would provide adequate security, which still does not imply 100%.


Posted in Post | Tagged: , , , | Leave a Comment »

Weekly Industry Round-up, Week of 3/22

Posted by hyperguard on March 26, 2010

Information Week…
Google Releases Free Web Security Scanner
Thomas Claburn discusses the free Web Security Scanner that Google recently released. The skipfish software was created to help reduce online security vulnerabilities. While a free tool like this is appealing, it seems as though a true expert would be needed to use it and interpret the results. Using a web application firewall such as hyperguard could be a better solution when looking for an easier integration.

Intrusion Detection in a Cloud Computing Environment
In this contributed article from Phil Cox, he looks at the importance of intrusion detection systems in a cloud computing environment. He discusses how intrusion detection is performed on Software as a Service, Platform as a Service and Infrastructure as a Service offerings. Phil says that in reality, intrusion detection in the cloud is best performed by the provider– more than an IDS or IPS, hyperguard monitors the incoming and outgoing HTTP traffic, and enables and enforces central policy for that application perimeter. Hyperguard offers proactive protection without any changes to the Web application e.g. via secure session management based on the Secure CookieJar or via URL- Encryption to minimize the attack surface.

How Safe is Cloud Computing?
According to Lara Farrar, there may be trouble ahead with cloud computing, as security experts warn that not enough is being done to make sure it is safe. She says more businesses and individuals are tapping into cloud due to economics and convenience. However, a recent study from CIO Magazine found that despite the increasing popularity of outsourced computing, 50% of CEOs surveyed said safety was one of their biggest concerns. Companies have their own firewalls and anti-virus software to protect data in place, but when cloud computing is outsourced, they no longer have control over security measures.

Watch out for Web Worms
This article looks at Web-based worms as a new type of malware that can spread without human intervention and cannot be prevented by traditional anti-virus practices. Two-thirds of Web sites are vulnerable to cross-site scripting (XSS) worm infections, which involve embedding malicious JavaScript or ActiveX code on Web pages or in downloads. These Web worms use access to news items to attract victims to visit infected sites or click links that embed the malicious code in a download.

Posted in Highlights | Leave a Comment »

Partnering hyperguard w/ Forefront TMG

Posted by hyperguard on March 24, 2010

We recently worked with the Forefront TMG team to deliver a solution that would enable businesses in the financial services sector, particularly those who process or store credit card data, to be PCI DSS compliant.  According to PCI requirement 6.6, all Web-facing applications must be protected against known attacks, such as Cross Site Scripting (XSS), SQL-injection and other OWASP Top10 threats.  This requirement can be fulfilled by installing a Web application firewall (WAF) in front of Web-facing applications, however, many companies look for comprehensive security solutions that cover both network and application layer specific requirements of PCI DSS.

We paired our WAF (hyperguard) as a software plug-in with the ISA Server/Forefront TMG to solve this common problem.  You may read about the deployment on Forefront TMG community blog at http://blogs.technet.com/isablog/hyperguard.

Posted in Post | Leave a Comment »

Weekly Industry Round-up, Week of 3/15

Posted by hyperguard on March 19, 2010

The Wisdom of Clouds Blog…
Is a Legal Challenge to the Cloud Inevitable?
After attending the Cloud Connect conference, James Urquhart got a sense of the opinions and concerns of cloud customers and its vendor community. He said it appears that more and more applications will leverage public clouds, and that a large number of enterprises will adopt those services for certain classes of applications as early as 2013. James said that adoption of cloud seems to be exceeding the ability of legal council to evaluate the liabilities that the cloud introduces to enterprise IT.

The Cloud’s Three Key Issues Come into Focus
In this post, David Linthicum discusses 3 issues that become clear at the Cloud Connect conference. The first is common definitions; everyone is defining the same cloud computing concepts, such as private, public, hybrid, community, virtualization and multi-tenancy, a bit differently.  The second is standards—although there is a push for standards in the world of cloud computing, there is no detailed guidance. Finally there is security. We know that clouds need to be secure and progress has been made with the Cloud Security Alliance, but there is still more work to be done.

What are the Most Underrated Security Technologies?
Bill Brenner looks at some of the techniques and related technologies that are considered underrated in the security industry. The first being whitelisting—application security is something companies increasingly worry about with the number of business and personal apps increasing. Web Application Firewalls (WAFs) are among the technologies designed to reduce the risk of hackers. One of the more overlooked features of the technology is whitelisting, the art of allowing only traffic known to be valid to pass through the gate, providing an external input validation shield over the application.

Posted in Highlights | Leave a Comment »

Weekly Industry Round-up, Week of 3/8

Posted by hyperguard on March 12, 2010

Threat Post…
Hijacked Brands Grew in 2009 Phishing Attacks
The Anti-Phishing Working Group (APWG) released its Q4, 2009 Phishing Activity Trends Report, revealing that eCrime syndicates are expanding the base of brands they exploit for online fraud far beyond major financial institutions and online merchants. The number of hijacked brands reached a record 356 in October, up nearly 4.4 percent from the previous record of 341 in August 2009. Check out some more of the report’s findings here.

3 Cloud Computing Mistakes You Can Avoid Today
David Linthicum outlines 3 mistakes that enterprises can avoid when it comes to cloud computing. The first is not considering a public cloud. If there is processing that occurs a few days a month or on a seasonal schedule such as holiday shopping, using a public cloud might be a good fit when additional capacity is needed. The second mistake is security and governance being afterthoughts; many companies only look to them after deploying their cloud computing solution. The third mistake to avoid is not having a continuation of a business strategy, meaning companies should be thinking about what would happen if your provider went down, shut down, or shut you down.

eSecurity Planet…
Security Vendors Show Innovation at RSA
Diana Kelley and Ed Moley highlight RSA announcements from some innovative vendors, including art of defence’s expansion into the cloud with GoGrid. They feature a number of other company’s news, focusing on small business solutions and wireless security.

Posted in Highlights | Leave a Comment »

Is Progress Being Made as CSA?

Posted by hyperguard on March 10, 2010

The Cloud Security Alliance (CSA) released yet another paper at the RSA conference this year— Top Threats to Cloud Computing.  This document is in relation to the recent CSA paper, Security Guidance for Critical Areas in Cloud Computing, v2 that was updated in December 2009.  Since the v2 update and the release of the top threats document, the organization has fallen short to provide the industry with actual use-cases that illustrates true deployment scenarios of cloud computing environments, especially those 13 domains identified.  Enterprises that are planning or who have actually made the leap to cloud computing environments are desperately seeking options to secure their services.

According to a recent Gartner report, organizations will spend more of their IT budget on private cloud computing, than public cloud computing through 2012.  As the industry continues to move forward with cloud computing, particularly to a private cloud, need for use-cases is critical and timely for these companies, and a one-size fits all approach will not suffice.  Thomas Bittman points out in his blog post, Cloud Computing: Through a Glass, Darkly, the key to private cloud computing is spending time with the design process and ensuring the architecture gives them enough flexibility to adjust as needed.  This couldn’t be any truer from a security standpoint, and even more of a reason for a use-case paper.

Follow this discussion on Twitter @hyperguard

Posted in Post | Tagged: , , | Leave a Comment »

Weekly Industry Round-up, Week of 3/1

Posted by hyperguard on March 5, 2010

Experts Laud IPS Virtual Patching, but Warn against Misuse
At this week’s RSA Conference, security pros said that virtual patching can be an effective short-term fix for network vulnerabilities, but it shouldn’t replace the implementation of proper fixes for systems and applications. During a panel discussion on network security, manager of infrastructure security for automaker Daimler, Peter J. Kunz, mentioned the concept of using intrusion prevention systems (IPS) and vulnerability management products to virtually patch vulnerabilities in applications and systems by blocking potentially malicious network traffic from reaching those network locations.  Kunz said “you’re buying some time” with virtual patching, but you’re not adding to the security of your environment.”

Dark Reading…
Cloud Security Alliance Names Top 7 Threats to the Cloud
Also at RSA, the Cloud Security Alliance (CSA) identified the top seven security threats to cloud computing. The CSA’s leading cloud threats are abuse and nefarious use of cloud computing; insecure application programming interfaces; malicious insiders; shared technology vulnerabilities; data loss/leakage; account, service, and traffic hijacking; and unknown risk profile. Check out the CSA’s Top Threats to Cloud Computing V1.0 report.

Network World…
Cloud Security, Cyberwar Dominate RSA Conference
Tim Greene discusses how cloud security dominated the RSA Conference this week as a major concern of business. The worry about the threat of cyberwar was also strong, with officials from the White House and FBI encouraging private participation in government efforts to defend information and communications networks.

Posted in Highlights | Leave a Comment »

dWAF as SaaS available through GoGrid

Posted by hyperguard on March 3, 2010

We recently announced hyperguard SaaS—the industry’s first cloud-based dWAF is available on the GoGrid Cloud. hyperguard SaaS Standard is the first of several service levels to be rolled out, and it offers users Web application security monitoring, detection-only and protection modes. With a SaaS delivery model, customers have the freedom to pay on a use-case basis and avoid having to invest in owning and maintaining a solution themselves.

GoGrid customers are able to access the solution by simply deploying a GoGrid Partner Server Image (GSI) with hyperguard SaaS installed. By integrating a dWAF right into a virtual image and hosted as a SaaS, customers overcome the false sense of security created by traditional network perimeter security strategies which fail at the application level.

For additional information and details the promotion to test the service http://gogrid.artofdefence.com.

Follow this discussion on Twitter, @hyperguard, @GoGrid and #RSAC

Posted in Post | Tagged: , , | Leave a Comment »