Hyperguarding your Web Applications

Archive for June, 2010

Free dWAF Evaluation for Breach Security Customers and Partners

Posted by hyperguard on June 25, 2010

Following the recent Trustwave and Breach Security acquisition, we will be providing Breach customers with a free evaluation of our distributed Web application firewall (dWAF) solution, hyperguard. Interested parties can trial the dWAF as a SaaS through Amazon Web Services (AWS) or download a software plug-in directly from our website. We are offering this to those who seek a future-proof solution for their immediate WAF needs, one that also supports whatever virtualization or cloud-based plans follow. hyperguard provides:

  • Application security monitoring that lets customers understand the risk and exposure of their web and cloud applications to known application-layer attacks, without hyperguard interfering with web traffic.
  • A ‘detection only mode’ that allows new rule-sets to be tested without being enforced, alongside rule-sets in ‘protection mode’ that enforce already proven security policies, so established defenses are never relaxed and untested rules never impose false positives on live traffic.
  • hyperguard SaaS is also well suited to companies that rely on, or are considering, cloud services, e.g. for application overflow capacity.
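As an added illustration of the two rule modes described above (this is example code, not hyperguard's own engine or configuration), here is a small Python rule engine in which rules in protection mode block a matching request while rules in detection-only mode only log their matches, so an over-broad new rule can be observed and tuned before it is promoted; the rule names, patterns and sample requests are constructed for the example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    pattern: re.Pattern
    mode: str  # "protect" = enforce (block), "detect" = log only


@dataclass
class Decision:
    blocked: bool
    matched: list = field(default_factory=list)  # (rule name, mode) pairs


class RuleSet:
    """Evaluates every rule against a request; only 'protect' rules may block."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.log = []  # audit trail of (rule name, mode, path), inspected by the operator

    def evaluate(self, path, query):
        target = f"{path}?{query}"
        decision = Decision(blocked=False)
        for rule in self.rules:
            if rule.pattern.search(target):
                decision.matched.append((rule.name, rule.mode))
                self.log.append((rule.name, rule.mode, path))
                if rule.mode == "protect":  # detect-only matches never change the verdict
                    decision.blocked = True
        return decision

    def promote(self, name):
        """Move a rule that has been reviewed in detection mode into protection mode."""
        for rule in self.rules:
            if rule.name == name:
                rule.mode = "protect"


# Constructed rule-set: one proven rule enforced, one new (deliberately over-broad) rule
# kept in detection-only mode so its false positives surface in the log, not in traffic.
RULES = RuleSet([
    Rule("xss-script-tag", re.compile(r"<\s*script", re.I), "protect"),
    Rule("sqli-union-candidate", re.compile(r"\bunion\b", re.I), "detect"),
])

# Constructed sample requests: one malicious, one legitimate text that trips the new rule.
SAMPLE = [
    ("/search", "q=<script>alert(1)</script>"),
    ("/products", "category=union+suits"),
]


def run_samples(ruleset=RULES, samples=SAMPLE):
    return [ruleset.evaluate(p, q) for p, q in samples]
```

Running the samples shows the first request blocked by the enforced rule and the second allowed through while the detect-only match is recorded in `RULES.log` for review.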

AWS customers can access hyperguard SaaS by simply adding a small software plug-in to an existing web server Amazon Machine Image (AMI), or by using art of defence’s custom AMI.


Posted in Post

Weekly Industry Round-up, Week of 6/21

Posted by hyperguard on June 25, 2010

CTO Edge…
Security and Compliance in the Cloud Age
This article by Alert Logic’s Misha Govshteyn says that while the debate over private vs. public clouds carries on, there is very little attention paid to the fact that the accepted broader definition of the cloud—IT services delivered under the IaaS/PaaS/SaaS models—in effect brings about a gradual shift of the control over security from the enterprise to the service provider. He says this shift in responsibility and control will fundamentally change the way we secure our data. Enterprises and security professionals need to prepare themselves for the future demands of cloud computing by making the right decisions and deploying cloud-ready technologies today.

Cloud Computing With Less Security Risk
Paul Rubens says companies often feel their data is too sensitive to move to the cloud and that they will lose control over it and it will therefore be less secure. He offers some benefits to cloud computing, such as lower capital outlays, fixed, known monthly costs, scalability, low management overhead and immediate access to technology. Paul isn’t saying that all organizations should move all their computing tasks to the cloud, but many organizations could profit from the benefits described above if the security risk, real or perceived, could be reduced. Paul lists a number of questions to ask providers regarding security and compliance before deciding to move any applications to the cloud.

SC Magazine…
Researcher Demonstrates Twitter XSS vulnerability
This week a Twitter user demonstrated a cross-site scripting (XSS) vulnerability that could allow an attacker to take over users’ accounts or spread malware. A researcher found that the vulnerability affects the “application name” field on Twitter’s application registration page, used by developers when setting up a new Twitter application. The flaw appears to be the result of a lack of input validation on the “application name” field when new Twitter application requests are accepted. The company is aware of the issue and has fixed it for new applications, but is still working to patch it for all existing programs.

Posted in Highlights

Weekly Industry Round-up, Week of 6/14

Posted by hyperguard on June 18, 2010

Can Federal Data Privacy Live on in the Cloud?
For government, privacy and data security are a priority, and now many government IT agencies are planning to move their computing operations to the cloud. According to this article by Kenneth Corbin, the transition to the cloud is already well underway in federal IT circles, and with it John Kropf, the deputy chief privacy officer at the Department of Homeland Security, is developing policies and safeguards to keep sensitive data secure as the traditional silos of federal IT infrastructure are torn down. However, classified national security information is not on the table when government officials talk about the cloud. And many agencies have a mixture of sensitive information that may find a home on a secured private cloud, as well as troves of data that can—and should, according to the White House—be made publicly available on the Web.

Jeremiah Grossman…
Jeremiah Grossman recently asked his Twitter followers why some people feel oddly compelled to rely upon the shortcomings of Web Application Firewalls (WAFs) as a means to advocate for a Secure Development Lifecycle (SDL). He believes this is odd because the long-term, risk-reducing value provided by secure code is enough on its own to warrant the investment, and says that if you can’t demonstrate that, blame directed at WAFs seems misplaced. Most importantly, we must remember that our objective is to protect websites from being hacked. He suggests organizations should focus on the many cost-saving, risk-reducing, top-line-benefiting qualities that come with implementing a well-regulated software security program. He also says that at the end of the day, our common enemy is really the lack of application security visibility and of the allocation of necessary resources. If we come together and help address this as an industry, we’ll all be better off, and the pressure of this either/or choice will be lessened.

Cloud Security: The Basics
With cloud computing being one of the most-discussed topics among IT professionals today, this article by Mary Brandel lays out the essential concepts of cloud security. It looks at cloud models including software as a service (SaaS), infrastructure as a service (IaaS) and platform as a service (PaaS). Mary also provides examples of how four companies chose to handle some of the biggest concerns that users have, such as single sign-on, data encryption, virtualization and business continuity.

Posted in Highlights

Weekly Industry Round-up, Week of 6/7

Posted by hyperguard on June 11, 2010

Cloud Computing: Would PCI Compliance Help or Hurt Security?
This article discusses whether cloud computing environments can meet PCI compliance standards. Many security experts say they can’t answer that question yet, but the bigger question is whether meeting PCI standards would actually improve cloud security. There has been talk that cloud security would be included in the most recent update of the Payment Card Industry’s Data Security Standard (PCI DSS), which sparked debates on whether requirements designed to protect credit-card data would actually make cloud services less secure. While IT practitioners question PCI’s role in the cloud, few doubt the need for cloud security standards—a March study by IEEE and the Cloud Security Alliance found 82% of IT professionals believe the need for cloud-specific security standards is urgent.

Who Still Keeps Money Under their Mattress? The Case for Cloud Security
This post by Ryan Nichols says massive amounts of data are lost every day through the failure of on-premise technology—companies know how often e-mails or files on local or shared drives are lost or corrupted, and how easy it is in many companies to plug into the network without credentials. These incidents usually go unnoticed, but when public cloud technology fails, it makes headlines. Cloud providers spend millions of dollars on security and reliability testing every year, and their businesses depend on delivering a service that exceeds the expectations of the most demanding enterprises—this is why Ryan argues that data is probably safer in a leading cloud platform than it is in most on-premise data centers. Right now, many companies would probably disagree and say they feel safer having data in their own data center. It will be interesting to see how this debate plays out as more organizations start to adopt cloud technology.

Microsoft Finally Fixes Pwn2Own Browser Flaw
This week, Microsoft’s Patch Tuesday delivered 10 security bulletins with fixes for at least 34 documented vulnerabilities. This “patch batch” also provides cover for a known cross-site scripting flaw in the Microsoft SharePoint Server and a publicly discussed data leakage hole in Internet Explorer. Microsoft has urged its users to pay special attention to MS10-033 (Windows), MS10-034 (ActiveX killbits) and MS10-035 (Internet Explorer) because these contain fixes for issues that may be exploited by malicious hackers very soon.

Posted in Highlights

Google’s SaaS Contract with Los Angeles

Posted by hyperguard on June 10, 2010

Los Angeles recently selected Google Apps to provide the city with cloud services, which over 30,000 of its employees will use. After hearing this news, we came across a blog post that looks at Los Angeles’s contracts with Google and CSC, the company implementing Google’s SaaS for the city, and its provisions. With the terms of the contract publicly available, will this set a standard for the security industry?

Los Angeles has separate contracts with Google and CSC, and based on reports, the deal includes the following terms:
  • unlimited damages for a data breach;
  • provisions allowing audits;
  • guarantees that data remain in the contiguous 48 states;
  • penalties if Google’s services are unavailable for longer than 5 minutes a month;
  • unlimited damages if its nondisclosure agreement is breached;
  • a requirement that Google encrypt the city’s data and break it into pieces when it is at rest, so that no one can get their hands on a full file;
  • a bar on Google viewing any data without permission from the city.

The contract also requires CSC to establish a security program to ensure the confidentiality of protected information, including protection against anticipated threats, unauthorized access and use, and the proper disposal of protected data. The Google contract also contains security obligations, such as “all facilities used to store and process customer data will adhere to reasonable security standards no less protective than the security standards at facilities where Google stores and processes its own information of a similar type.”

As cloud computing becomes more favorable among companies, and cities as it turns out, security is one of the most important factors to consider when moving applications to the cloud. Could these contracts become a template for the industry—helping to protect companies and clearly outline what vendors are responsible for?

Posted in Post

Weekly Industry Round-up, Week of 5/31

Posted by hyperguard on June 4, 2010

Facebook Clickjacking Worm Infects Thousands
Last week we mentioned how clickjacking attacks use malicious iFrames inserted into a Web page to hijack a user’s Web session. Then, over the weekend, a Facebook clickjacking worm affected thousands of users, spreading malware and unwanted code onto users’ computers when they clicked a link indicating that they “like” the maliciously created Web page. Users have been encouraged to view recent activity on their Facebook news feed and delete entries related to the malicious links. They should also click on the Info tab on their personal profile and remove any of the links connecting to Web pages via their “likes and interests” section.

Enterprise Networking Planet…
Web Application Security: Are You Doing Enough?
This article by Paul Rubens discusses last month’s “State of Application Security” survey carried out by the Ponemon Institute. Many organizations are leaving their data vulnerable to theft because they spend too much of their security budgets protecting their networks and too little securing their Web applications. Securing both the network and Web applications should be key priorities, so what this comes down to is a problem of resource allocation: if you spend too much of your security budget on your network, hackers will steal data via your Web applications, but if you spend too much on your Web applications, there won’t be enough of your budget left to prevent them stealing data by breaking into your network. If companies decide to allocate more of the security budget to Web application security, Paul suggests performing regular scanning for known vulnerabilities and coding errors using a specialized Web vulnerability scanner, or even full-scale penetration testing.

The Virtualization Practice…
Defining Tenants for Secure Multi-Tenancy for the Cloud
This post by Edward Haletky argues that there is more to secure multi-tenancy (SMT) than one would imagine. So how would you define tenant, when nearly everyone has their own definition of tenant for a multi-tenant solution? Attorney David Snead defined tenant as “whatever definition is used within the contract.” If there is no definition within your contract then assumptions are made, so Edward tends to fall back on defining tenant as “the legal entity responsible for the data”; either way, you need to read your contracts carefully. Edward believes that once we can define tenant appropriately, the provider needs to offer a level of security far above what any one tenant may desire today, but which a tenant can acquire at some point as necessary. After we define tenant satisfactorily, we should start to look at what we need from the provider and what is really left to the tenant to implement, in other words: roles and responsibilities.

Posted in Highlights