Hyperguarding your Web Applications

Archive for May, 2010

Weekly Industry Round-up, Week of 5/24

Posted by hyperguard on May 28, 2010

Cloud Computing Basics: Planning and Understanding a Cloud Strategy
This article by John Weathington says there’s still a lot of confusion around what the cloud is and there shouldn’t be. For midmarket companies, cloud services are simply a way to outsource issues to a third party on a pay-as-you-use engagement model. However, companies are concerned about cloud security because anytime you trust a third party, you run risks. And there will be some cases, particularly when data privacy is a concern, where the risks may outweigh potential benefits. John suggests looking at some low-risk/high-value cloud plays like collaboration as a starting point, and building from there. Once you understand how to make your cloud strategy work for you, you might actually find you’re a cloud computing enthusiast.

Dark Reading…
Anti-Clickjacking Defenses ‘Busted’ In Top Websites
New research from Stanford University and Carnegie Mellon University’s Silicon Valley campus found that frame-busting, a popular technique that basically stops a website from operating when it’s loaded inside a frame, does not prevent clickjacking. Clickjacking attacks use malicious iFrames inserted into a Web page to hijack a user’s Web session. The researchers used a security feature in the Internet Explorer and Google Chrome browsers to demonstrate clickjacking attacks against the websites’ frame-busting methods. The browsers’ cross-site scripting (XSS) filter was tricked into treating the frame-busting code as an XSS attack: the script is tacked onto the URL, the browser sees what looks like URL content reflected into the Web page and attempts to block it, and so it blocks the site’s own frame-busting script from executing.

PCI Tokenization Guidance Could Benefit Payment Processors
The Payment Card Industry Security Standards Council (PCI SSC) is expected to release guidance later this year on the use of tokens to replace credit card data. This move could benefit some payment processors that sell technologies using encryption and tokenization to eliminate sensitive card information from merchant systems. According to Bob Russo, general manager of the PCI SSC, there won’t be any major changes to the data security standards (PCI DSS), but guidance documents are being developed to help merchants decide whether investing in encryption or PCI tokenization technologies is a good move.

Posted in Highlights | Leave a Comment »

Defining a New WebAppSec Role

Posted by hyperguard on May 27, 2010

As a recent WhiteHat and Ponemon Institute report points out, Web application security is a mess today. In part, this is due to mis-ownership of key technologies such as the WAF. Organizational change is needed – a new role needs to emerge that blends IT, networking and development experience – as WebAppSec ‘lives’ across each of these departments, which often compete for resources and exacerbate the issues. In fact, it takes nearly 67 days to fix a vulnerability today. So, what should this new role look like?

OWASP’s paper on best practices for the use of WAFs says the role model should be implemented primarily when the WAF carries out tasks in the context of whitelisting in order to protect the web applications, in addition to functioning as a second line of defence and basic security. The WAF should therefore be configured as closely as possible to the functionality of the web application.

The WAF application manager should be responsible for the infrastructure-related aspects of the WAF and will serve as a bridge between the WAF and the specialist application. The person fulfilling this role will have excellent knowledge of WAFs, so that he or she is able to configure and monitor the WAF for each individual application; they must also know the application well enough to classify and interpret messages coming from the WAF. A WAF application manager will normally maintain the WAF configuration for multiple applications.

Posted in Post | Leave a Comment »

Weekly Industry Round-up, Week of 5/17

Posted by hyperguard on May 21, 2010

Information Management…
Rejecting Injections, to Protect Customer Records
Last month, the Financial Industry Regulatory Authority announced that it was fining Montana-based broker-dealer D.A. Davidson $375,000 for failing to protect customer information. This shows that protecting servers and educating employees about server design are the best first lines of defense. Davidson did not employ technical safeguards to protect customer records stored in a database housed on a Web server with a constant open Internet connection. In addition to employing code security and a scanner, organizations need a Web application firewall that looks at traffic to and from the server to check for SQL attacks and other vulnerabilities.

IT Knowledge Exchange…
SQL Injection Attack Used in Breach of 168,000 Netherlands Travelers
An attacker has discovered a serious flaw in a website set up to encourage the use of smart cards for public transportation in the Netherlands, resulting in the leakage of personal information of more than 168,000 travelers. Information about the flaw was exposed by an anonymous hacker who gave the magazine a video demonstrating the error using a SQL injection attack. The hacker told the magazine that he made the flaw publicly available because there is no excuse for simple website mistakes.

Andy IT Guy…
Why Compliance is Chosen over Security
In this post, Andy discusses an article by Kevin Beaver about how the business continues to choose compliance over true security even though the security people know that it’s a bad idea. Andy says those who do understand still are not doing a good job translating the danger into a language that the business understands. He says the cost/benefit trade-off is not enough for management to buy—they would rather accept the risk, take the chance and deal with the consequences. Also, there is no guarantee that Security X will prevent a breach, but you can be sure that it will quite possibly break something and/or cause lots of user issues.

Posted in Highlights | Leave a Comment »

Weekly Industry Round-up, Week of 5/10

Posted by hyperguard on May 14, 2010

Study on Security in Cloud Computing Shows Angst, Rogue Users
According to a new study, many IT professionals in Europe and the U.S. acknowledge that cloud computing risks are being ignored by some employees who may already be using cloud services. Those surveyed said that some parts of the organization may be using cloud computing services without their knowledge. More than 50% of respondents in the U.S. said their organization is unaware of all the cloud services deployed in their enterprise. The survey also found that many organizations had a lack of understanding of who is ultimately responsible for ensuring security of data in cloud computing environments.

The Register…
White House Devs Overlooked Drupal Vulnerability
This week, a researcher uncovered a potentially serious vulnerability in the open-source content management system used by the White House website and thousands of other sites. The cross-site scripting (XSS) bug resides in the Drupal Context module, a plug-in that Whitehouse.gov and about 10,000 other sites use to manage how content is viewed on their sites. According to an advisory, the flaw allows attackers to inject malicious scripts into login pages that will reset the site’s administrative password.

Cloud Computing: Security’s Friend and Enemy
At last week’s All About the Cloud conference, Marc Olesen, Senior Vice President and General Manager of McAfee, said the cloud is our friend and our enemy. According to Marc, by attacking cloud security in three ways: security from the cloud, security in the cloud and security for the cloud, there’s a better chance at preventing threats before they cause issues. A recent post by Chris Hoff also looks at these three models. In the cloud refers to security products, solutions and technology, such as firewalls, deployed within cloud computing environments. For the cloud includes security services that are specifically targeted toward securing other cloud computing services, and are delivered by providers. By the cloud refers to security services delivered by cloud computing services, which are used by the providers in option #2 and often rely on the features described in option #1. Think of basically any service that brands itself as ‘cloud.’

Posted in Highlights | Leave a Comment »

Strong Passwords for Developers

Posted by hyperguard on May 13, 2010

Came across a new blog this week—EthicalHack.co.uk—that we wanted to share with our readers. It is written by Vishal Garg and dedicated to application security (and hacking). A great read, and definitely worth following.

That being said, we wanted to highlight Vishal’s latest post on web application designers and developers choosing strong password policies for web applications. This topic is usually discussed from the end user’s point of view—not from the developer’s—and all too often weak password policies are implemented. That in turn leaves it up to end users to choose strong passwords, which they tend not to do. Vishal provides four helpful tips to consider when implementing strong password policies within web applications:

1. Password Complexity

A strong password should contain characters from at least three of the following four categories (although implementing all four would be even better):

  • Upper case letters (A through Z)
  • Lower case letters (a through z)
  • Numbers (0 through 9)
  • Non-alphanumeric characters (e.g. !”£$%^&*@#?+ etc.)

2. Password Uniqueness

A strong password should enforce uniqueness of characters—avoid character repetition, number and character sequences, full or part of the password that is the same as the user name or common dictionary words.

3. Password Length

Password length is directly proportional to the amount of time required to crack the password. Although the optimum length to hinder most password cracking attempts is considered to be more than 14 characters, implementing a policy that requires a minimum of eight characters along with the above requirements would still be sufficient to stop most attacks.

4. Password Aging and Expiry

Password aging and expiry may be considered for high-profile web sites, but this requirement needs to be considered very carefully. If implemented poorly, it may prove to be counterproductive; e.g. asking users to change passwords very frequently may prompt them to choose weak passwords (e.g. Password1 – a password meeting the first three complexity requirements, but still considered a weak password), or to write their password down somewhere. If considered carefully, strong password implementation policies would prevent users from choosing weak passwords and help prevent compromise of user accounts through brute force attacks.
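The first three tips above (complexity, uniqueness, length) can be enforced server-side at registration and password-change time. The following is an added example, written for this page and not code from Vishal’s post or from hyperguard: a small policy checker that counts character categories, rejects runs of repeated or sequential characters, rejects passwords that contain the user name or a common dictionary word, and enforces the eight-character minimum. The word list is a constructed stand-in (a real deployment would load a proper dictionary), and the thresholds are assumptions taken from the rules as stated above. With a dictionary check in place, the `Password1` case mentioned under tip 4 is rejected by the uniqueness rule rather than slipping through on complexity alone.

```python
"""Password policy checker implementing the complexity, uniqueness and length rules."""
import string

MIN_LENGTH = 8       # rule 3: minimum eight characters (assumed threshold from the post)
MIN_CATEGORIES = 3   # rule 1: at least three of the four character classes
RUN_LENGTH = 3       # rule 2: three identical or sequential characters in a row is rejected
# Constructed stand-in for a real word list (assumption; load a full dictionary in production).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "monkey"}


def count_categories(password):
    """Rule 1: count how many of upper / lower / digit / non-alphanumeric classes appear."""
    classes = (
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c not in string.ascii_letters + string.digits for c in password),
    )
    return sum(classes)


def has_run(password):
    """Rule 2: detect RUN_LENGTH repeated or sequential characters, e.g. 'aaa', 'abc', '321'.

    Comparison is done on the lower-cased password so 'AbC' counts as a sequence too.
    """
    codes = [ord(c) for c in password.lower()]
    for i in range(len(codes) - RUN_LENGTH + 1):
        window = codes[i:i + RUN_LENGTH]
        steps = {b - a for a, b in zip(window, window[1:])}
        # All steps 0 -> repetition; all +1 -> ascending; all -1 -> descending.
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def contains_name_or_word(password, username):
    """Rule 2: reject a password that contains the user name (or is part of it) or a common word."""
    pw = password.lower()
    name = username.lower()
    if name and (name in pw or pw in name):
        return True
    return any(word in pw for word in COMMON_WORDS)


def check_password(password, username=""):
    """Return the list of rule names the candidate violates; an empty list means it passes."""
    failures = []
    if count_categories(password) < MIN_CATEGORIES:
        failures.append("complexity")
    if has_run(password) or contains_name_or_word(password, username):
        failures.append("uniqueness")
    if len(password) < MIN_LENGTH:
        failures.append("length")
    return failures


if __name__ == "__main__":
    # Constructed sample candidates for user 'alice'.
    for candidate in ("Password1", "Tr0ub4dor&3", "alice2010!", "abc123"):
        print(candidate, check_password(candidate, "alice") or "ok")
```

The checker returns the failed rule names rather than a boolean so the application can tell the user which requirement was missed; it deliberately says nothing about aging or expiry (tip 4), which is a policy decision about the account lifecycle rather than a property of the password string.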

Posted in Post | Leave a Comment »

Weekly Industry Round-up, Week of 5/3

Posted by hyperguard on May 7, 2010

Bank Info Security…
Tippett’s Top 10 Security Predictions
In this post, Peter Tippett, head of Verizon’s information security team, says security protection in the next 10 years will become more effective and widespread. Peter shared his 2010 predictions and some of them were quite interesting. Threats will emerge that we haven’t thought of yet, and we will need to find new ways to beat the cyber criminals, but the overall security climate will get better. He also predicts that more security services will become part of the cloud, and many of the basics will be included in the pipe. Software-as-a-Service (SaaS) and numerous, diverse cloud services will dominate the software, storage, and computer-platform delivery models. Providers will offer better security features and controls than the current excess of diverse and individually deployed enterprise systems.

Cloud Computing is More Secure than You Think
There has been debate on whether cloud services are sophisticated enough to handle mission-critical applications reliably and securely. Roger Grimes says they are, and choosing one or more cloud services could actually reduce expense and security risks for the average company. He says most of the computer security problems we’ll face in the future will be similar to today’s threats, but it will take a new amount of effort to contain the problem and apply the fix.

Rational Survivability…
Dear SaaS Vendors: If Cloud Is The Way Forward & Companies Shouldn’t Spend $ On Privately-Operated Infrastructure, When Are You Moving Yours To Amazon Web Services?
Chris Hoff discusses how Software as a Service (SaaS) vendors often say that infrastructure is irrelevant, and that cloud computing has fundamentally changed the way we consume computing resources. However, many SaaS providers continue to build their software and choose to run it in their own datacenters on their own infrastructure. He feels it is hypocritical for SaaS vendors to convince others to move their software when they haven’t done the same.

Posted in Highlights | Leave a Comment »