Hyperguarding your Web Applications

Weekly Industry Round-up, Week of 5/24

Posted by hyperguard on May 28, 2010

Cloud Computing Basics: Planning and Understanding a Cloud Strategy
This article by John Weathington says there’s still a lot of confusion around what the cloud is and there shouldn’t be. For midmarket companies, cloud services are simply a way to outsource issues to a third party on a pay-as-you-use engagement model. However, companies are concerned about cloud security because anytime you trust a third party, you run risks. And there will be some cases, particularly when data privacy is a concern, where the risks may outweigh potential benefits. John suggests looking at some low-risk/high-value cloud plays like collaboration as a starting point, and building from there. Once you understand how to make your cloud strategy work for you, you might actually find you’re a cloud computing enthusiast.

Dark Reading…
Anti-Clickjacking Defenses ‘Busted’ In Top Websites
New research from Stanford University and Carnegie Mellon University’s Silicon Valley campus found that frame-busting, a popular technique that basically stops a website from operating when it’s loaded inside a frame, does not prevent clickjacking. Clickjacking attacks use malicious iFrames inserted into a Web page to hijack a user’s Web session. The researchers used a security feature in Internet Explorer and Google Chrome browsers to demonstrate clickjacking attacks against the websites’ frame-busting methods. The cross-site scripting (XSS) filter in the browsers basically tricked the browser into seeing frame-busting as an XSS attack: you tack it onto the URL and the browser says it looks like a URL appearing in a Web page and attempts to block it, so it blocks the frame-busting script from executing.

PCI Tokenization Guidance Could Benefit Payment Processors
The Payment Card Industry Security Standards Council (PCI SSC) is expected to release guidance later this year on the use of tokens to replace credit card data. This move could benefit some payment processors that sell technologies using encryption and tokenization to eliminate sensitive card information from merchant systems. According to Bob Russo, general manager of the PCI SSC, there won’t be any major changes to the data security standards (PCI DSS), but guidance documents are being developed to help merchants decide whether investing in encryption or PCI tokenization technologies is a good move.


Posted in Highlights | Leave a Comment »

Defining a New WebAppSec Role

Posted by hyperguard on May 27, 2010

As a recent WhiteHat and Ponemon Institute report points out, Web application security is a mess today. In part, this is due to miss-ownership of key technologies such as the WAF. Organizational change is needed – a new role needs to emerge that blends IT, networking and development experience – as WebAppSec ‘lives’ across each of these departments, who often compete for resources and exacerbate the issues. In fact, it takes nearly 67 days to fix a vulnerability today. So, what should this new role look like?

OWASP’s paper on best practices for the use of WAF, says the role model should be implemented primarily when the WAF carries out tasks in the context of whitelisting, in order to protect the web applications, in addition to functioning as a second line of defence and basic security. It should therefore be configured as closely as possible to the functionality of the web application.

The WAF application manager should be responsible for the infrastructure-related aspects of the WAF and will serve as a bridge between the WAF and the specialist application. The person fulfilling this role will have excellent knowledge of WAFs that he / she are able to configure and monitor it for each individual application; they must know the application well to be able to classify and interpret messages coming from the WAF. A WAF application manager will normally maintain the WAF configuration for multiple applications.

Posted in Post | Leave a Comment »

Weekly Industry Round-up, Week of 5/17

Posted by hyperguard on May 21, 2010

Information Management…
Rejecting Injections, to Protect Customer Records
Last month, the Financial Industry Regulatory Authority announced that it was fining Montana-based broker-dealer D.A. Davidson $375,000 for failing to protect customer information. This shows that protecting servers and educating employees about server design are the best first lines of defense. Davidson did not employ technical safeguards to protect customer records stored in a database housed on a Web server with a constant open Internet connection. In addition to employing code security and a scanner, organizations need a Web application firewall that looks at traffic to and from the server to check for SQL attacks and other vulnerabilities.

IT Knowledge Exchange…
SQL Injection Attack Used in Breach of 168,000 Netherlands Travelers
An attacker has discovered a serious flaw in a website set up to encourage the use of smart cards for public transportation in the Netherlands, resulting in the leakage of personal information of more than 168,000 travelers. Information about the flaw was exposed by an anonymous hacker who gave the magazine a video demonstrating the error using a SQL injection attack. The hacker told the magazine that he made the flaw publicly available because there is no excuse for simple website mistakes.

Andy IT Guy…
Why Compliance is Chosen over Security
In this post, Andy discusses an article by Kevin Beaver about how the business continues to choose compliance over true security even though the security people know that it’s a bad idea. Andy says those who do understand still are not doing a good job translating the danger into a language that the business understands. He says the cost/benefit trade-off is not enough for management to buy—they would rather accept the risk, take the chance and deal with the consequences. Also, there is no guarantee that Security X will prevent a breach but you can be sure that it will quiet possibly break something and/or cause lots of user issues.

Posted in Highlights | Leave a Comment »

Weekly Industry Round-up, Week of 5/10

Posted by hyperguard on May 14, 2010

Study on Security in Cloud Computing Shows Angst, Rogue Users
According to a new study, many IT professionals in Europe and the U.S. acknowledge that cloud computing risks are being ignored by some employees who may already be using cloud services. Those surveyed said that some parts of the organization may be using cloud computing services without their knowledge. More than 50% of respondents in the U.S. said their organization is unaware of all the cloud services deployed in their enterprise. The survey also found that many organizations had a lack of understanding of who is ultimately responsible for ensuring security of data in cloud computing environments.

The Register…
White House Devs Overlooked Drupal Vulnerability
This week, a researcher uncovered a potentially serious vulnerability in the open-source content management system used by the White House website and thousands of other sites. The cross-site scripting (XSS) bug resides in the Drupal Context module, a plug-in that Whitehouse.gov and about 10,000 other sites use to manage how content is viewed on their sites. According to an advisory, the flaw allows attackers to inject malicious scripts into login pages that will reset the site’s administrative password.

Cloud Computing: Security’s Friend and Enemy
At last week’s All About the Cloud conference, Marc Olesen, Senior Vice President and General Manager of McAfee, said the cloud is our friend and our enemy. According to Marc, by attacking cloud security in three ways: security from the cloud, security in the cloud and security for the cloud, there’s a better chance at preventing threats before they cause issues. A recent post by Chris Hoff also looks at these three models. In the cloud refers to security products, solutions and technology deployed within cloud computing environments such as firewalls. For the cloud includes security services that are specifically targeted toward securing other cloud computing services, and are delivered by providers. By the cloud refers to security services delivered by cloud computing services which are used by providers in option #2 which often rely on those features described in option #1. Think of basically any service that brands itself as ‘cloud.’

Posted in Highlights | Leave a Comment »

Strong Passwords for Developers

Posted by hyperguard on May 13, 2010

Came across a new blog this week—EthicalHack.co.uk that we wanted to share with our readers.   It is written by Vishal Garg, and dedicated to application (hacking) security.  A great read, and definitely worth following.

That being said, we wanted to highlight Vishal’s latest post on web application designers and developers choosing strong passwords for web applications.  This topic is usually discussed from the end user’s point of view—not from the developers—and all too many times weak passwords are being implemented.  This in turn requires end users to choose strong passwords, which they tend to be faulty of.  Vishal provides four helpful tips to consider when implementing strong password policies within web applications:

1. Password Complexity

A strong password should contain characters from at least three of the following four categories (although implementing all four would be even better):

  • Upper case letters (A through Z)
  • Lower case letters (a through z)
  • Numbers (0 through 9)
  • Non-alphanumeric characters (e.g. !”£$%^&*@#?+ etc.)

2. Password Uniqueness

A strong password should enforce uniqueness of characters—avoid character repetition, number and character sequences, full or part of the password that is the same as the user name or common dictionary words.

3. Password Length

Password length is directly proportion to the amount of time required to crack the password.  Although the optimum length to hinder most password cracking attempts is considered to be more than 14 characters, but implementing a policy that requires minimum eight characters along with above requirements would still be sufficient to stop most of the attacks.

4. Password Aging and Expiry

Password aging and expiry may be considered for high profile web sites.  But this requirement needs to be considered very carefully.  If implemented poorly, this may prove to be counterproductive; e.g. asking users to change passwords very frequently may prompt them to choose weak passwords (e.g. Password1 – a password meeting first three complexity requirements, but still considered a weak password), or to write their password somewhere.  If considered carefully, strong password implementation policies would prevent users from choosing weak passwords and help prevent compromise of user accounts through brute force attacks.

Posted in Post | Tagged: , , | Leave a Comment »

Weekly Industry Round-up, Week of 5/3

Posted by hyperguard on May 7, 2010

Bank Info Security…
Tippett’s Top 10 Security Predictions
In this post, Peter Tippett, head of Verizon’s information security team says security protection in the next 10 years will become more effective and widespread. Peter shared his 2010 predictions and some of them were quite interesting. Threats will emerge that we haven’t thought of yet, and we will need to find new ways to beat the cyber criminals, but the overall security climate will get better. He also predicts that more security services will become part of the cloud, and many of the basics will be included in the pipe. Software-as-a Service (SaaS) and numerous, diverse cloud services will dominate the software, storage, and computer-platform delivery models. Providers will provide better security features and controls than the current excess of diverse and individually deployed enterprise systems.

Cloud Computing is More Secure than You Think
There has been debate on whether cloud services are sophisticated enough to handle mission-critical applications reliably and securely. Roger Grimes says they are, and choosing one or more cloud service could actually reduce expense and security risks for the average company. He says most of the computer security problems we’ll face in the future will be similar today’s threats, but it will take a new amount of effort to contain the problem and apply the fix.

Rational Survivability…
Dear SaaS Vendors: If Cloud Is The Way Forward & Companies Shouldn’t Spend $ On Privately-Operated Infrastructure, When Are You Moving Yours To Amazon Web Services?
Chris Hoff discusses how Software as a Service (SaaS) vendors often say that infrastructure is irrelevant, and that cloud computing has fundamentally changed the way we consume computing resources. However, many SaaS providers continue to build their software and choose to run it in their own datacenters on their own infrastructure. He feels it is hypocritical for SaaS vendors to convince others to move their software when they haven’t done the same.

Posted in Highlights | Leave a Comment »

Weekly Industry Round-up, Week of 4/26

Posted by hyperguard on April 30, 2010

Ponemon Institute…
eWEEK and Dark Reading discussed two reports issued by the Ponemon Institute this week. The first, commissioned by Imperva and WhiteHat Security, found that 70 percent of the respondents felt their organizations do not allocate sufficient resources to secure critical Web applications. The results show that 73 percent said senior executives were not strongly supporting Web app security efforts. To resolve this issue, communication between security operations and app development teams will need to improve.

The second, sponsored by security vendor PGP, found that a data breach in the United States could cost enterprises twice as other countries because of stringent regulations. In the U.S., where 46 states have introduced laws forcing organizations to publicly disclose the details of breach incidents, the cost per lost record was 43 percent higher than the global average. In Germany, where equivalent laws were recently passed, costs were second highest. In Australia, France, and the U.K., where data breach notification laws have not yet been introduced, costs were all below the average.

Engaging Your Staff in Data Protection
While breaches cannot be eliminated, staff engagement in a data protection program can help reduce risk. For data protected by state or federal laws, such as social security number (SSN), personal credit card numbers (CCN), or protected health information (PHI) there typically legally required notification requirements, and potentially fines. If you are dealing with credit cards, you also have to conform to PCI-DSS, otherwise your merchant status is at risk. To help engage staff in data protection, employees should know processes and understand data classifications. Companies should also think about what messages to send that that will encourage staff to take ownership for protecting the information.

Zero Day…
Serious XSS flaw haunts Microsoft SharePoint
It seems that every week we are hearing about cross-site scripting (XSS) attacks affecting another company. This week, Microsoft’s security response team confirmed the existence of a serious XSS vulnerability in the Microsoft SharePoint Server 2007 product. The vulnerability, which can be exploited via the browser, could allow a malicious hacker to execute arbitrary JavaScript code within the vulnerable application. Microsoft said it was aware of the issue and promised to issue guidance for affected customers.

Posted in Highlights | Leave a Comment »

art of defence Integrates hyperguard with WhiteHat Sentinel

Posted by hyperguard on April 29, 2010

We recently announced a partnership with WhiteHat Security to integrate hyperguard and the WhiteHat Sentinel website vulnerability management service. Enterprises, web hosting and cloud service providers are able to mitigate risk across any production website. Ideal for the unique cloud computing environment, customers can combine WhiteHat Sentinel’s SaaS-based website vulnerability management capabilities with art of defence’s software-based dWAF for a highly-targeted vulnerability remediation solution that enables organizations to obtain quick, easy protection from Web application attacks.

Companies that use both solutions will be able to take advantage of “virtual patching” functionality and mitigate website vulnerabilities quickly, limiting exposure to exploits. Depending on the severity level, administrators of hyperguard are able to implement a specific rule-set suggestion into protection mode immediately or test it first in ‘detect only’ mode. As a result, they always maintain control over hyperguard’s detect or protect settings, preventing accidental blocking of good Web traffic. hyperguard’s entire architecture was carefully designed to ensure that it can be integrated as flexibly and seamlessly as possible into existing security and Web infrastructures, including cloud-based services, with no disruptions or interference in service.

Follow the discussion on Twitter @hyperguard and @Whitehatsec

Posted in Post | Leave a Comment »

Weekly Industry Round-up, Week of 4/19

Posted by hyperguard on April 23, 2010

Around the blogosphere…
There has been a lot of discussion this week around Microsoft’s plans to fix an Internet Explorer 8 cross-site scripting problem. Microsoft will plug a hole in a built-in filter in IE8 that can be used to launch the very types of attacks on Web sites it was designed to help prevent. The company will update the IE cross-site scripting (XSS) filter in June to fix a hole that researchers warned about at last week’s Black Hat Europe conference. The researchers showed how problems with the filter could be used to inject malicious code onto sites including Google, Microsoft’s Bing search site and Twitter. Check out articles on this issue at CNET, Computerworld and ZDNet.

eSecurity Planet…
Cloud Faces Security Challenges
David Needle discusses whether cloud computing adoption is hurt by security issues, compliance concerns or just a poorly chosen name. These issues were recently raised during a panel on cloud security at the AlwaysOn OnDemand conference. Some of the panelists said the term ‘cloud’ has hurt the concept because it takes a business process and makes it sound “out there.” Others argued that it’s about governance and control issues. Security is a high concern for many companies, but it’s not the only reason they have not moved applications to the cloud yet.

10 Most Dangerous Web App Security Risks
As we mentioned earlier in the week, OWASP announced an update to its list of the most dangerous issues facing Web app developers. This slideshow presents the Top 10 vulnerabilities impacting Web applications and some advice from OWASP as to what Web developers and IT managers can do to stop these security threats.

Posted in Highlights | Leave a Comment »

hyperguard Covers PCI DSS’ New “Un-validated Redirects and Forwards” Risk

Posted by hyperguard on April 21, 2010

You have probably heard that the PCI DSS requirement 6.5 has been impacted by the updated OWASP’s Top 10 Web application risk ranking. Specifically, new risks “security misconfiguration” and “un-validated redirects and forwards” have been added to list. As stated in the PCI DSS standard,

“The vulnerabilities listed at 6.5.1 through 6.5.10 were current in the OWASP guide when this version of PCI DSS [1.2] was published [July, 2009]. However, if and when the OWASP guide is updated, the current version must be used for these requirements.”

We’re not particularly happy with the “security misconfiguration” addition since – at least in the current formulation and examples. This topic appears to be a bit too general, as examples listed in the recommendations also cover hardening of operating systems, which is certainly important but perhaps not in the core of web application security. However, if restricted to applications, hyperguard – configured properly – does protect against the typical attack vectors lists, such as unauthorized access to unused pages or un-patched flaws.

On the other hand, the “un-validated redirects and forwards” is one hyperguard has protected users against for a long time. As our customers know, hyperguard has a proud history of security far beyond OWASP recommendations.

Here’s how you can cover your compliance issues for the new “un-validated redirects and forwards” Top 10 risk:

  1. Use the hyperguard Whitelist Handler and validate all parameters used in URLs. For example the url=evil.com in the request http://www.example.com/redirect.jsp?url=evil.comThe Whitelist Handler validates attributes of HTTP requests (in URLs and also the HTTP Post request body). An argument is ONLY valid if it matches with a regular expression set in the Protected-Form-Fields settings.If the parameters do not match with the existing regular expressions for the protected input fields, the configuration item “allow-unknown-form-fields” can be setup to unconditionally allow them. If this option is not activated, hyperguard will reject the request – with an error code. Unconditionally allowed requests are flagged in the log files, this information can be used by the administrator to further enhance the managed whitelist.
  2. For output checks on redirects, use hyperguard’s Script Handler to define the target of a redirect and to define which domain(s) are permitted.

This will take care of your compliance issue with the “un-validated redirects and forwards” OWASP risk. Our technical team is available for further help with this issue – just email us and we’ll sort out your issues: info@artofdefence.com

Follow this discussion on Twitter @hyperguard

Posted in Post | Tagged: , , , | Leave a Comment »