Hyperguarding your Web Applications


Scanners and WAFs Work Hand-in-Hand

Posted by hyperguard on March 31, 2010

Larry Suto, an application security consultant, recently published a sequel to his widely read 2007 research on web application scanners, which drew much attention from the industry because he claimed that scanners do not perform as well as advertised. In his sequel, Larry elaborates on and updates his initial findings by testing various vendors' solutions, including Acunetix, PortSwigger BurpSuitePro, Cenzic's Hailstorm and NT Objectives' NTOSpider, and found yet again that most web application scanning tools missed vulnerabilities and generated false positives. While Larry's findings are quite interesting, businesses should never rely solely on a single solution.

In this particular instance, we always urge the use of both scanners and WAFs for an added layer of security. In fact, these two technologies are melding together today, as we see from the analyst community, for example Chenxi Wang in her recent report, Web Application Firewall 2010 And Beyond. Stand-alone security solutions are almost nonexistent within the industry today. Ofer Shezaf states in his post, "WAFs are not perfect, but is any security tool perfect?", that no single security solution is sufficient: only combining multiple defense mechanisms provides adequate security, and even that does not imply 100%.



External Hacks are More Serious than You Think

Posted by hyperguard on February 3, 2010

If you really look at security breaches, you will notice that the vast majority are caused from the outside, not the inside. Security experts and industry personnel have led us to believe that disgruntled employees, misplaced documents, flash drives and devices, and sheer management policies are more prevalent than hackers. Well, guess again. We spoke to art of defence's Sebastian Haase on this and he shared with us that this is not necessarily the case. Yes, internal breaches do occur and they are serious, but so are external hacks, particularly those at the web application layer. If you look at Jeremiah Grossman's presentation, Web Vulnerabilities Revealed: What everyone knew, but afraid to believe, you will read startling web vulnerability statistics based on the OWASP Top Ten and realize that these weaknesses are clear openings for hackers.

According to Jeremiah's presentation, 9 out of 10 websites have serious vulnerabilities, and sites with urgent, critical or high severity issues will not pass PCI compliance, a major concern for financial services, retail and e-commerce. Another consideration is the amount of time it takes to fix a vulnerability: 67 days! This known lag heightens the risk for companies and increases the chance of a severe breach. It is important to shield applications from web vulnerabilities with a distributed web application firewall (dWAF) and protect against widespread external hacks.

Follow this conversation on twitter @hyperguard


OWASP Top 10 Release Candidate 2010— OWASP Podcast Interview

Posted by hyperguard on November 25, 2009

On episode 54 of the OWASP podcast, Georg Hess, OWASP chapter head for Germany and CEO and co-founder of art of defence, speaks with Matt Tesauro at OWASP's AppSecDC conference about the Top 10 Release Candidate 2010 and the impact it will have on the industry.

Listen here for OWASP insight on the release candidate.


Weekly Industry Round-up: Week of 11/16

Posted by hyperguard on November 20, 2009

CSO Online…
The Cloud Security Survival Guide
This article by Bill Brenner provides a collection of articles, columns and audio to help IT security practitioners and companies that are increasingly dependent on cloud services. Defining Cloud Security: 6 Perspectives, Cloud Computing: Make the Right Choices, and Why Security Pros Have Their Heads in the Cloud are just some of the pieces worth looking into.

Andy IT Guy…
Building a Security Program from the Ground Up
In this post, Andy asks readers to think about what the first and second things they would implement would be if they were starting a new position and had full say over building a security program. Andy says that if he were in that position, the first thing he would implement is a monitoring system, to have some insight into what is going on. Once that was in place, he would implement a vulnerability management program that starts with application and OS patching and then focuses on scanning, testing, exploiting, etc. As that is being rolled out, he would work on getting a good security awareness training program in place to help users understand the risks. What would you do?

Dark Reading…
Microsoft Report: Worms Rise, New Vulnerabilities Decline
In this article, Kelly Jackson Higgins discusses Microsoft's latest report, which states that worms are on the rise as new vulnerabilities decline. Version 7 of Microsoft's Security Intelligence Report (SIR) found that worms are now the number two threat, behind Trojans. It also found that the total number of reported vulnerabilities across the industry decreased by nearly 30 percent from the second half of 2008, with fewer than 2,500 new vulnerabilities disclosed in the first half of this year versus over 3,000 in the last half of last year.

Tech News World…
Certified Ethical Hacker: Not Your Everyday Job
This post by Ryan Corey discusses how some hackers are in the business of improving security. Certified Ethical Hackers are paid by companies and government agencies to test their computer systems against the sort of attacks "the bad guys" often attempt to pull off. These Certified Ethical Hackers play a serious role in the prevention of malevolent cyberattacks on businesses, government and the military. Because a threat to any network, server or database is always a possibility, the profession of ethical hacking can grow.
