Hyperguarding your Web Applications

Posts Tagged ‘Web Application Security’

OWASP Updates Top 10 List

Posted by hyperguard on April 19, 2010

Today, OWASP announced an updated list of the top 10 risks associated with the use of web applications in an enterprise. This is the first time the list has been updated since 2007. The report explains these risks to software developers and managers to help organizations better secure their Web applications and services.

OWASP Top Ten List:

  • Injection
  • Cross-Site Scripting (XSS)
  • Broken Authentication and Session Management
  • Insecure Direct Object References
  • Cross-Site Request Forgery (CSRF)
  • Security Misconfiguration
  • Insecure Cryptographic Storage
  • Failure to Restrict URL Access
  • Insufficient Transport Layer Protection
  • Unvalidated Redirects and Forwards

Two risks were removed from the list: malicious file execution, because it has become a less prevalent issue, and information leakage and improper error handling, because its impact is typically minimal.

Security misconfiguration and unvalidated redirects and forwards are new to the list. Security misconfiguration was added because good security requires a secure configuration to be defined and deployed for the application, frameworks, application server, web server, database server and platform. According to OWASP, all of these settings should be defined, implemented and maintained, since many components do not ship with secure defaults; this includes keeping all software up to date.

Unvalidated redirects and forwards were added because Web applications frequently redirect and forward users to other pages and websites, and use untrusted data to determine the destination pages. Without proper validation, attackers can redirect victims to phishing or malware sites, or use forwards to access unauthorized pages.
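As an added illustration of the redirect risk described above (example code written for this page, not OWASP's or hyperguard's), here is the weak pattern next to a hardened version that confines the destination to an allow-list; the allow-listed hosts and site root are constructed placeholder values, and the normalisation mirrors how browsers treat tabs, newlines and backslashes in URLs.

```python
from typing import Optional
from urllib.parse import urljoin, urlparse

# Hosts this application may send users to. Constructed example values;
# a real deployment lists its own domains here.
ALLOWED_HOSTS = {"shop.example.com", "help.example.com"}
SITE_ROOT = "https://shop.example.com"
DEFAULT_TARGET = "/"


def redirect_unvalidated(next_url: str) -> str:
    """The weak pattern: the request's ?next= value becomes the Location
    header unchanged, so a crafted link can send the victim anywhere."""
    return next_url


def safe_redirect_target(next_url: Optional[str]) -> str:
    """Return a redirect target confined to allow-listed hosts.

    Off-site or malformed input falls back to DEFAULT_TARGET instead of
    raising, so the login flow still completes for the user.
    """
    if not next_url:
        return DEFAULT_TARGET
    # Browsers drop ASCII tab/newline inside URLs and treat backslashes as
    # slashes, so normalise the same way before inspecting the string;
    # otherwise "/\\phish.example" or "/\t/phish.example" would look local.
    candidate = "".join(ch for ch in next_url if ch not in "\t\r\n").strip()
    candidate = candidate.replace("\\", "/")
    if candidate.startswith("//"):
        return DEFAULT_TARGET  # protocol-relative URL: host is attacker-chosen
    parsed = urlparse(candidate)
    if parsed.scheme or parsed.netloc:
        # Absolute URL: only http(s) to a listed host. This also rejects
        # "https:phish.example" (no netloc) and javascript:/data: schemes.
        if parsed.scheme not in ("http", "https") or parsed.hostname not in ALLOWED_HOSTS:
            return DEFAULT_TARGET
        return candidate
    # Path-only value: resolve it against the site root and confirm the host
    # is still ours before handing it back (defence in depth).
    if urlparse(urljoin(SITE_ROOT, candidate)).hostname not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    return candidate
```

The same host check applies to server-side forwards: the page name or path taken from the request should be looked up in a fixed table of permitted destinations rather than used directly.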

The report also includes how to assess the possibility that your Web application could be at risk and offers some mitigation tips. Download the full report here.


Is Progress Being Made as CSA?

Posted by hyperguard on March 10, 2010

The Cloud Security Alliance (CSA) released yet another paper at the RSA conference this year, Top Threats to Cloud Computing. This document relates to the recent CSA paper, Security Guidance for Critical Areas in Cloud Computing, v2, which was updated in December 2009. Since the v2 update and the release of the top threats document, the organization has fallen short of providing the industry with actual use cases that illustrate real deployment scenarios for cloud computing environments, especially for the 13 domains it identified. Enterprises that are planning, or have already made, the leap to cloud computing environments are desperately seeking options to secure their services.

According to a recent Gartner report, organizations will spend more of their IT budget on private cloud computing than on public cloud computing through 2012. As the industry continues to move forward with cloud computing, particularly private cloud, the need for use cases is critical and timely for these companies, and a one-size-fits-all approach will not suffice. Thomas Bittman points out in his blog post, Cloud Computing: Through a Glass, Darkly, that the key to private cloud computing is spending time on the design process and ensuring the architecture gives organizations enough flexibility to adjust as needed. This couldn’t be any truer from a security standpoint, and it is even more of a reason for a use-case paper.

Follow this discussion on Twitter @hyperguard


Top Security Perils When Moving an Application to the Cloud: Web App Security Challenges

Posted by hyperguard on January 4, 2010

Moving along with our series, we’ve identified general web app security challenges as our fourth peril. Because internal users were trusted, the application was never subjected to security source code reviews or security vulnerability tests of any kind. The challenges mentioned so far are common issues listed in the OWASP Top 10. Other vulnerabilities are very likely to be present as well, such as Cross-Site Scripting, along with many more that have not made the OWASP Top 10 yet. Regular source code audits and vulnerability assessments, together with the use of embedded or external WAFs, can prevent these vulnerabilities.

Follow the discussion on Twitter @hyperguard.


Top Security Perils When Moving an Application to the Cloud

Posted by hyperguard on December 28, 2009

Hyperguarding your Web Applications is starting a series of posts showing you the top security perils of forcing applications onto the cloud that weren’t specifically designed for it.

Here’s a typical situation: applications are built from the ground up, using programming languages such as PHP, Java or .NET, by an internal development team or a third-party vendor with the notion of ‘For Internal Use Only’ in mind. Development teams generally assume that users can always be trusted, that the application will be used ‘as intended’ and that all information (i.e. user data) and content (i.e. product data from databases or ERP systems) come from safe and secure sources. Until now, there have never been security issues with these applications.

As cloud computing becomes more favorable among companies, they are forcing their applications out of the internal network into the cloud, leaving them vulnerable to Web threats. If the application, or parts of it, is moved into the cloud, there is typically less security within the infrastructure and many more users accessing it. As a result, vulnerabilities surface and hacks occur.

Every few days we will post typical challenges enterprises face when moving an application to the cloud, so check back often.

Follow the discussion on Twitter @hyperguard.


67 Days to Fix a Serious Web Vulnerability?

Posted by hyperguard on November 16, 2009

We recently heard some startling information—WhiteHat reported it takes the industry an average of 67 days to fix Cross-Site Scripting (XSS) issues! They shared this fact during a presentation revealing research on the progress companies are making in Web application security.

According to Jeremiah Grossman, WhiteHat found that 83% of websites have had at least one serious vulnerability, and 64% of websites currently have at least one serious vulnerability, the most prevalent being XSS. Although awareness of XSS is building and organizations know how to fix it, Jeremiah says it still takes time to resolve the issue. If an organization has a vulnerability for 67 days, it can create a downturn for the website or a loss in revenue. Why is it difficult for some companies to resolve vulnerabilities quickly? This can happen for a number of reasons: the code is old and no one currently at the organization can maintain it, the code was outsourced, or the flaw does not cause a compliance violation and so gets overlooked.

The presentation went on to say that only 30 to 60% of vulnerabilities ever get fixed. Although there is awareness of web application problems, not enough is being done about them. Imagine how an ecommerce site would suffer during the holiday season if it had a web vulnerability for 67 days! This is a common issue and one the cloud computing industry is particularly susceptible to. One of the major uses for cloud services right now is overflow capacity during holidays and other abnormally high web traffic periods. This is why we have made hyperguard SaaS for Amazon Web Services available: to allow companies to extend protection into the cloud.


Weekly Industry Round-up: Week of November 9th

Posted by hyperguard on November 13, 2009

Around the Blogosphere…
This week we’ve been on the ground at the OWASP AppSecDC Conference, where the Top 10 Most Critical Web Application Security Risks have been made available as a release candidate. The new top 10 is about risks, not just vulnerabilities. Our friend Jeremiah Grossman shared the OWASP document and posted comments live from the show. It will be interesting to see how these new risks will affect the industry, including PCI compliance and the Cloud Security Alliance. Check out #OWASP for real-time commentary.

Dark Reading…
New Security Certification On The Horizon For Cloud Services
Writer Kelly Jackson Higgins speaks with Jim Reavis, co-founder and executive director of the Cloud Security Alliance, about the need for security certification of cloud security service providers. Some providers currently rely on SAS 70 and ISO 27001, but experts say neither is sufficient to assure potential cloud customers that the provider has deployed proper security or that their data is sufficiently locked down. According to Reavis, we should expect the industry to move forward with this certification around the first quarter of 2010.

SearchSecurity.com…
Web Application Vulnerability Assessment Shows Patching Progress
In this article, Robert Westervelt discusses how companies are making progress in Web application security. The latest research by WhiteHat Inc. found a 61% vulnerability resolution rate, a slight increase. There is still much work to be done, since 64% of websites contain at least one serious vulnerability. WhiteHat is now focusing on figuring out what works for the companies that resolve the most serious vulnerabilities quickly.

Dark Reading…
Cost, Strength Of Security Drive Users Toward SaaS Offerings
Using an excerpt from Dark Reading’s report, “Security Software as a Service: Navigating The New MSSP Landscape”, Charlotte Dunlap investigates the pros and cons of security SaaS and provides tips on choosing the right provider. She also cites an interesting study conducted by Infonetics Research: 81 percent of respondents said improving the strength of the enterprise’s security is the No. 1 reason for moving to the SaaS model. Other top reasons cited: cost, time to deploy, and centralized management. One key point: 82 percent of those surveyed plan to use SaaS offerings to augment, not replace, their existing security deployments. This is a great overview of businesses’ perceptions of SaaS and their intent to move to the cloud. For more information on this topic, download Dark Reading’s report here.

SC Magazine…
Vulnerability Assessment Integration with Web Application Firewalls
This article by Jeremiah Grossman discusses how, even for proactive organizations, finding and fixing flaws in website code is a complex, time- and resource-intensive task. He provides a must-have checklist for organizations that includes production-safe scanning, accuracy, a precise reporting format, assessment repeatability, WAF/IDS SSL support, and flexible and actionable rules. It would be ideal if 100 percent secure code could be developed, but until then, Jeremiah says, integrating website vulnerability assessment with Web application firewalls gives IT security professionals control over website security. Having the right solution can noticeably improve how an organization handles and overcomes web vulnerabilities.


dWAF as SaaS available through AWS

Posted by hyperguard on November 10, 2009

Today we announced hyperguard SaaS, the industry’s first dWAF offered as SaaS through Amazon Web Services (AWS). AWS customers or solution providers can protect applications by deploying hyperguard SaaS either as a software plug-in to an existing web server Amazon Machine Image (AMI), or by using AoD’s custom AMI. The solution addresses the limitations of traditional WAFs when they are forced to secure cloud applications, which they were not specifically designed for.

It is highly scalable and ideal for virtualized resources: AoD hosts the resource-heavy pieces of the dWAF on Amazon EC2 and leaves only a small footprint on the customer’s AMI. hyperguard therefore scales simply with the number of web server AMIs running the protected application, without any need to purchase additional AMIs. This allows customers to pay on a use-case basis and avoid investing in resource-intensive solutions.

hyperguard SaaS provides monitoring, detection-only and protection modes for web application security. For additional information, or to test the service for free, go to http://aws.artofdefence.com.


60 Minutes & IT Security???

Posted by hyperguard on November 9, 2009

Yes, last night CBS (Steve Kroft) looked at IT threats to the government and public infrastructure. Stories most of us know by heart (the electrical grid, government networks, etc.) were covered quite well. Lots of people are talking about the importance of mainstream media finally looking at this issue, the Data Security Podcast for example.

There have been discussions of tainted thumb drives used by government employees; however, the application side is much more of an issue, particularly with major systems looking at cloud computing as a way to reduce the cost of running them. Web application security is at the heart of this issue.

Security is, and has always been, about layers, and this is underlined by applications being moved to the cloud. Traditional software is exposed like never before and often cannot be patched ‘in real time’ to meet actual security needs. One layer that fills this void is a WAF. Rather than a replacement for secure development, a WAF is able to defend the cloud application until a patch can be written, tested and deployed.


Reaction to SearchSOA.com: Common WebAppSec exploits

Posted by hyperguard on September 17, 2009

Great article on the 16th from SearchSOA.com by Rob Barry. He interviews a developer at Mozilla Labs, Joe Walker, about a few of the OWASP Top 10 and how to develop around them. Walker’s focus as a developer is on creating, patching and managing security threats to apps. What’s missing from Barry’s article, however, is the incredible pain this approach causes companies right now.

Refactoring code once it’s in use (particularly WebApps and cloud services) is incredibly expensive, time consuming and difficult. Source code scanners play a role in easing some of this pain, although web application firewalls (WAFs) are a much more practical fix, and linking the scanner software directly to the WAF cuts down the need for application downtime.

If done right, the scanner detects software vulnerabilities and feeds any findings directly into the WAF. For our distributed WAF (dWAF) solution, hyperguard, all security lapses identified by a scanner are immediately presented to the administrator through dynamic ruleset suggestions. Conflicting dWAF rulesets, which may leave holes in web application shielding, are prevented. In plain English, this means that development, testing and deployment of new application security policies can happen in real-time without ever relaxing the established defenses or risking false positives. ‘Patches’ are applied through the dWAF until regular maintenance cycles can be scheduled to refactor the actual application code.


Jeremiah’s Right about Scalability

Posted by hyperguard on September 1, 2009

I recently read Web security is about scalability, a very interesting post by Jeremiah Grossman of White Hat Security. He discusses the importance of scalability in overcoming today’s Web security challenges. I would like to add some of my thoughts.

It has taken the industry over 10 years to realize that when dealing with Web application vulnerabilities, it must also deal with the scalability issues these applications face, and that this needs to happen in parallel with normal security testing. Jeremiah highlights the incredible scale involved today:

“Consider that there are 240+ million websites, millions more added every month, an unknown number of Intranet Web applications, 17+ million developers, and over one billion people on the Web. Any solution capable of making a real difference must be valued by its potential worldwide impact.”

Testing a web application on a single system (which is how most are tested before being sent out into the world) without taking scalability into account is costly. Once that application hits its performance limit, it usually means a redesign and rewrite of core elements to make it more scalable, which changes how and what is important to test. Think of the OWASP top 10 on Jeremiah’s scale!

Cluster computing, or cloud computing, offers a far more practical way to develop, test and scale web applications.

Flip the coin to protecting the applications once they’re live and in action, and Jeremiah’s scalability point becomes painfully apparent. Web application firewalls (WAFs) are the industry standard for this purpose; however, they are predominantly hardware. Hardware doesn’t scale: you have to buy another box. More boxes mean more resource drain, fewer virtualized resources, and so on.

The article Jeremiah references in his post (check here for the white paper) outlines my view of what the market needs from a WAF.
