Cenzic Mobile Wins Bronze in Security Software by Network Products Guide!

Posted on by by Bala Venkat

Network Products Guide Honors Cenzic MobileWe’re proud to announce that Network Products Guide has named Cenzic Mobile a winner in its 8th Annual Hot Companies and Best Products Awards! Cenzic Mobile earned the Bronze award in the Security Software category.

The Cenzic Mobile service scans and analyzes mobile applications and detects vulnerabilities in critical areas, such as input validation permissions policies, session security, encryption usage, policy compliance and many others.

Network Products Guide acknowledges that Cenzic is at the forefront of helping organizations secure mission-critical mobile applications that access sensitive information. Many mobile applications are vulnerable to attacks since they connect to databases on the backend. Cenzic’s mobile service provides application developers, security teams and IT operations personnel with insight across all mobile applications and backend services and recommendations for remediation of security risks. Because of its cloud-based delivery method, Cenzic is the only company in the market that can provide complete remote black box testing for mobile applications without requiring source code or binaries.

If you have a mobile application today or are currently in development, contact Cenzic to learn more about Cenzic Mobile

 

    Cenzic Webinar on May 23: Top 10 Ways to Win Budget for Application Security

    Posted on by by Cenzic, Inc.
    Watch Now!

    Did you miss the live webinar? No problem. The webinar recording and slides are now available.

     

    Webinar: May 23. Register Now!

    Join Cenzic for a live webinar on Thursday, May 23 at 11am Pacific (2pm Eastern):  “Top 10 Ways to Win Budget for Application Security.”

    Security analysts and developers often recognize the need for application security tools, but have a hard time making the case to laymen budget holders. Even within IT organizations, existing spending patterns may starve application security. What to do? We will examine common scenarios, real-world examples, and offer data, reasoning and tactics to help you secure the resources you need for better online security.

    Cenzic’s Chris Harget, a 15 year security industry veteran, will lead the webinar. Chris is leaving plenty of time to answer your security and budget-related questions.

    Register now for “Top 10 Ways to Win Budget for Application Security.”

      Application Security Services: When To Use Professional Services

      Posted on by by Chris Harget

      Have you ever identified an urgent need for a security fix, but lacked a qualified team member to do it? Have you ever been handed a schedule so ambitious that it’s not physically possible for your team to complete it? Is it sometimes easier to get a temporary budget increase than add a permanent headcount? These are all scenarios that cry out for application security services from Cenzic’s Professional Services Team. While most people know that Cenzic Managed Cloud includes our experts who will run application vulnerability scans for you, and report back the results, that’s just the tip of the Cenzic Professional Services iceberg.Application Security Services from Cenzic

      Here are some recent examples of customers making novel and valuable use of Cenzic Professional Services.

      • A Fortune 100 Commercial Banking and Services company with more than $100 Billion in Assets needed to quickly begin scanning 110 applications. Cenzic Professional Services did a custom onboarding engagement, training each app traversal so that the Bank’s IT Security Analysts could then run scans themselves using Cenzic Enterprise software. This met their timeline needs, and kept the scanning results in-house, per their corporate policy.
      • A global NGO with thousands of web sites needed a Methodology Assessment of their security posture, and real-world training of their developers to minimize vulnerabilities in code. Cenzic Professional Services did a 3-day engagement with their application developers. Cenzic PS reviewed with them the 10 most common vulnerabilities in the wild, finding examples in their production applications. Cenzic PS demonstrated on a live demo site how a hacker could exploit those specific types of vulnerabilities, then reviewed coding best practices to completely eliminate said vulnerabilities.
      • A high technology company with a mobile application which accessed sensitive customer data, didn’t know how to assess it for vulnerabilities. Cenzic Mobile Scan service performed a dynamic analysis by placing a proxy in the line to the mobile app, which allowed technicians to replay various attacks and coupled it with a thorough forensic analysis of the application on the device to identify vulnerabilities that exposed customer data.
      • A Health Maintenance Organization needed a deep scan of a new application on a tight development schedule to ensure compliance. Cenzic PS performed Manual Penetration testing along with the comprehensive vulnerability scanning  to provide a very thorough scan which could suffice for any compliance or audit need.

      Keep in mind that your goal is online security, and there are many ways to achieve that goal whether it is self-service, managed services, or a hybrid in between. Cenzic experts would love to help.

        Any Way You Measure Them, Applications Fall Short On Security

        Posted on by by Cenzic

        Two major studies find that vulnerabilities are prevalent and persistent

        By Bala Venkat

         

        For years now, security experts have been singing the same song: that security must be “baked” into the development process, and that the most common vulnerabilities are usually not the new and scary ones, but those that have been around for a long time.

        The song remains the same. But it appears that many developers still aren’t listening.

        In the last few weeks, major research reports have revealed strikingly similar conclusions: that security vulnerabilities in applications are the norm, and that they are usually the same flaws that have been found and exploited for years.

        Here at Cenzic, our newly-published Cenzic Application Vulnerability Trends Report 2013 shows that security flaws are prevalent not only in most applications, but in nearly all of them.  Of the applications we tested last year, 99 percent of all applications contained one or more serious bug. The median number of bugs per app was 13 in 2012 — down from 16 in 2011, but still remarkably high.

        What’s even more remarkable is that these vulnerabilities are not the product of some great leap in technology – they are the same bugs we have been finding for years. Cross-site scripting (XSS) vulnerabilities – which have been around for years and are frequently exploited — appear in 61% of applica­tions, followed by Authentication and Authorization (45%), Web Server Configuration (28%), CSRF (22%), Information Leakage (17%), SQL Injection (16%), Web Server Version (10%), Unau­thorized Directory Access (8%) and Remote Code Execution (3%).

        While most vulnerabilities have declined slightly in the last year, the pace of improvement is glacial. Vulnerabilities still exist in almost all legacy applications and new applications. And emerging cloud and mobile applications increase the complexity of the problem. Moreover, the threats from these vulnerabilities continue to evolve as bad actors experiment with new and different attack strategies. While a great deal of time and money has been spent on secure software development over the last few years, the situation simply is not getting better.

        This week, application security firm Veracode published its State of Software Security Report Volume 5, and although the numbers were different, it confirms our own findings. Veracode found that 70 percent of enterprise applications failed to comply with the organization’s security policies on their first submission to scanning – very similar to the frequency of failure it has recorded in past years.

        Also similar to our Trends Report, Veracode found that most of the vulnerabilities found were those that have been known for years.  For example, nearly a third (32 percent) of Web applications presented SQL injection flaws from the first quarter of 2011 to the second quarter of 2012, according to the study.

        Both of these reports point to a sad truth about application development:  despite increasing threats posed by attackers and an increasing frequency of reported breaches, secure software development processes still have not improved radically over the past several years.  Today’s enterprises face many of the same vulnerabilities, with approximately the same frequency, as they did two or three years ago.

        If there’s a takeaway from these results, it’s that application development processes are in need of a radical change. Our existing methods of identifying flaws in the pre-development phase are only partially effective, and it’s time to rethink these processes from the ground up.

        There are many ways to do this rethinking, but one of the most fundamental is the need to shift the application scanning process from a strictly pre-deployment approach to a continuous, consistent process that also scans applications post-deployment and in production.

        The fact is that vulnerabilities don’t just happen during original code development. New flaws can be introduced during the patching process, in upgrades, and in customization of code. An application that has been running for a year is as likely – perhaps even more likely – to contain vulnerabilities as an application that is being rolled out for the first time. And many of those flaws will not be new or particularly interesting – they will be the same flaws that have been occurring for years, including XSS, SQL injection, buffer overflows and the like.

        It’s time for application developers – and the security auditors who support and scan for vulnerabilities – to really rethink the application testing process. Only through real change will we change the repetitive pattern of vulnerabilities that we continue to see in the industry.

          Cenzic Mobile is Named a SIIA Software CODiE Award Finalist!

          Posted on by by Cenzic

          We’re excited to announce that the Software & Information Industry Association (SIIA) has nominated our Cenzic Mobile service as one of the finalists in its coveted CODiE Awards as the Best Mobile Development Solution! The CODiE awards are renowned in the software and information industries and have been around for 27 years. This recognition of Cenzic Mobile as a finalist is further market validation for Cenzic and Cenzic Mobile’s product innovation, vision, and the industry impact.

           

           codie logo

          Launched a little over a year ago, our Cenzic Mobile service scans and analyzes mobile applications and detects vulnerabilities in critical areas, including input validation authentication mechanisms, session security, encryption usage and policy compliance. The number of mobile applications developed today is staggering, which presents a new set of security challenges with rapidly changing threat vectors. We recommend that enterprises implement continuous mobile application security assessments to protect and ensure the highest levels of application integrity.

          Check out the press release we issued last week and visit SIIA CODiE Awards for the list of finalists in all categories. Member voting is underway as we speak and the award winners will be announced on May 8th.