Hyperguarding your Web Applications

Archive for the ‘Post’ Category

Free dWAF Evaluation for Breach Security Customers and Partners

Posted by hyperguard on June 25, 2010

Following the recent Trustwave and Breach Security acquisition, we will be providing Breach customers with a free evaluation of our distributed Web application firewall (dWAF) solution, hyperguard. Interested parties can trial the dWAF as a SaaS through Amazon Web Services (AWS) or download a software plug-in directly from our website. We are offering this for those who seek a future-proof solution to satisfy their immediate WAF needs. The solution is capable of supporting all future virtualization or cloud-based plans. hyperguard provides:

  • Application security monitoring for customers to understand the risk and exposure of their web and cloud applications to known attacks at the application layer without hyperguard interfering with web traffic.
  • ‘Detection only mode’ allows rule-sets to be tested but not enforced, alongside rule-sets in ‘protection mode’ that enforce already proven security policies without ever relaxing the established defenses or risking false positives.
  • hyperguard SaaS is also ideal for companies relying, or thinking about using, cloud services e.g. for application overflow resources.

AWS customers can access hyperguard SaaS by simply adding a small software plug-in to an existing web server Amazon Machine Image (AMI), or by using art of defence’s custom AMI.


Google’s SaaS Contract with Los Angeles

Posted by hyperguard on June 10, 2010

Los Angeles recently selected Google Apps to provide the city with cloud services, which over 30,000 of its employees will use. After hearing this news, we came across a blog post that looks at Los Angeles’s contracts with Google and CSC, the company implementing Google’s SaaS for the city, and its provisions. With the terms of the contract publicly available, will this set a standard for the security industry?

Los Angeles has separate contracts with Google and CSC, and based on reports, the deal includes the following terms:

  • unlimited damages for a data breach;
  • provisions allowing audits;
  • guarantees that data remain in the contiguous 48 states;
  • penalties if Google’s services are unavailable for longer than 5 minutes a month;
  • unlimited damages if its nondisclosure agreement is breached;
  • a requirement that Google encrypt the city’s data and break it into pieces when it is at rest, so that no one can get their hands on a full file;
  • a bar on Google viewing any data without permission from the city.

The contract also requires CSC to establish a security program to ensure the confidentiality of protected information, including protection against anticipated threats, unauthorized access and use, and the proper disposal of protected data. The Google contract also contains security obligations, such as “all facilities used to store and process customer data will adhere to reasonable security standards no less protective than the security standards at facilities where Google stores and processes its own information of a similar type.”

As cloud computing becomes more favorable among companies, and cities as it turns out, security is one of the most important factors to consider when moving applications to the cloud. Could these contracts become a template for the industry—helping to protect companies and clearly outline what vendors are responsible for?


Defining a New WebAppSec Role

Posted by hyperguard on May 27, 2010

As a recent WhiteHat and Ponemon Institute report points out, Web application security is a mess today. In part, this is due to mis-ownership of key technologies such as the WAF. Organizational change is needed: a new role needs to emerge that blends IT, networking and development experience, as WebAppSec ‘lives’ across each of these departments, which often compete for resources and exacerbate the issues. In fact, it takes nearly 67 days to fix a vulnerability today. So, what should this new role look like?

OWASP’s paper on best practices for the use of WAFs says the role model should be implemented primarily when the WAF carries out tasks in the context of whitelisting, in order to protect the web applications, in addition to functioning as a second line of defence and basic security. It should therefore be configured as closely as possible to the functionality of the web application.

The WAF application manager should be responsible for the infrastructure-related aspects of the WAF and will serve as a bridge between the WAF and the specialist application. The person fulfilling this role will have excellent knowledge of WAFs, so that they are able to configure and monitor the WAF for each individual application; they must also know the application well enough to classify and interpret messages coming from the WAF. A WAF application manager will normally maintain the WAF configuration for multiple applications.


Strong Passwords for Developers

Posted by hyperguard on May 13, 2010

We came across a new blog this week, EthicalHack.co.uk, that we wanted to share with our readers. It is written by Vishal Garg and dedicated to application (hacking) security. A great read, and definitely worth following.

That being said, we wanted to highlight Vishal’s latest post on web application designers and developers choosing strong passwords for web applications. This topic is usually discussed from the end user’s point of view, not the developer’s, and all too often weak password policies are implemented. This in turn requires end users to choose strong passwords on their own, which they tend not to do. Vishal provides four helpful tips to consider when implementing strong password policies within web applications:

1. Password Complexity

A strong password should contain characters from at least three of the following four categories (although implementing all four would be even better):

  • Upper case letters (A through Z)
  • Lower case letters (a through z)
  • Numbers (0 through 9)
  • Non-alphanumeric characters (e.g. !"£$%^&*@#?+ etc.)

2. Password Uniqueness

A strong password policy should enforce uniqueness of characters: avoid character repetition, number and character sequences, and passwords that are wholly or partly the same as the user name or a common dictionary word.

3. Password Length

Password length is directly proportional to the amount of time required to crack the password. Although the optimum length to hinder most password cracking attempts is considered to be more than 14 characters, a policy that requires a minimum of eight characters along with the above requirements would still be sufficient to stop most attacks.

4. Password Aging and Expiry

Password aging and expiry may be considered for high profile web sites, but this requirement needs to be considered very carefully. If implemented poorly, it may prove counterproductive; e.g. asking users to change passwords very frequently may prompt them to choose weak passwords (e.g. Password1, a password meeting three of the four complexity categories but still considered weak), or to write their password down somewhere. If considered carefully, strong password implementation policies would prevent users from choosing weak passwords and help prevent compromise of user accounts through brute force attacks.
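To make the four tips concrete, here is an added Python policy checker (our illustration, not code from Vishal’s post). The thresholds follow the text: at least three of the four character categories, no repeated or sequential characters, no overlap with the user name, and a minimum of eight characters; COMMON_WORDS is a constructed stand-in for a real dictionary.

```python
import re

# Constructed sample wordlist standing in for a real dictionary check.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}
MIN_LENGTH = 8


def category_count(pw: str) -> int:
    """Count how many of the four character categories the password uses."""
    categories = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return sum(categories)


def has_sequence(pw: str, run: int = 3) -> bool:
    """True if pw contains `run` consecutive ascending/descending characters
    (abc, 321) or the same character repeated `run` times (aaa)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def check_password(pw: str, username: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if category_count(pw) < 3:
        problems.append("uses fewer than three character categories")
    if has_sequence(pw):
        problems.append("contains repeated or sequential characters")
    low, uname = pw.lower(), username.lower()
    if uname and (uname in low or low in uname):
        problems.append("contains or is contained in the user name")
    # Strip digits and symbols so that "Password1" still matches the word "password".
    stripped = re.sub(r"[^a-z]", "", low)
    if stripped in COMMON_WORDS or low in COMMON_WORDS:
        problems.append("based on a common dictionary word")
    return problems
```

Note that Password1 passes the complexity and length checks and is only caught by the dictionary test, which is exactly the weakness the fourth tip warns about.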


art of defence Integrates hyperguard with WhiteHat Sentinel

Posted by hyperguard on April 29, 2010

We recently announced a partnership with WhiteHat Security to integrate hyperguard and the WhiteHat Sentinel website vulnerability management service. Enterprises, web hosting and cloud service providers are able to mitigate risk across any production website. Ideal for the unique cloud computing environment, customers can combine WhiteHat Sentinel’s SaaS-based website vulnerability management capabilities with art of defence’s software-based dWAF for a highly-targeted vulnerability remediation solution that enables organizations to obtain quick, easy protection from Web application attacks.

Companies that use both solutions will be able to take advantage of “virtual patching” functionality and mitigate website vulnerabilities quickly, limiting exposure to exploits. Depending on the severity level, administrators of hyperguard are able to implement a specific rule-set suggestion into protection mode immediately or test it first in ‘detect only’ mode. As a result, they always maintain control over hyperguard’s detect or protect settings, preventing accidental blocking of good Web traffic. hyperguard’s entire architecture was carefully designed to ensure that it can be integrated as flexibly and seamlessly as possible into existing security and Web infrastructures, including cloud-based services, with no disruptions or interference in service.

Follow the discussion on Twitter @hyperguard and @Whitehatsec


hyperguard Covers PCI DSS’ New “Un-validated Redirects and Forwards” Risk

Posted by hyperguard on April 21, 2010

You have probably heard that PCI DSS requirement 6.5 has been impacted by OWASP’s updated Top 10 Web application risk ranking. Specifically, the new risks “security misconfiguration” and “un-validated redirects and forwards” have been added to the list. As stated in the PCI DSS standard,

“The vulnerabilities listed at 6.5.1 through 6.5.10 were current in the OWASP guide when this version of PCI DSS [1.2] was published [July, 2009]. However, if and when the OWASP guide is updated, the current version must be used for these requirements.”

We’re not particularly happy with the “security misconfiguration” addition, at least in its current formulation and examples. The topic appears to be a bit too general, as the examples listed in the recommendations also cover hardening of operating systems, which is certainly important but perhaps not at the core of web application security. However, if restricted to applications, hyperguard, configured properly, does protect against the typical attack vectors listed, such as unauthorized access to unused pages or un-patched flaws.

On the other hand, the “un-validated redirects and forwards” is one hyperguard has protected users against for a long time. As our customers know, hyperguard has a proud history of security far beyond OWASP recommendations.

Here’s how you can cover your compliance issues for the new “un-validated redirects and forwards” Top 10 risk:

  1. Use the hyperguard Whitelist Handler and validate all parameters used in URLs, for example the url=evil.com in the request http://www.example.com/redirect.jsp?url=evil.com. The Whitelist Handler validates attributes of HTTP requests (in URLs and also in the HTTP POST request body). An argument is ONLY valid if it matches a regular expression set in the Protected-Form-Fields settings. If a parameter does not match any of the existing regular expressions for the protected input fields, the configuration item “allow-unknown-form-fields” can be set up to unconditionally allow it. If this option is not activated, hyperguard will reject the request with an error code. Unconditionally allowed requests are flagged in the log files; the administrator can use this information to further enhance the managed whitelist.
  2. For output checks on redirects, use hyperguard’s Script Handler to define the target of a redirect and to define which domain(s) are permitted.
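As an added illustration of the two checks above (our own Python, not hyperguard’s code or rule syntax), here is a validator for the url parameter of the example request: it accepts only site-relative paths or absolute URLs whose host is on an allow-list, and treats protocol-relative, userinfo and header-injection forms as unsafe. ALLOWED_HOSTS and the function names are assumptions.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed allow-list of hosts a redirect may point to (assumed example values).
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def is_safe_redirect(target: str) -> bool:
    """Output check on a redirect target: allow a site-relative path or an
    absolute http(s) URL whose hostname is allow-listed; reject everything else."""
    if not target or any(c in target for c in "\r\n\\"):
        return False                      # header injection or backslash tricks
    if target.startswith("//"):
        return False                      # protocol-relative URL leaves the site
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        return parts.path.startswith("/")  # plain relative path such as /account
    if parts.scheme not in ("http", "https"):
        return False                      # javascript:, data:, etc.
    # .hostname strips userinfo and port, so http://www.example.com@evil.com/ fails.
    return parts.hostname in ALLOWED_HOSTS


def redirect_target_from_request(url: str, param: str = "url") -> Optional[str]:
    """Input check on the request: extract the redirect parameter and return it
    only if it is present exactly once and passes is_safe_redirect."""
    values = parse_qs(urlsplit(url).query).get(param, [])
    if len(values) != 1:
        return None                       # missing or duplicated parameter
    target = values[0]
    return target if is_safe_redirect(target) else None
```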

This will take care of your compliance issue with the “un-validated redirects and forwards” OWASP risk. Our technical team is available for further help with this issue – just email us and we’ll sort out your issues: info@artofdefence.com

Follow this discussion on Twitter @hyperguard


OWASP Updates Top 10 List

Posted by hyperguard on April 19, 2010

Today, OWASP announced an updated list of the top 10 risks associated with the use of web applications in an enterprise.  This is the first time the list has been updated since 2007. The report explains these risks to software developers and managers to help organizations better secure their Web applications and services.

OWASP Top Ten List:

  • Injection
  • Cross-Site Scripting (XSS)
  • Broken Authentication and Session Management
  • Insecure Direct Object References
  • Cross-Site Request Forgery (CSRF)
  • Security Misconfiguration
  • Insecure Cryptographic Storage
  • Failure to Restrict URL Access
  • Insufficient Transport Layer Protection
  • Unvalidated Redirects and Forwards

Two risks were removed from the list: malicious file execution, because it has become a less prevalent issue, and information leakage and improper error handling, because its impact is typically minimal.

Security misconfiguration and un-validated redirects and forwards are new to the list. Security misconfiguration was added because good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. According to OWASP, all these settings should be defined, implemented, and maintained as many are not shipped with secure defaults—this includes keeping all software up to date.

Un-validated redirects and forwards were added because Web applications frequently redirect and forward users to other pages and websites and use un-trusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites or use forwards to access unauthorized pages.

The report also includes how to assess the possibility that your Web application could be at risk and offers some mitigation tips. Download the full report here.


Cross-Site Scripting Strikes Again

Posted by hyperguard on April 8, 2010

A new type of cross-site scripting (XSS) attack that exploits commonly used network administration tools could be putting users’ data at risk. Recent research by nCircle, provider of vulnerability management and compliance auditing solutions, outlines a new category of attack called “meta-information XSS” (miXSS), which could be difficult to detect. Tyler Reguly, lead security research engineer, states in his whitepaper that the attacks are taking the meta-information provided by various services and displaying it within the rendered Website.

Currently, there are three types of XSS attacks: reflected, persistent, and DOM-based. According to the whitepaper, reflected XSS refers to an attack that occurs when user input is reflected back at the user. Persistent XSS attacks store user input, letting it affect a broader scope of visitors. DOM-based XSS is an attack that modifies the Document Object Model directly without requiring data in the HTTP response.

Reguly says the XSS vulnerability could become a growing threat in the future since these Web-based tools are often used to quickly resolve network administration issues. The discovery of new types of XSS attacks stresses the importance of shielding applications with a distributed web application firewall (dWAF) to protect against them.


Scanners and WAFs Work Hand-in-Hand

Posted by hyperguard on March 31, 2010

Larry Suto, an application security consultant, recently published a sequel to his widely read 2007 research on web application scanners, which drew much attention from the industry because he claimed that scanners do not perform as well as advertised. In his sequel, Larry elaborates on and updates his initial findings by testing various vendors’ solutions, such as Acunetix, Portswigger.net BurpSuitePro, Cenzic’s Hailstorm and NT Objectives’ NTOSpider, among others, and found yet again that most Web application scanning tools missed vulnerabilities and generated false positives. While Larry’s findings are quite interesting, businesses should never rely solely on a single solution.

In this particular instance, we always urge the use of both scanners and WAFs for an added layer of security. In fact, these two technologies are melding together today, as we see from the analyst community, such as Chenxi Wang in her recent report, Web Application Firewall 2010 And Beyond. Stand-alone security solutions are almost nonexistent within the industry today. As Ofer Shezaf states in his post “WAFs are not perfect, but is any security tool perfect?”, no single security solution is sufficient; only combining multiple defense mechanisms provides adequate security, and even that does not imply 100%.


Partnering hyperguard w/ Forefront TMG

Posted by hyperguard on March 24, 2010

We recently worked with the Forefront TMG team to deliver a solution that would enable businesses in the financial services sector, particularly those who process or store credit card data, to be PCI DSS compliant. According to PCI requirement 6.6, all Web-facing applications must be protected against known attacks, such as Cross Site Scripting (XSS), SQL injection and other OWASP Top 10 threats. This requirement can be fulfilled by installing a Web application firewall (WAF) in front of Web-facing applications; however, many companies look for comprehensive security solutions that cover both the network and application layer specific requirements of PCI DSS.

We paired our WAF (hyperguard) as a software plug-in with the ISA Server/Forefront TMG to solve this common problem.  You may read about the deployment on Forefront TMG community blog at http://blogs.technet.com/isablog/hyperguard.
