Our blog is moving to Trustwave.com!

In case you missed it, on March 18, we announced that Cenzic has joined the Trustwave family. The acquisition brings together Cenzic’s dynamic application security testing technologies with Trustwave’s cloud-based application, database and network penetration testing and scanning services. The combination will create one of the industry’s broadest integrated security testing platforms, designed to help businesses rapidly identify and address security weaknesses and so reduce their exposure to threats.

Trustwave Chairman and CEO Robert J. McCullen commented on the vision and rationale behind the acquisition:

“This acquisition brings together two security leaders who understand the power automation brings to managing the aggressive and evasive threats we’re seeing today. Cenzic’s highly automated and scalable security testing platform supercharges our ability to deliver integrated testing across a high volume of applications. This acquisition marks another milestone in Trustwave’s strategy to deliver comprehensive, automated and integrated security, compliance and threat intelligence solutions to the industry, all delivered through the cloud.”

You can read the full news release here.

Now that we’re part of the larger Trustwave family, we’ll be blogging at two new locations, but still providing you with the same great insight you’ve come to expect from the original blog. Here is where you can find us now:

  • Trustwave Blog – news and insights, tips and tricks, and other perspectives on a broad range of information security topics, including application security testing.
  • Trustwave SpiderLabs Blog – research and technical analysis from SpiderLabs, Trustwave’s team of ethical hackers, investigators and researchers.

Another great way to engage us is to follow Trustwave’s social media accounts: @Trustwave on Twitter, on LinkedIn and on Facebook. I encourage you to check them out.


Cyber Security Defenses that Address Security Breaches within the Supply Chain

No Enterprise Is An Island — And Cyber Security Defenses Shouldn’t Treat Them Like One

Each year, businesses and government organizations pour millions of dollars into cyber security defenses that are built on a single fallacy: that the enterprise can be defended like a castle. IT and security professionals create strategies that focus only on their own companies, with little or no consideration of the organizations they do business with.

Enter the headquarters of any large enterprise, and you’ll see that it is much more like an open marketplace than a castle. Each day, organizations interact — in person and online — with dozens, even hundreds of other organizations, exchanging data, making transactions, handling logistics, and obtaining needed goods and services. Virtually every enterprise is part of a vast supply chain — an industry or community — that involves many participants. Doing business with others is the very reason that these organizations exist.

Yet, most of these organizations build their cyber security defenses as if they were islands. They buy their own security technology, maintain their own security teams, set their own security policies, and monitor their defenses primarily only for themselves. They do little, if anything, to ensure that their business partners are maintaining effective defenses, or that the interdependent systems and applications of the entire supply chain are completely secure.

Cyber criminals and other attackers understand this weakness. Recent security breaches at Adobe, Facebook, Twitter, and The New York Times all began with compromises not in those enterprises’ own environments, but with breaches of suppliers and partners. One of the largest security breaches in history – one which affected dozens of major retail and financial institutions and millions of consumers – began with the compromise of a single shared payment processor, Heartland Payment Systems. In all of these cases, the cyber security failure took place not in the enterprise’s own defenses, but in its supply chain.

If enterprise security is ever going to improve, organizations must change their mindsets and begin to look beyond their own walls and IT domains. They must go beyond their own internal firewalls, routers and applications and look more closely at the shared infrastructure and applications that make up their lines of business. Just as they track shipments and financial transactions from source to destination, enterprises must track data across organizational borders and monitor the effectiveness of every entity that will handle it. For most organizations, supply chain security should be as important as – if not more important than – enterprise security. This mindset is essential not only in defending critical infrastructure, such as funds transfer networks or electrical grids, but in any industry where businesses rely on each other to operate.

Getting Involved With Partners

One reason that enterprises fail to get involved in supply chain defense is the mistaken belief that they cannot change the way their suppliers and partners maintain their separate defenses. But in most cases, all partners have an equal stake in maintaining security, and there are often regulatory or industry requirements, such as HIPAA in healthcare or PCI DSS for anyone handling payment card data, that provide a strong starting point for inter-organizational communication. Such requirements set a floor, not a ceiling: they are not enough on their own to ensure that data is safe as it passes through the supply chain. Enterprises must also ensure that the applications that handle the data – the underlying software and infrastructure of the supply chain – are free of vulnerabilities as well.

To begin with, organizations should proactively seek ways to certify that their partners’ applications and networks are secure before allowing them to connect to the parent enterprise. Formal industry-level vendor testing programs are still in their infancy, yet there is a growing number of attacks at the application, transport, and network layers. Third-party testing programs and services are among the easiest and most effective ways for an organization to verify that a digital connection is safe before information flows through it.

Ideally, organizations should implement a mandated, holistic security governance initiative with their business partners. In such an initiative, developers would be trained to build security into the entire software development life cycle (SDLC), and software quality assurance and testing would ensure that all code meets the security policies set forth for doing business. Organizations could even put programs and incentives in place to reward development teams for meeting security checks and policies before applications are released into production. And once an application moves into production, security checks should be part of the operating regimen in every network operations center and data center involved in the supply chain.

And it doesn’t stop there. Even when applications are operating effectively and securely, they are under constant scrutiny by attackers looking for vulnerabilities or points of entry. Enterprises along the supply chain should continuously test their applications, monitor their status, and report on potential problems in real time, preferably through third-party certification services. Such regular assessments cannot prove an application is free of every vulnerability, but they help ensure that known weaknesses along the chain are found and fixed promptly, and so reduce the risk of a major breach at any of the partners.

Today’s enterprises have made great strides in organizational cyber security, but as recent breaches attest, they must extend their efforts to encompass those entities with which they interact every day. Only through this sort of broader initiative can they build a defense that is truly effective in protecting their data — and their business.

Bala Venkat is Chief Marketing Officer at Cenzic.

Click here to learn more about the Cenzic Partner and Vendor Application Security Certification program

Top 10 Application Security Predictions for 2014


Did you miss the live webinar: “Top 10 Application Security Predictions for 2014?” No problem. The webinar recording and slides are now available.

2013 is coming to a close but online application threats won’t be taking a holiday. And the smart security professionals? They are preparing for 2014 right now.

Get a jump start on 2014 by watching Cenzic’s on-demand webinar: “Top 10 Application Security Predictions for 2014.” In 45 minutes you’ll learn the top research-grounded predictions from Cenzic’s security team, industry experts and security luminaries, including:

  • WHAT emerging initiatives (e.g., Enterprise App Stores, API proliferation) are most likely to increase appsec risk and what to do about it.
  • WHY Cross Site Request Forgery (CSRF) may be the next exploitation to “go large.”
  • HOW the “Internet of Things” may have a huge impact on application security.

… plus several more predictions.

Prepare for a secure 2014 by watching “Top 10 Application Security Predictions for 2014” now.

Top 7 Strategies for Overcoming IT Talent Shortages


Did you miss the live webinar: “Top 7 Strategies for Overcoming IT Talent Shortages?” No problem. The webinar recording and slides are now available.

What’s the hardest part about securing mobile and web applications? For many IT organizations today, it’s people. The current market environment makes finding, training and retaining the right IT employees challenging.

Challenges or not, you can gain the skills to protect your organization from excessive security risk. Watching “Top 7 Strategies for Overcoming IT Talent Shortages” highlights the proven techniques that maximize security effectiveness of current staff and resources.

This compact, 30-minute recorded webinar by Cenzic’s Chris Harget uncovers the top 7 strategies for overcoming IT talent shortages. Watch on demand and learn:

  • Symptoms your team is short-handed
  • Strategy options for different organization types
  • Tips for marshalling resources for security initiatives

Whether you are a CISO, security professional, network engineer or developer, this on-demand webinar will improve your ability to identify and address IT talent shortages. Watch now!

Top 7 Mobile App Attacks and How To Prevent Them: A CenzicLive! Webinar


Did you miss the live webinar? No problem. The webinar recording and slides are now available.

Here’s your chance to learn about the most common mobile threats and how to protect your organization from malicious attack.


Join Cenzic for a live webinar: “Top 7 Mobile App Attacks and How To Prevent Them” on Tuesday, October 29 at 10 am PDT. During the one-hour session, Sameer Dixit, Cenzic’s Mobile Practice Leader, and Chris Harget, Product Manager, will:

  • Describe why mobile apps are uniquely vulnerable
  • Survey the 7 most common mobile attacks
  • Demo a mobile attack … and its consequences
  • Highlight ways to find mobile app vulnerabilities
  • Lead a lively Q&A session featuring your questions

Please register now for “Top 7 Mobile App Attacks and How To Prevent Them.” We look forward to seeing you there!

National Cyber Security Awareness Month 2013 Focuses on Shared Responsibility

October is National Cyber Security Awareness Month. Throughout the month leaders across industry, government and educational institutions are joining with the National Cyber Security Alliance to highlight the need to “create a safe, secure, and resilient cyber environment.”

Cenzic is a proud champion of National Cyber Security Awareness Month 2013.

“Shared Responsibility” is the theme for this year’s activities. It is up to all of us to make the internet safer and more secure for everyone.

According to Internet World Stats, nearly 2.5 billion people, or 34% of all people on earth, are connected to the Internet. Consumers and businesses enjoy and profit from the convenience of banking from smartphones, shopping from tablets, emailing relatives and connecting with global communities. More people and more applications continue to enrich the online world every day.

As with all large communities, most members are decent, ethical and law-abiding contributors. A few, however, are not. Criminals and other bad actors continue to break into networks and steal corporate or personal information. The risk of cyber threats requires everyone to become more educated on how to protect themselves and others.

Get Involved in National Cyber Security Awareness Month 2013

Here are a few valuable resources to access during National Cyber Security Awareness Month 2013:

Please take advantage of these great materials!