Hyperguarding your Web Applications

Posts Tagged ‘OWASP’

hyperguard Covers PCI DSS’ New “Un-validated Redirects and Forwards” Risk

Posted by hyperguard on April 21, 2010

You have probably heard that the PCI DSS requirement 6.5 has been impacted by the updated OWASP’s Top 10 Web application risk ranking. Specifically, new risks “security misconfiguration” and “un-validated redirects and forwards” have been added to list. As stated in the PCI DSS standard,

“The vulnerabilities listed at 6.5.1 through 6.5.10 were current in the OWASP guide when this version of PCI DSS [1.2] was published [July, 2009]. However, if and when the OWASP guide is updated, the current version must be used for these requirements.”

We’re not particularly happy with the “security misconfiguration” addition since – at least in the current formulation and examples. This topic appears to be a bit too general, as examples listed in the recommendations also cover hardening of operating systems, which is certainly important but perhaps not in the core of web application security. However, if restricted to applications, hyperguard – configured properly – does protect against the typical attack vectors lists, such as unauthorized access to unused pages or un-patched flaws.

On the other hand, the “un-validated redirects and forwards” is one hyperguard has protected users against for a long time. As our customers know, hyperguard has a proud history of security far beyond OWASP recommendations.

Here’s how you can cover your compliance issues for the new “un-validated redirects and forwards” Top 10 risk:

  1. Use the hyperguard Whitelist Handler and validate all parameters used in URLs. For example the url=evil.com in the request http://www.example.com/redirect.jsp?url=evil.comThe Whitelist Handler validates attributes of HTTP requests (in URLs and also the HTTP Post request body). An argument is ONLY valid if it matches with a regular expression set in the Protected-Form-Fields settings.If the parameters do not match with the existing regular expressions for the protected input fields, the configuration item “allow-unknown-form-fields” can be setup to unconditionally allow them. If this option is not activated, hyperguard will reject the request – with an error code. Unconditionally allowed requests are flagged in the log files, this information can be used by the administrator to further enhance the managed whitelist.
  2. For output checks on redirects, use hyperguard’s Script Handler to define the target of a redirect and to define which domain(s) are permitted.

This will take care of your compliance issue with the “un-validated redirects and forwards” OWASP risk. Our technical team is available for further help with this issue – just email us and we’ll sort out your issues: info@artofdefence.com

Follow this discussion on Twitter @hyperguard

Advertisements

Posted in Post | Tagged: , , , | Leave a Comment »

OWASP Updates Top 10 List

Posted by hyperguard on April 19, 2010

Today, OWASP announced an updated list of the top 10 risks associated with the use of web applications in an enterprise.  This is the first time the list has been updated since 2007. The report explains these risks to software developers and managers to help organizations better secure their Web applications and services.

OWASP Top Ten List:

  • Injection
  • Cross-Site Scripting (XSS)
  • Broken Authentication and Session Management
  • Insecure Direct Object References
  • Cross-Site Request Forgery (CSRF)
  • Security Misconfiguration
  • Insecure Cryptographic Storage
  • Failure to Restrict URL Access
  • Insufficient Transport Layer Protection
  • Unvalidated Redirects and Forwards

Two risks were removed from the list—malicious file execution because it has become a less prevalent issue and information leakage and improper error handling because its impact is typically minimal.

Security misconfiguration and un-validated redirects and forwards are new to the list. Security misconfiguration was added because good security requires having a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. According to OWASP, all these settings should be defined, implemented, and maintained as many are not shipped with secure defaults—this includes keeping all software up to date.

Un-validated redirects and forwards were added because Web applications frequently redirect and forward users to other pages and websites and use un-trusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites or use forwards to access unauthorized pages.

The report also includes how to assess the possibility that your Web application could be at risk and offers some mitigation tips. Download the full report here.

Posted in Post | Tagged: , , | Leave a Comment »

External Hacks are More Serious than You Think

Posted by hyperguard on February 3, 2010

If you really look at security breaches you will notice that the vast majority are caused from the outside—not the inside.  Security experts and industry personnel have led us to believe that disgruntled employees, misplaced documents, flash drives and devices and sheer management policies are more prevalent than hackers.  Well guess again.  We spoke to art of defence’s Sebastian Haase on this and he shared with us that this is not necessarily the case.  Yes—internal breaches do occur and they are serious, but so are external hacks, particularly those to the web application layer.  If you look at Jeremiah Grossman’s presentation, Web Vulnerabilities Revealed: What everyone knew, but afraid to believe, you will read startling web vulnerabilities statistics based on the OWASP Top Ten and realize that these weakness are clear openings for hackers.

According to Jeremiah’s presentation, 9 out of 10 websites have serious vulnerabilities and sites with urgent, critical or high severity issues will not pass PCI compliance—a major concern for financial services, retail and e-commerce.  Another consideration to think about is the amount of time it takes to fix vulnerability—67 days!  This known weakness heightens the situation for companies and increases the chance of a severe breach.  It is important to shield applications from web vulnerabilities with a distributed web application firewall (dWAF) and protect against widespread external hacks.

Follow this conversation on twitter @hyperguard

Posted in Post | Tagged: , , , , | 1 Comment »

WAF in the Cloud

Posted by hyperguard on January 22, 2010

Fellow OWASP member, Ofer Shezaf, recently presented at a chapter meeting, and gave an overview of how WAFs interact with cloud computing—both using the cloud and protecting cloud based applications.  During his presentation he discussed the following scenarios:

  • Enterprise Security Gateway
  • WAF as a service: For protecting a data center or SaaS
  • WAF for a cloud deployment: Host Based or Infrastructure Based
  • WAF stubs

Mentioned in his presentation and also in an earlier post, Ofer notes that the two challenges facing WAFs in the cloud are bandwidth and complexity, however, art of defence has tacked these problems with hyperguard and meets XIOMs definition of a true WAF.

Ofer mentions hyperguard SaaS for AWS within his presentation, and notes that many well-known WAFs are actually lacking simply at signatures and hardly true WAFs.  What is considered a true WAF for the cloud?

Xiom is a great source of information for WAFs and resource to our readers, check out Ofer’s blog at http://www.xiom.com/ and view his entire presentation under our ‘Resources’ tab

Follow this discussion on Twitter @hyperguard

Posted in Post | Tagged: , , | Leave a Comment »

OWASP Top 10 Release Candidate 2010— OWASP Podcast Interview

Posted by hyperguard on November 25, 2009

On episode 54 of the OWASP podcast, OWASP chapter head for Germany, Georg Hess and CEO and co-founder of art of defence speaks with Matt Tesauro at the OWASP’s AppSecDC show on the top 10 release candidate 2010 and the impacts it will have on the industry.

Listen here for OWASP insight on the release candidate.

Posted in Post | Tagged: , , , | Leave a Comment »

Weekly Industry Round-up: Week of November 9th

Posted by hyperguard on November 13, 2009

Around the Blogosphere…
This week we’ve been on the ground at the OWASP AppSecDC Conference, where the Top 10 Most Critical Web Application Security Risks have been made available as a release candidate.  The new top 10 is about risks, not just vulnerabilities.  Our friend, Jeremiah Grossman shared the OWASP document and posted comments live from the show.  It will be interesting to see how these new risks will impact the industry—such as PCI compliance and the Cloud Security Alliance.  Check out #OWASP for real time commentary.

Dark Reading…
New Security Certification On The Horizon For Cloud Services
Writer, Kelly Jackson Higgins speaks with Jim Reavis, co-founder and executive director of the Cloud Security Alliance about the need for security certification for cloud security service providers.  Some are currently using SAS 70 and ISO 27001, but experts say neither is sufficient for providing potential cloud customers with assurances that the provider has deployed proper security or that their data is sufficiently locked down.  According to Reavis we should expect the industry to move forward with this certificate around the first quarter of 2010.

SearchSecurity.com…
Web Application Vulnerability Assessment Shows Patching Progress
In this article, Robert Westervelt discusses how companies are making progress in Web application security. According to the latest research by WhiteHat Inc., they found a 61% vulnerability resolution rate, which is a slight increase. There is still much work that needs to be done since 64% of websites contain at least one serious vulnerability. WhiteHat is now focusing on figuring out what works for companies that are resolving the most serious vulnerabilities quickly.

Dark Reading…
Cost, Strength Of Security Drive Users Toward SaaS Offerings
Using an excerpt from Dark Reading’s report, Security Software as a Service: Navigating The New MSSP Landscape”, Charlotte Dunlap investigates the pros and cons of security SaaS and provides tips on choosing the right provider.  She also cites an interesting study conducted by Infonetics Research— 81 percent of respondents said improving the strength of the enterprise’s security is the No. 1 reason for moving to the SaaS model.  Other top reasons cited: cost, time to deploy, and centralized management.   One key point: 82 percent of those surveyed plan to use SaaS offerings to augment, not replace, their existing security deployments.  This is a great overview of businesses’ perceptions of SaaS and their intent to move to the cloud.  For more information on this topic, download Dark Reading’s report here.

SC Magazine…
Vulnerability Assessment Integration with Web Application Firewalls
This article by Jeremiah Grossman discusses how even for proactive organizations, finding and fixing flaws in website code is a complex, time and resource intensive task. He provides a must-have checklist for organizations that includes production-safe scanning, accuracy, a precise reporting format, assessment repeatability, WAF/IDS SSL support and flexible and actionable rules. It would be ideal if a 100 percent secure code was developed, but until then Jeremiah says the integration of website vulnerability assessment and Web application firewalls allow IT security professionals to have control over website security. Having the right solution can noticeably improve how an organization handles and overcomes web vulnerability.

Posted in Highlights | Tagged: , , | Leave a Comment »

Weekly Industry Round-up: Week of November 2nd

Posted by hyperguard on November 6, 2009

Online Security Authority…
Building Security Into Your Organizations Web Applications to Begin With
This post discusses the importance of Web application protection being the chief component in the Web application development process and having it integrated from the ground up. It suggests the essential trick is a modification of attitude and awareness among the company software developers. Security imperfections should be viewed as only another category of application defect. During the entire process of software development, the focus must be on addressing the ever-changing potential for deficiencies, and the perception of new vulnerabilities and exploitation strategies.

CIO…
Six Steps to Pull App Security Back to the Future
Bill Brenner speaks with fellow OWASP member Matt Fisher about some of the key problems with app security today and together they drive in to six different ways to change these. Bill wrote this article in conjunction with the upcoming OWASP show, AppSecDC. This is a great read; provides helpful background information and links to other app security articles.

Dark Reading…
Tech Insight: Managing Vulnerability In The Cloud
Writer, Curt Franklin explores the common issue, how do you manage vulnerabilities in your IT infrastructures when it is in the cloud? Although this is in your provider’s hand, Curt provides readers with some best practices and tips for controlling it.

Posted in Highlights | Tagged: , , , , | Leave a Comment »

OWASP AppSecDC

Posted by hyperguard on October 16, 2009

It’s getting closer to OWASP’s AppSecDC show, Nov 10-13, and this year’s show will feature the announcement of an updated Top 10 web vulnerabilities list for the first time since 2007. This list impacts the entire WebAppSec industry and there are a number of interesting effects anticipated here.

How will these updates impact PCI-DSS which is currently in the process of redefining requirements for a virtualized market? The OWASP Top 10 forms an important part of PCI so any updates are sure to have an impact.

What impact will this have on the Cloud Security Alliance’s (CSA) guidelines for the industry? Again, they factored the Top 10 in predominantly. The CSA is preparing an update of these guidelines before the end of the year. Our Alex Meisel is contributing heavily this time around to the WAF section.

If you’re going and would like to meet up with Art of Defence’s Georg Hess, leave a comment and we’ll get you on his calendar.

Hope to see you in DC!

Posted in Post | Tagged: , | Leave a Comment »

Exposed to XSS? Regain Your Composure (and Security)

Posted by hyperguard on September 22, 2009

I recently read a very interesting article, Tech Insight: XSS Exposed, by Dark Reading’s John Sawyer. He discusses how a cross-site scripting (XSS) attack can steal a user’s credentials, exploit their Web browsers and take action on their behalf without their knowledge. I wanted to add some of my thoughts on this article and share ways users can prevent and protect themselves against these attacks.

As stated in the article, XSS is always caused by missing input validation, the place where hyperguard comes into play. It scans every request (and therefore every user input) for malicious code that wants to be stored or executed. When a user is tricked into clicking a link containing XSS, the request is denied by the distributed web application firewall (dWAF) and the script will not run. Also, the script will not get stored into a database if the dWAF prohibits the request with the data from entering the web application. The problem with persistent XSS is that it is typically done on a prepared site that has bait for the victim, resulting in running malicious code.

The mechanism behind the protection that hyperguard delivers is easy and contains blacklist rules. These patterns know what an XSS looks like and causes the dWAF to deny the request. The second and more secure approach is to whitelist all input in the application. This is more work, but it helps to create a very secure web application, where every user input is validated. XSS attacks can take on many forms so you should never trust input from users.

In John’s article, he mentions OWASP’s XSS Prevention Cheat Sheet, which provides detailed information on when and where encoding should be done. XSS attacks should be taken seriously because they do happen often and can be very costly for businesses. It is important to take the necessary steps to prevent them and learn how to protect yourself if they do occur.

Posted in Post | Tagged: , , , | Leave a Comment »

Reaction to SearchSOA.com: Common WebAppSec exploits

Posted by hyperguard on September 17, 2009

Great article on the 16th from SearchSOA.com by Rob Barry. He interviews a developer at Mozilla Labs – Joe Walker – about a few of the OWASP Top 10 and how to develop around them. Walker’s focus as a developer is on creating / patching / managing security threats to apps. What’s missing from Barry’s article, however, is the incredible pain this approach causes companies right now.

Refactoring code once it’s in use (particularly WebApps and cloud services) is incredibly expensive, time consuming and difficult. Source code scanners play a role in easing some of this pain, although web application firewalls (WAF’s) are a much more practical fix, AND, linking the scanner software directly with the WAF cuts down the need for application downtime.

If done right, the scanner detects software vulnerabilities and feeds any findings directly into the WAF. For our distributed WAF (dWAF) solution, hyperguard, all security lapses identified by a scanner are immediately presented to the administrator through dynamic ruleset suggestions. Conflicting dWAF rulesets, which may leave holes in web application shielding, are prevented. In plain English, this means that development, testing and deployment of new application security policies can happen in real-time without ever relaxing the established defenses or risking false positives. ‘Patches’ are applied through the dWAF until regular maintenance cycles can be scheduled to refactor the actual application code.

Posted in Post | Tagged: , , , , | Leave a Comment »