Hyperguarding your Web Applications

Archive for April, 2010

Weekly Industry Round-up, Week of 4/26

Posted by hyperguard on April 30, 2010

Ponemon Institute…
eWEEK and Dark Reading discussed two reports issued by the Ponemon Institute this week. The first, commissioned by Imperva and WhiteHat Security, found that 70 percent of the respondents felt their organizations do not allocate sufficient resources to secure critical Web applications. The results show that 73 percent said senior executives were not strongly supporting Web app security efforts. To resolve this issue, communication between security operations and app development teams will need to improve.

The second, sponsored by security vendor PGP, found that a data breach in the United States could cost enterprises twice as much as in other countries because of stringent regulations. In the U.S., where 46 states have introduced laws forcing organizations to publicly disclose the details of breach incidents, the cost per lost record was 43 percent higher than the global average. In Germany, where equivalent laws were recently passed, costs were second highest. In Australia, France, and the U.K., where data breach notification laws have not yet been introduced, costs were all below the average.

Engaging Your Staff in Data Protection
While breaches cannot be eliminated, staff engagement in a data protection program can help reduce risk. For data protected by state or federal laws, such as social security numbers (SSN), personal credit card numbers (CCN), or protected health information (PHI), there are typically legally mandated notification requirements, and potentially fines. If you are dealing with credit cards, you also have to conform to PCI-DSS, otherwise your merchant status is at risk. To help engage staff in data protection, employees should know the processes and understand the data classifications. Companies should also think about what messages to send that will encourage staff to take ownership of protecting the information.

Zero Day…
Serious XSS flaw haunts Microsoft SharePoint
It seems that every week we are hearing about cross-site scripting (XSS) attacks affecting another company. This week, Microsoft’s security response team confirmed the existence of a serious XSS vulnerability in the Microsoft SharePoint Server 2007 product. The vulnerability, which can be exploited via the browser, could allow an attacker to run arbitrary JavaScript in a victim’s browser in the context of the vulnerable SharePoint site. Microsoft said it was aware of the issue and promised to issue guidance for affected customers.

Posted in Highlights | Leave a Comment »

art of defence Integrates hyperguard with WhiteHat Sentinel

Posted by hyperguard on April 29, 2010

We recently announced a partnership with WhiteHat Security to integrate hyperguard and the WhiteHat Sentinel website vulnerability management service. Enterprises, web hosting and cloud service providers are able to mitigate risk across any production website. Ideal for the unique cloud computing environment, customers can combine WhiteHat Sentinel’s SaaS-based website vulnerability management capabilities with art of defence’s software-based dWAF for a highly-targeted vulnerability remediation solution that enables organizations to obtain quick, easy protection from Web application attacks.

Companies that use both solutions will be able to take advantage of “virtual patching” functionality and mitigate website vulnerabilities quickly, limiting exposure to exploits. Depending on the severity level, administrators of hyperguard are able to implement a specific rule-set suggestion into protection mode immediately or test it first in ‘detect only’ mode. As a result, they always maintain control over hyperguard’s detect or protect settings, preventing accidental blocking of good Web traffic. hyperguard’s entire architecture was carefully designed to ensure that it can be integrated as flexibly and seamlessly as possible into existing security and Web infrastructures, including cloud-based services, with no disruptions or interference in service.

Follow the discussion on Twitter @hyperguard and @Whitehatsec

Posted in Post | Leave a Comment »

Weekly Industry Round-up, Week of 4/19

Posted by hyperguard on April 23, 2010

Around the blogosphere…
There has been a lot of discussion this week around Microsoft’s plans to fix an Internet Explorer 8 cross-site scripting problem. Microsoft will plug a hole in a built-in filter in IE8 that can be used to launch the very types of attacks on Web sites it was designed to help prevent. The company will update the IE cross-site scripting (XSS) filter in June to fix a hole that researchers warned about at last week’s Black Hat Europe conference. The researchers showed how problems with the filter could be used to inject malicious code onto sites including Google, Microsoft’s Bing search site and Twitter. Check out articles on this issue at CNET, Computerworld and ZDNet.

eSecurity Planet…
Cloud Faces Security Challenges
David Needle discusses whether cloud computing adoption is hurt by security issues, compliance concerns or just a poorly chosen name. These issues were recently raised during a panel on cloud security at the AlwaysOn OnDemand conference. Some of the panelists said the term ‘cloud’ has hurt the concept because it takes a business process and makes it sound “out there.” Others argued that it’s about governance and control issues. Security is a high concern for many companies, but it’s not the only reason they have not moved applications to the cloud yet.

10 Most Dangerous Web App Security Risks
As we mentioned earlier in the week, OWASP announced an update to its list of the most dangerous issues facing Web app developers. This slideshow presents the Top 10 vulnerabilities impacting Web applications and some advice from OWASP as to what Web developers and IT managers can do to stop these security threats.

Posted in Highlights | Leave a Comment »

hyperguard Covers PCI DSS’ New “Un-validated Redirects and Forwards” Risk

Posted by hyperguard on April 21, 2010

You have probably heard that PCI DSS requirement 6.5 has been impacted by the updated OWASP Top 10 Web application risk ranking. Specifically, the new risks “security misconfiguration” and “un-validated redirects and forwards” have been added to the list. As stated in the PCI DSS standard,

“The vulnerabilities listed at 6.5.1 through 6.5.10 were current in the OWASP guide when this version of PCI DSS [1.2] was published [July, 2009]. However, if and when the OWASP guide is updated, the current version must be used for these requirements.”

We’re not particularly happy with the “security misconfiguration” addition, at least in its current formulation and examples. The topic appears to be a bit too general, as the examples listed in the recommendations also cover hardening of operating systems, which is certainly important but perhaps not at the core of web application security. However, if restricted to applications, hyperguard – configured properly – does protect against the typical attack vectors listed, such as unauthorized access to unused pages or un-patched flaws.

On the other hand, the “un-validated redirects and forwards” is one hyperguard has protected users against for a long time. As our customers know, hyperguard has a proud history of security far beyond OWASP recommendations.

Here’s how you can cover your compliance issues for the new “un-validated redirects and forwards” Top 10 risk:

  1. Use the hyperguard Whitelist Handler and validate all parameters used in URLs, for example the url=evil.com in the request http://www.example.com/redirect.jsp?url=evil.com. The Whitelist Handler validates attributes of HTTP requests (in URLs and also in the HTTP POST request body). An argument is ONLY valid if it matches a regular expression set in the Protected-Form-Fields settings. If a parameter does not match any of the regular expressions for the protected input fields, the configuration item “allow-unknown-form-fields” can be set to allow it unconditionally; if that option is not activated, hyperguard rejects the request with an error code. Unconditionally allowed requests are flagged in the log files, and the administrator can use this information to further refine the managed whitelist. Note that while “allow-unknown-form-fields” is active, a redirect parameter without its own Protected-Form-Fields entry passes through unchecked, so the url parameter needs an explicit expression of its own, anchored at both ends.
  2. For output checks on redirects, use hyperguard’s Script Handler to inspect the target of a redirect and to define which domain(s) are permitted.
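
The same check independent of any particular WAF, as an added example that is not hyperguard’s code: a Node.js function that validates the url parameter of a redirect against an allowlist of hosts, shown beside the naive prefix pattern it replaces and beside the key-to-destination mapping that OWASP recommends where the set of destinations is finite. The site origin www.example.com, the partner host partner.example.org and the destination keys are assumptions made for illustration.

```javascript
// Added example (not hyperguard's code): validating a redirect parameter such as
//   http://www.example.com/redirect.jsp?url=...
// before the application issues a 302. Site origin and allowlisted hosts are
// assumed for illustration.

const SITE_BASE = 'https://www.example.com/';
const ALLOWED_HOSTS = new Set(['www.example.com', 'partner.example.org']);

// A pattern of the kind often dropped into a "protected field" rule: accept
// anything starting with our origin or with a slash. It is here only to show
// the bypasses; the checks below it are the ones to use.
const NAIVE_RE = /^(https?:\/\/www\.example\.com|\/)/;
function naiveCheck(raw) {
  return NAIVE_RE.test(raw);
}

// Parser-based check. The raw value is resolved against the site exactly as a
// browser would resolve it, so "//evil.com", "\\evil.com" and "/\evil.com"
// all normalise to https://evil.com/ and are caught by the host comparison.
// Returns the normalised absolute URL to redirect to, or null to refuse.
function validateRedirectTarget(raw) {
  let target;
  try {
    target = new URL(raw, SITE_BASE);
  } catch (e) {
    return null;                                   // unparsable input
  }
  if (target.protocol !== 'https:' && target.protocol !== 'http:') {
    return null;                                   // javascript:, data:, ...
  }
  if (target.username !== '' || target.password !== '') {
    return null;                                   // https://www.example.com@evil.com/
  }
  if (!ALLOWED_HOSTS.has(target.hostname)) {
    return null;                                   // exact match: www.example.com.evil.com fails
  }
  return target.href;
}

// Stricter alternative for a finite set of destinations: the parameter carries
// a key, never a URL, so there is no URL syntax left to get wrong. The keys and
// destinations are constructed for the example.
const DESTINATIONS = new Map([
  ['home', '/'],
  ['account', '/account'],
  ['partner-help', 'https://partner.example.org/help'],
]);
function redirectByKey(key) {
  return DESTINATIONS.has(key) ? DESTINATIONS.get(key) : null;
}
```

The naive pattern accepts https://www.example.com.evil.com/ (the prefix matches) and //evil.com (it starts with a slash), both of which the parser-based check refuses; a regex in a WAF rule should therefore be anchored at both ends and, where possible, compared against the parsed host rather than the raw string. The page’s own example value evil.com resolves to the harmless same-site path https://www.example.com/evil.com, which the validator correctly accepts.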

This will take care of your compliance issue with the “un-validated redirects and forwards” OWASP risk. Our technical team is available for further help with this issue – just email us and we’ll sort out your issues: info@artofdefence.com

Follow this discussion on Twitter @hyperguard

Posted in Post | Leave a Comment »

OWASP Updates Top 10 List

Posted by hyperguard on April 19, 2010

Today, OWASP announced an updated list of the top 10 risks associated with the use of web applications in an enterprise.  This is the first time the list has been updated since 2007. The report explains these risks to software developers and managers to help organizations better secure their Web applications and services.

OWASP Top Ten List:

  • Injection
  • Cross-Site Scripting (XSS)
  • Broken Authentication and Session Management
  • Insecure Direct Object References
  • Cross-Site Request Forgery (CSRF)
  • Security Misconfiguration
  • Insecure Cryptographic Storage
  • Failure to Restrict URL Access
  • Insufficient Transport Layer Protection
  • Unvalidated Redirects and Forwards

Two risks were removed from the list: malicious file execution, because it has become a less prevalent issue, and information leakage and improper error handling, because its impact is typically minimal.

Security misconfiguration and un-validated redirects and forwards are new to the list. Security misconfiguration was added because good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. According to OWASP, all these settings should be defined, implemented, and maintained as many are not shipped with secure defaults—this includes keeping all software up to date.

Un-validated redirects and forwards were added because Web applications frequently redirect and forward users to other pages and websites and use un-trusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites or use forwards to access unauthorized pages.

The report also includes how to assess the possibility that your Web application could be at risk and offers some mitigation tips. Download the full report here.

Posted in Post | Leave a Comment »

Weekly Industry Round-up, Week of 4/12

Posted by hyperguard on April 16, 2010

SC Magazine…
Apache.org Hit by Targeted XSS Attack
The open-source Apache Software Foundation recently suffered a cross-site scripting (XSS) attack against its infrastructure—resulting in users’ passwords being compromised. The targeted attack allowed hackers to break into the server hosting Apache.org’s software and steal encrypted passwords. Hackers also launched a brute force attack and gained administrator privileges on an account, allowing them to browse and copy the file system. As we discussed last week, new types of XSS attacks are being discovered—this once again stresses the importance of using strong passwords and using a distributed web application firewall (dWAF) to protect applications from these attacks.

eSecurity Planet…
Cloud Security in the U.S.
A recent study by Symantec and the Ponemon Institute looks at the procedures, policies and tools that U.S. companies currently have in place to ensure data security in the cloud. It found that only 27 percent of respondents had any procedures in place for approving cloud applications that use sensitive information. Check out the full report here.

Network World…
Virtualization and cloud security modeled on NAC
Andreas M. Antonopoulos discusses how virtualization and cloud computing have impacted the security industry and that network access control (NAC) can help coordinate cloud security. According to Andreas, NAC can not only show us a good architectural approach to virtualization and cloud security, but the resulting technologies can be applied directly at the heart of data centers.

OWASP Top 10 List Revised
In this podcast, Rob Westervelt speaks with Jeff Williams, a co-author of the OWASP Top 10 List. Jeff explains some of the changes incorporated into the latest version due out next week. This is the first time the list has been updated in 3 years.

Posted in Highlights | Leave a Comment »

Weekly Industry Round-up, Week of 4/5

Posted by hyperguard on April 9, 2010

Firefox Plans Fix for Decade-Old Browsing History Leak
Dan Goodin discusses how Firefox developers are getting close to plugging an information leakage hole that has affected every major browser for over a decade. Web masters can easily compile huge lists of links visitors have previously viewed. Fixing it has been difficult because programmers didn’t know how to close the hole without breaking key web functionality. A Mozilla security team member says the hole will soon be closed in the open-source browser in a way that won’t sacrifice usability. Dan says these changes are a step in the right direction even if they don’t completely eliminate the problem.

Insecure about Security…
Interesting Data about Data Breaches
Jon Oltsik looks at a recent ESG Research survey, which asked security professionals at enterprise organizations whether their organization had suffered a data breach within the last year. Here are the results: 63% responded no; 23% said yes, there was one incident; and 11% said yes, there were several incidents. Interestingly enough, organizations that must comply with more than three government or industry regulations suffered more breaches.

Tactical Web Application Security…
WAF Confusion Continues
Ryan Barnett of Breach Security discusses a recent analyst briefing held by Frost & Sullivan, which provided an overview of the WAF market in the Asia Pacific region. The presentation showed that there are still misconceptions about WAFs— organizations don’t fully understand what they are and when they need them. Many respondents felt having a powerful network firewall is sufficient to make up for a lack of a WAF. We hope this confusion will clear up and organizations will better understand the need for a distributed web application firewall (dWAF) to protect against vulnerabilities and attacks.

Posted in Highlights | Leave a Comment »

Cross-Site Scripting Strikes Again

Posted by hyperguard on April 8, 2010

A new type of cross-site scripting (XSS) attack that exploits commonly used network administration tools could be putting users’ data at risk. Recent research by nCircle, provider of vulnerability management and compliance auditing solutions, outlines a new category of attack called “meta-information XSS” (miXSS), which could be difficult to detect. Tyler Reguly, lead security research engineer, states in his whitepaper that the attacks are taking the meta-information provided by various services and displaying it within the rendered Website.

Currently, three types of XSS attacks are distinguished: reflected, persistent, and DOM-based. According to the whitepaper, reflected XSS occurs when user input is reflected back to the user in the response to that same request. Persistent XSS stores the user input on the server, so it affects a broader scope of visitors. DOM-based XSS modifies the Document Object Model directly through client-side script, so the payload need not appear in the HTTP response at all.

Reguly says the XSS vulnerability could become a growing threat in the future since these Web-based tools are often used to quickly resolve network administration issues. The discovery of new XSS variants stresses the importance of shielding applications with a distributed web application firewall (dWAF) to protect against them.
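
As an added example, not from the nCircle whitepaper and not hyperguard’s code, of the defence common to the reflected, persistent and miXSS cases, the Node.js code below renders a constructed network-admin table of reverse-DNS names and HTTP Server headers, data that is meta-information controlled by the remote host rather than by the tool’s user. It shows the unescaped rendering, the common half-fix that escapes only angle brackets, and the context-aware escaping that neutralises both a script tag in element content and a quote break-out inside an attribute. The record values, the escape functions and the hasInjectedMarkup() check are all constructed for the example.

```javascript
// Added example (not from the nCircle whitepaper, not hyperguard's code):
// output encoding matched to the HTML context, demonstrated on meta-information
// a network-admin tool would display. Records below are constructed.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// Full HTML escaping: safe for element content and for double-quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (c) => HTML_ESCAPES[c]);
}

// The half-measure found in many codebases: only the tag delimiters are escaped.
function escapeTagsOnly(value) {
  return String(value).replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Constructed records as they might come back from a PTR lookup and an HTTP
// probe. The second host is run by an attacker who chose both values.
const RECORDS = [
  { ip: '192.0.2.10', ptr: 'web1.example.net', server: 'Apache/2.2.15' },
  { ip: '192.0.2.66',
    ptr: '<script>alert(document.cookie)</script>.attacker.example',
    server: 'nginx" onmouseover="alert(1)' },
];

// Vulnerable: values are concatenated into the page as-is. Whether the source
// was the request (reflected), a database (persistent) or a remote service
// (miXSS), the sink is the same.
function renderRowUnsafe(r) {
  return `<tr><td>${r.ip}</td><td title="${r.server}">${r.ptr}</td></tr>`;
}

// Partially fixed: the <script> in element content is neutralised, but the
// Server header lands in an attribute, where a double quote closes the value
// and an event handler follows. Escaping only < and > misses that context.
function renderRowTagsOnly(r) {
  return `<tr><td>${escapeTagsOnly(r.ip)}</td><td title="${escapeTagsOnly(r.server)}">${escapeTagsOnly(r.ptr)}</td></tr>`;
}

// Fixed: every interpolation is escaped for the context it lands in; escapeHtml
// covers both element content and double-quoted attribute values.
function renderRowSafe(r) {
  return `<tr><td>${escapeHtml(r.ip)}</td><td title="${escapeHtml(r.server)}">${escapeHtml(r.ptr)}</td></tr>`;
}

function renderTable(records, renderRow) {
  return `<table>${records.map(renderRow).join('')}</table>`;
}

// Crude detector used to compare the three renderers: does the output contain
// a live <script> tag or a quote followed by an event-handler attribute?
// It is a check for this example, not a general XSS filter.
function hasInjectedMarkup(html) {
  return /<script\b/i.test(html) || /"\s+on\w+\s*=/i.test(html);
}
```

Server-side escaping does not reach the DOM-based class described above: there the sink is client-side script, and the equivalent discipline in the browser is to write untrusted data with textContent rather than innerHTML.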

Posted in Post | Leave a Comment »

Weekly Industry Round-up, Week of 3/29

Posted by hyperguard on April 2, 2010

Infonetics Research…
Security SaaS Market Worth the Hype: Up 70% in 2009
According to a recent Infonetics report, the security services market is strong and growing. The reasons for this include increasing global demand from organizations due to the proliferation of security threats of all types, the complexity of current security solutions, widespread use of diverse devices and the desire of product manufacturers and service providers to add recurring revenue and improve margins. Jeff Wilson says strong interest in and broad availability of software-as-a-service (SaaS) security offerings will help drive growth in the overall managed security services market over the next few years.

Plug Into the Cloud…
Why Multitenancy Matters in the Cloud
Alok Misra discusses the debate in the software industry over whether multitenancy is a prerequisite for cloud computing. Those considering cloud applications should care about this issue because multitenancy is the most direct path to spending less and getting more from a cloud application. Alok says it’s a matter of simple revenue and cost economics of cloud services. Multitenancy spreads the cost of the infrastructure and labor across the customer base—customers sharing resources right down to the database schema is ideal for scaling.

Dark Reading…
Organizations Rarely Report Breaches to Law Enforcement
This Kelly Jackson Higgins article says most organizations hit by breaches that don’t require public disclosure don’t call in law enforcement; they consider it an exposure risk, with little chance of gaining any intelligence from investigators about the attack. The FBI says it will protect the privacy and data of victim organizations and will share what information it can from its investigation, rather than continue the mostly one-way sharing that organizations have traditionally experienced when dealing with the FBI.

Posted in Highlights | Leave a Comment »