Application Security Services: When To Use Professional Services

Have you ever identified an urgent need for a security fix, but lacked a qualified team member to do it? Have you ever been handed a schedule so ambitious that it’s not physically possible for your team to complete it? Is it sometimes easier to get a temporary budget increase than to add a permanent headcount? These are all scenarios that cry out for application security services from Cenzic’s Professional Services Team. While most people know that Cenzic Managed Cloud includes our experts who will run application vulnerability scans for you and report back the results, that’s just the tip of the Cenzic Professional Services iceberg.

Here are some recent examples of customers making novel and valuable use of Cenzic Professional Services.

  • A Fortune 100 Commercial Banking and Services company with more than $100 Billion in Assets needed to quickly begin scanning 110 applications. Cenzic Professional Services did a custom onboarding engagement, training each app traversal so that the Bank’s IT Security Analysts could then run scans themselves using Cenzic Enterprise software. This met their timeline needs, and kept the scanning results in-house, per their corporate policy.
  • A global NGO with thousands of web sites needed a Methodology Assessment of their security posture, and real-world training of their developers to minimize vulnerabilities in code. Cenzic Professional Services did a 3-day engagement with their application developers. Cenzic PS reviewed with them the 10 most common vulnerabilities in the wild, finding examples in their production applications. Cenzic PS demonstrated on a live demo site how a hacker could exploit those specific types of vulnerabilities, then reviewed coding best practices to completely eliminate said vulnerabilities.
  • A high technology company with a mobile application which accessed sensitive customer data, didn’t know how to assess it for vulnerabilities. Cenzic Mobile Scan service performed a dynamic analysis by placing a proxy in the line to the mobile app, which allowed technicians to replay various attacks and coupled it with a thorough forensic analysis of the application on the device to identify vulnerabilities that exposed customer data.
  • A Health Maintenance Organization needed a deep scan of a new application on a tight development schedule to ensure compliance. Cenzic PS performed Manual Penetration testing along with the comprehensive vulnerability scanning to provide a very thorough scan which could suffice for any compliance or audit need.

Keep in mind that your goal is online security, and there are many ways to achieve that goal whether it is self-service, managed services, or a hybrid in between. Cenzic experts would love to help.

Any Way You Measure Them, Applications Fall Short On Security

Two major studies find that vulnerabilities are prevalent and persistent

By Bala Venkat


For years now, security experts have been singing the same song: that security must be “baked” into the development process, and that the most common vulnerabilities are usually not the new and scary ones, but those that have been around for a long time.

The song remains the same. But it appears that many developers still aren’t listening.

In the last few weeks, major research reports have revealed strikingly similar conclusions: that security vulnerabilities in applications are the norm, and that they are usually the same flaws that have been found and exploited for years.

Here at Cenzic, our newly-published Cenzic Application Vulnerability Trends Report 2013 shows that security flaws are prevalent not only in most applications, but in nearly all of them. Of the applications we tested last year, 99 percent contained one or more serious bugs. The median number of bugs per app was 13 in 2012 — down from 16 in 2011, but still remarkably high.

What’s even more remarkable is that these vulnerabilities are not the product of some great leap in technology – they are the same bugs we have been finding for years. Cross-site scripting (XSS) vulnerabilities – which have been around for years and are frequently exploited — appear in 61% of applications, followed by Authentication and Authorization (45%), Web Server Configuration (28%), CSRF (22%), Information Leakage (17%), SQL Injection (16%), Web Server Version (10%), Unauthorized Directory Access (8%) and Remote Code Execution (3%).

While most vulnerabilities have declined slightly in the last year, the pace of improvement is glacial. Vulnerabilities still exist in almost all legacy applications and new applications. And emerging cloud and mobile applications increase the complexity of the problem. Moreover, the threats from these vulnerabilities continue to evolve as bad actors experiment with new and different attack strategies. While a great deal of time and money has been spent on secure software development over the last few years, the situation simply is not getting better.

This week, application security firm Veracode published its State of Software Security Report Volume 5, and although the numbers were different, it confirms our own findings. Veracode found that 70 percent of enterprise applications failed to comply with the organization’s security policies on their first submission to scanning – very similar to the frequency of failure it has recorded in past years.

Also similar to our Trends Report, Veracode found that most of the vulnerabilities found were those that have been known for years. For example, nearly a third (32 percent) of Web applications presented SQL injection flaws from the first quarter of 2011 to the second quarter of 2012, according to the study.

Both of these reports point to a sad truth about application development: despite increasing threats posed by attackers and an increasing frequency of reported breaches, secure software development processes still have not improved radically over the past several years. Today’s enterprises face many of the same vulnerabilities, with approximately the same frequency, as they did two or three years ago.

If there’s a takeaway from these results, it’s that application development processes are in need of a radical change. Our existing methods of identifying flaws in the pre-development phase are only partially effective, and it’s time to rethink these processes from the ground up.

There are many ways to do this rethinking, but one of the most fundamental is the need to shift the application scanning process from a strictly pre-deployment approach to a continuous, consistent process that also scans applications post-deployment and in production.

The fact is that vulnerabilities don’t just happen during original code development. New flaws can be introduced during the patching process, in upgrades, and in customization of code. An application that has been running for a year is as likely – perhaps even more likely – to contain vulnerabilities as an application that is being rolled out for the first time. And many of those flaws will not be new or particularly interesting – they will be the same flaws that have been occurring for years, including XSS, SQL injection, buffer overflows and the like.

It’s time for application developers – and the security auditors who support and scan for vulnerabilities – to really rethink the application testing process. Only through real change will we change the repetitive pattern of vulnerabilities that we continue to see in the industry.

Cenzic Mobile is Named a SIIA Software CODiE Award Finalist!

We’re excited to announce that the Software & Information Industry Association (SIIA) has nominated our Cenzic Mobile service as one of the finalists in its coveted CODiE Awards as the Best Mobile Development Solution! The CODiE awards are renowned in the software and information industries and have been around for 27 years. This recognition of Cenzic Mobile as a finalist is further market validation for Cenzic and Cenzic Mobile’s product innovation, vision, and the industry impact.


Launched a little over a year ago, our Cenzic Mobile service scans and analyzes mobile applications and detects vulnerabilities in critical areas, including input validation, authentication mechanisms, session security, encryption usage and policy compliance. The number of mobile applications developed today is staggering, which presents a new set of security challenges with rapidly changing threat vectors. We recommend that enterprises implement continuous mobile application security assessments to protect and ensure the highest levels of application integrity.

Check out the press release we issued last week and visit SIIA CODiE Awards for the list of finalists in all categories. Member voting is underway as we speak and the award winners will be announced on May 8th.

Cenzic Application Vulnerability Trends Report 2013 Now Available

99% of Tested Applications Have Vulnerabilities

Cenzic’s analysis finds that in 2013 application vulnerabilities are all too common. 99% of tested applications have one or more vulnerabilities. And with a median number of vulnerabilities per app of 13, it’s no wonder that application-level attacks are a focus for bad actors. The full report is available for download at no charge.

Vulnerabilities come in many different forms. The chart below shows that Cross Site Scripting (XSS) continues to be the most common class of application vulnerability.

[Chart: 2013 Application Vulnerability Trends – Summary Statistics: 2013 Application Vulnerability Population]

The chart also shows that many classes of vulnerabilities exist in current applications and pose risks to companies along with their customers, employees and supply chain partners. While the distribution of specific vulnerability classes for 2013 is different than previous years, multiple variants of all classes continue to be detected in production apps.

Based on data collected by the Cenzic Managed Security team, the Cenzic Application Vulnerability Trends Report 2013 shares details about the kind, frequency and severity of vulnerabilities that will be found in production applications in 2013.

The time to act is now. Download the report today and learn about the current application vulnerabilities and risk landscape. And more importantly, use the report and its shocking findings as a motivation to improve your application security posture.

Cenzic Wins 3 Awards at RSA Conference 2013

Cenzic’s goal is to provide customers with solutions that reduce application security vulnerabilities and risks. Over the years, Cenzic has succeeded at this mission and earned industry awards. The most recent recognition came at RSA Conference 2013 where Cenzic earned not one, not two, but three Info Security Global Excellence Awards.

Info Security Products Guide Gold Award

CENZIC MANAGED CLOUD
Best Cloud Security Service

Info Security Products Guide Bronze Award

CENZIC, INC.
Best Overall Security Company of the Year

Info Security Products Guide Bronze Award

CENZIC ENTERPRISE
Best Web Application Security Product

Visit the Info Security Products Guide Awards page to see the list of honorees in all categories.

Info Security Products Guide runs a tough competition. More than 50 judges from a broad spectrum of industry voices from around the world participated, and their average scores determined the 2013 Global Excellence Awards Finalists and Winners.

Cenzic is honored to be recognized by Info Security Products Guide with 3 awards at RSA Conference 2013.

Cybersecurity Executive Order Encourages Data Sharing

On Tuesday, February 12, President Obama signed a long-awaited cybersecurity executive order. The full text of the order is posted to the White House web site.

[Graphic from the White House’s presentation on cybersecurity]

The executive order underscores the importance of protecting the United States’ critical infrastructure and systems from serious cyber risks:

“It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.”

The Department of Homeland Security, the Attorney General, the Director of National Intelligence and others are ordered to improve information sharing about cyber threats between government and industry and establish a framework of cybersecurity best practices that industry would elect to follow. Specific initiatives include:

  • Increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats.
  • Develop a framework of cybersecurity best practices. The National Institute of Standards and Technology (NIST) will head up the process of defining a technology-neutral framework which will be aimed at addressing security gaps faced by both the public and private sectors.
  • Establish a voluntary program to support the adoption of the cybersecurity framework by owners and operators of critical infrastructure and any other interested entities.

The policies outlined in the executive order arose from failed efforts to pass cyber-security legislation last spring. Executive orders do not grant additional powers to federal agencies—that requires legislation. They do, however, define and mobilize how the federal government should act within current legal parameters. In other words, the executive order “describes and encourages” secure practices rather than “legally requires minimum requirements.”

Media coverage by The Hill, The New York Times and InformationWeek shows a mixed opinion about the cybersecurity provisions in the executive order. Many view it as an important step towards securing critical infrastructure from cyber attack. Others point out that outdated practices and insecure systems are allowed to remain in place. What is clear is that there is more work ahead for public and private sector organizations to address current cybersecurity weaknesses.

Some bad actors focus on attacking national infrastructure while others target any web application for profit or just to create havoc. Many attacks are independent of an organization’s brand, size, industry and location. To ensure reliable functioning of your systems and protect your assets, you must take decisive action.

Cenzic specializes in helping businesses improve their security posture, from providing focused assessments of individual applications to comprehensive security monitoring services. Contact Cenzic to speak with a security professional about how you can take important steps to reduce your organization’s cyber risk.

Cybersecurity to Become White House Focus in the New Year

After two attempts earlier this year by the US Congress to pass the Cybersecurity Act of 2012 (CSA 2012), the Executive Branch is taking steps toward a Presidential Cybersecurity Order to protect the country’s digital systems from hackers and spies.

According to The Hill, the Order could be issued as early as January 2013. Politico reported that the White House held meetings with representatives from tech trade associations, the U.S. Chamber of Commerce, privacy groups and think tanks throughout the Fall to hear their recommendations for the Executive Order.

So what might be in the Executive Order? It’s not entirely clear as the Obama Administration has not released a draft at this time. Parties close to the negotiations suggest that the following is possible:

  • The Executive Order will likely resemble the failed CSA 2012
  • The Department of Homeland Security (DHS) will be tasked with identifying the critical infrastructure where a cyber-attack could result in a “debilitating impact on the nation.”
  • DHS and the Office of Management and Budget (OMB) will review the DHS’s report and recommend a “prioritized, risk based, efficient and coordinated set of actions to mitigate or remediate identified cyber risks to critical infrastructure.”
  • A new real-time information sharing program involving the DHS, National Security Administration, and Attorney General.

The Cenzic Web Application Security Blog will continue to track the progress and details of the probable cybersecurity Executive Order.

Mobile Application Security Flaw: Excessive Permissions and Privileges

Excessive permissions and privileges are one of the most common and serious vulnerabilities, and one that is creating a great deal of privacy concern among smartphone users.

Applications with more access are often the target for attackers because of their broad attack surface. Most mobile applications residing on a device have more access permissions and privileges than they require, such as: access to the user’s contact list with update rights and without notifying the user; receiving and sending SMS messages; location (recording the user’s GPS coordinates); and access to other device hardware components such as the camera and microphone.

Best Practices

For developers: Restrict granting excessive permissions and privileges to the application. The application permissions should be limited to only the necessary components which are required for the functionality of the application.

For users: Periodically check the settings on the device and in each application for any excess permissions, and if an application is found to have more access than it requires, revoke those access rights.

Evaluating mobile apps for excessive permission flaws is one of the many features of the Cenzic Mobile service.
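One way to turn the developer and user checks above into a repeatable audit, as an added example that is not Cenzic code: it parses an app’s declared permissions and flags any of the sensitive categories the post lists (contacts, SMS, location, camera, microphone) that the app’s feature list does not justify. It assumes an Android app with an AndroidManifest.xml (the post names no platform); the manifest and the per-feature allowlist are constructed for illustration.

```python
"""Flag declared permissions that exceed what an app's features require."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names for the categories the post calls out as
# commonly over-granted: contacts, SMS, location, camera, microphone.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Constructed manifest for a hypothetical store-locator app whose only
# real needs are network access and coarse location.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.storelocator">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>
"""

# Assumed allowlist: what the app's documented features actually require.
STORE_LOCATOR_REQUIRED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_COARSE_LOCATION",
}


def declared_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission")]


def excessive_permissions(manifest_xml, required):
    """Return (permission, category) for each sensitive permission not in `required`."""
    findings = []
    for perm in declared_permissions(manifest_xml):
        if perm in SENSITIVE and perm not in required:
            findings.append((perm, SENSITIVE[perm]))
    return findings


if __name__ == "__main__":
    for perm, category in excessive_permissions(SAMPLE_MANIFEST, STORE_LOCATOR_REQUIRED):
        print("EXCESSIVE: %s (%s access not justified by features)" % (perm, category))
```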

Mobile Application Security Flaw: Input Validation

Mobile applications entail the same input validation challenges as web application security. Why? Because, just like web apps, mobile apps also use web services (SOAP, REST) and HTTP/S requests to communicate between client and server. So the common vulnerabilities such as cross-site scripting (XSS), SQL injection, command injection, buffer overflow, XML bomb, information leakage, etc. still get discovered consistently in mobile applications during dynamic analysis.


The presence of these vulnerabilities in backend services enables an attacker to propagate malware, cause denial of service or gain access to information that he/she does not have the privileges for. This includes data stored in the application database and possibly credentials for accessing sections of an application requiring higher privileges.

Input Validation Best Practices

Ensure that your application validates all form inputs on both the client and server side and converts scripts and script tags to a non-executable form. Check that any executables on your server do not return scripts in executable form when passed scripts as malformed command parameters. Consider converting JavaScript and HTML tags into alternate HTML encodings, such as “<” to “&lt;”. And as a best practice, avoid excess information disclosure in the event of an error or crash.

Evaluating mobile apps for input validation flaws is one of the many features of the Cenzic Mobile service.
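The best practices above applied to a backend REST endpoint that a mobile client calls, as an added example that is not Cenzic code: server-side allowlist validation that does not trust the client, the “<” to “&lt;” style encoding done explicitly, the vulnerable rendering beside its hardened form, and an error path that returns a generic message instead of internals. The endpoint shape, the JSON field name and the allowlist pattern are assumptions for illustration.

```python
"""Server-side input validation and output encoding for a mobile app's REST backend."""
import json
import re

# '&' is encoded first so entities produced by later replacements are not re-encoded.
_HTML_ESCAPES = [("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"),
                 ('"', "&quot;"), ("'", "&#x27;")]


def html_encode(text):
    """Convert HTML/JavaScript metacharacters to entity form, e.g. '<' to '&lt;'."""
    for raw, entity in _HTML_ESCAPES:
        text = text.replace(raw, entity)
    return text


# Assumed allowlist for a display name: letters, digits, space, underscore; 1-32 chars.
_NAME_RE = re.compile(r"^[A-Za-z0-9_ ]{1,32}$")


def validate_display_name(value):
    """Server-side check; the mobile client may have validated, but never rely on it."""
    return isinstance(value, str) and bool(_NAME_RE.match(value))


def render_greeting_unsafe(name):
    """Vulnerable form: input is reflected straight into HTML (XSS)."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name):
    """Hardened form: same output, but any tags in the input are inert text."""
    return "<p>Hello, " + html_encode(name) + "</p>"


def handle_profile_request(body):
    """Handle a JSON request body; return (status, response) like an HTTP handler would."""
    try:
        data = json.loads(body)
        name = data["display_name"]
        if not validate_display_name(name):
            return 400, json.dumps({"error": "invalid display_name"})
        return 200, render_greeting_safe(name)
    except Exception:
        # Generic message only: no stack trace, file paths or library versions leak out.
        return 500, json.dumps({"error": "request could not be processed"})


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"  # constructed test input
    print(render_greeting_unsafe(probe))   # tag survives: script would execute
    print(render_greeting_safe(probe))     # tag encoded: rendered as text
    print(handle_profile_request('{"display_name": "alice_1"}'))
    print(handle_profile_request('{"display_name": "' + probe + '"}'))
    print(handle_profile_request("not json"))
```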