Cenzic Mobile is Named a SIIA Software CODiE Award Finalist!

We’re excited to announce that the Software & Information Industry Association (SIIA) has nominated our Cenzic Mobile service as one of the finalists in its coveted CODiE Awards for Best Mobile Development Solution! The CODiE Awards are renowned in the software and information industries and have been around for 27 years. This recognition of Cenzic Mobile as a finalist is further market validation of Cenzic’s and Cenzic Mobile’s product innovation, vision, and industry impact.


Launched a little over a year ago, our Cenzic Mobile service scans and analyzes mobile applications and detects vulnerabilities in critical areas, including input validation, authentication mechanisms, session security, encryption usage and policy compliance. The number of mobile applications developed today is staggering, and it presents a new set of security challenges with rapidly changing threat vectors. We recommend that enterprises implement continuous mobile application security assessments to protect and ensure the highest levels of application integrity.

Check out the press release we issued last week and visit SIIA CODiE Awards for the list of finalists in all categories. Member voting is underway as we speak and the award winners will be announced on May 8th.

Cenzic Wins 3 Awards at RSA Conference 2013

Cenzic’s goal is to provide customers with solutions that reduce application security vulnerabilities and risks. Over the years, Cenzic has succeeded at this mission and earned industry awards. The most recent recognition came at RSA Conference 2013 where Cenzic earned not one, not two, but three Info Security Global Excellence Awards.

  • Info Security Products Guide Gold Award – Cenzic Managed Cloud: Best Cloud Security Service
  • Info Security Products Guide Bronze Award – Cenzic, Inc.: Best Overall Security Company of the Year
  • Info Security Products Guide Bronze Award – Cenzic Enterprise: Best Web Application Security Product

Visit the Info Security Products Guide Awards page to see the list of honorees in all categories.

Info Security Products Guide runs a tough competition: more than 50 judges from a broad spectrum of industry voices around the world participated, and their average scores determined the 2013 Global Excellence Awards finalists and winners.

Cenzic is honored to be recognized by Info Security Products Guide with 3 awards at RSA Conference 2013.

New Video: Cenzic Integration with F5 BIG-IP ASM for Complete Website Protection

Check out this new video from our friends at F5 Networks. In a few short minutes you’ll see how BIG-IP ASM integrates with Cenzic for complete website protection.

F5 Networks’ BIG-IP Application Security Manager (ASM) is a web application firewall (WAF) that protects critical applications from the most advanced threats.

By integrating Cenzic’s continuous online application testing capabilities with F5 BIG-IP ASM, attacks against vulnerabilities are blocked as soon as those vulnerabilities are identified. This means that your organization remains protected and in compliance without interruption to business, and application vulnerabilities can be fixed in a resource-efficient manner.

Should SMBs worry about Web application security?

Let’s say that you are an owner of an SMB, you have a website that gets modest traffic, most of which you determine are your existing or potential customers. They browse your wares and offerings, and can purchase them directly through your website.

Let’s also say that security for your company’s website really hasn’t been one of your major concerns. You think to yourself, “Why should it be?” You service a small, yet steadily growing user-base. You don’t think you would be on a hacker’s radar for a million years.

You are one of the little guys right? Why would a hacker target you? Why would they go after your assets or customers when there are much bigger fish to fry?

The cold hard truth is that hacking isn’t what it used to be. It’s no longer one kid going after a particular site, trying to break through firewalls to poke and prod around in search of some secret military installation or the like.

Today, most hackers, if not all, use programs that automate their attacks. They use networks upon networks of hijacked “zombie” machines to do the dirty work, probing the Internet 24 hours a day, seven days a week, looking for common Web application vulnerabilities. And they don’t discriminate by business size, large or small. Every online business has the potential to make them money, now or down the road, if they can get through its defenses.

They are looking to do one of two things: smash and grab (passwords, credit cards, user names, user data, etc.) or establish a long-standing foothold where they add hidden code that infects every one of your site’s visitors, every time they visit your site!

Did you know that every month security researchers find over 400 new common vulnerabilities that can be exploited by hackers? Over 400! Every month! That’s almost 5000 new “common” vulnerabilities a year!

If you aren’t scrubbing and evaluating your site during production, before it goes live and every few months, you are just giving away the farm. It may not be today, but it will happen and it could put you out of business. And as your business grows, you will become increasingly dependent on Web applications. If you take the necessary steps to institute a prevention plan now, you will be protecting your own business and your number one asset—your customers.

You may think you cannot afford it, but you should know that Cenzic provides a free evaluation of Hailstorm, our pro-level assessment software.

With Hailstorm Pro you can:

  • Test attack resistance, regulatory compliance and conformance with internal security policies all from your own desktop,
  • Detect more vulnerabilities and reduce false positives with Stateful Assessment™ technology,
  • Schedule assessments while applications are running, with no downtime, and
  • Reduce costs with automated penetration testing for both commercial and custom applications.

Do you and your customers a favor and try a free week of Hailstorm Pro…it’s on us.

Amidst the Mobile Pickpockets, Don’t Forget to Guard the Vault

Unfortunately, the industry’s current mobile security focus is like guarding against pickpockets while the bank vaults go unprotected.

Much has been written recently about mobile security: mobile apps surreptitiously uploading users’ contacts, the increase in Android malware, pirated apps adding bogus SMS charges, and of course everything Apple is doing to secure its platform – sandboxing, MDM, application access control and security certificates. There are public cries for one-click kill commands that would enable VIPs to delete their contact list in an emergency, demands for greater control over the distribution of Android applications, and calls for oversight of app developers who may help themselves to more information than their users realize.

Unfortunately, the industry’s current mobile security focus is like guarding against pickpockets while the bank vaults go unprotected. The attention is riveted on device-centric hacks, hacks that, for the most part, rely on many individuals being infected or duped to succeed. And while as a consumer and the head of a security company I applaud all security measures, I’d like to point out that the pot of gold for any motivated hacker is not the mobile devices but the backend data and systems they connect to.

If you were a profiteering hacker, where would you aim your sights? Do you want Joe User’s address book, or the backup database with everyone’s address book? Would you make more hijacking mobile credit card transactions one at a time, or hacking a mobile payments authentication and verification database? Sure, it’s a more complex hack, but the payoff is exponential. So while I agree that finding and fixing vulnerabilities in mobile devices is important, I want to make it clear that it’s all for naught unless the vulnerabilities in the mobile applications themselves, and in how they communicate with the backend, are also found, fixed, and monitored for new vulnerabilities.

Most experts agree that over the course of 2011 mobile attacks and malware became more sophisticated. Even so, many of us agree that we’ve only seen the first act. As mobile apps proliferate and mobile hackers gain experience and sophistication, there will be an increase in attacks focused on the big vaults of data, not just the individual pockets.

Cenzic actually has put its money where my mouth is on this. We’ve released our new application security intelligence service mobile offering that focuses on finding mobile app and backend vulnerabilities. More about our product here.

Cenzic + WAF = Intelligent Blocking

We have been getting a lot of questions about how to automate online application protection

We have been getting a lot of questions about how to automate online app protection. There are a number of ways to do this, but an easy one is integrating Cenzic with your Web application firewall (WAF).

By integrating Cenzic’s continuous online application testing capabilities into a WAF, online app scans can be run automatically through the WAF using Cenzic’s cloud solution. Integrated WAF/Cenzic solutions (such as Barracuda, Citrix, F5, Imperva and Trustwave) ensure that attacks against vulnerabilities are blocked as soon as those vulnerabilities are identified. This means that your organization remains protected and in compliance without interruption to business, and code can be fixed in a resource-efficient manner.

Richard Stiennon Honored During Cyber Security Awareness Month

Cyber security awareness month award winner: Richard Stiennon

As you may have read from yesterday’s press release, Cenzic honored Richard Stiennon, a veteran of the security industry and a well-respected analyst, as the recipient of the company’s second annual Cenzic Cyber Security Leadership award.

The award recognizes Stiennon as the industry expert who has made the biggest strides in furthering the values exemplified by Cyber Security Awareness Month (October 2011). The award was judged on the level of commitment Mr. Stiennon has shown for the cause as well as his willingness to educate others on cyber security issues.

Mr. Stiennon has over a decade of experience advising enterprises, vendors, and government agencies on their security strategies. Other cyber security accomplishments of his include:

  • Author of Surviving Cyberwar (Government Institutes, 2010) and the soon to be published Cyber Defense: Countering Targeted Attacks
  • Most followed IT security analyst on Twitter
  • Moderator of the Security Leaders Group on LinkedIn
  • Writer of the Cyber Defense Weekly newsletter
  • Keynote presenter at the October 2011 National Cyber Security Awareness Month kick-off event at the University of Virginia

Congratulations, Richard!

How the Latest OWASP Top 10 Maps to PCI 6.6

See details on how Cenzic has mapped its SmartAttacks to the latest OWASP Top 10 and PCI 6.6

Here are more details on our updates to the SmartAttack library to ensure compliance with the latest OWASP Top 10 and PCI 6.6. The table below lists the SmartAttacks that now correspond to both the OWASP 2010 Top 10 and PCI 6.6.

OWASP Top 10 2010 category (PCI 6.6 requirement): Cenzic SmartAttacks

1. A1 – Injection (PCI 6.5.1)
  • Blind SQL Injection
  • SQL Disclosure
  • SQL Error Message
  • Unix Command Injection
  • Windows Command Injection
  • LDAP Exception
  • LDAP Injection

2. A2 – Cross-Site Scripting (PCI 6.5.2)
  • Cross-Site Scripting

3. A3 – Broken Authentication & Session Management (PCI 6.5.3)
  • Session ID Randomness
  • Login Redirect
  • Non-SSL Password
  • Password Auto-complete
  • Non-Masked Password
  • Cookie Vulnerabilities

4. A4 – Insecure Direct Object Reference (PCI 6.5.4)
  • Frame Injection
  • Remote File Inclusion

5. A5 – Cross-Site Request Forgery (PCI 6.5.5)
  • Cross-Site Request Forgery

6. A6 – Security Misconfiguration (PCI 6.5.6)
  • Check HTTP Methods
  • Directory Browsing
  • Web Server Vulnerabilities
  • Application Exception
  • App Path Disclosure
  • Platform Path Disclosure

7. A7 – Insecure Cryptographic Storage (PCI 6.5.7)
  • N/A

8. A8 – Failure to Restrict URL Access (PCI 6.5.7)
  • File & Directory Discovery
  • Unix Relative Path
  • Windows Relative Path

9. A9 – Insufficient Transport Layer Protection (PCI 6.5.9)
  • Browse HTTP from HTTPS List
  • Non-SSL Form
  • SSL Checks

10. A10 – Unvalidated Redirects & Forwards (PCI 6.5.10)
  • Open Redirect
  • HTTP Response Splitting
  • Cross-Frame Scripting

Web Vulnerability Scanner Comparison

Remarks on the recent Web vulnerability scanner comparison by Larry Suto

Larry Suto has recently released a report comparing various Web vulnerability scanner products. I’d like to thank Larry for his efforts and also point out that Cenzic encourages such comparisons, as they help users make more informed decisions.

That being said, some of Larry’s results sparked our interest and raised a few questions. As with any software product, results depend on how it’s configured and what assumptions are made. Our Hailstorm product is used by hundreds of customers who are extremely pleased with the results while testing thousands of applications on a monthly basis. So we ran some of the tests ourselves against the same target applications in an effort to better understand all of Larry’s findings.

Cenzic is a product of its innovation and responsiveness to our customers’ needs. We’ve always been (and continue to be) highly committed to on-going product improvements where warranted, so we’re eager to learn as much from this report as possible. Interestingly enough, however, our own results were somewhat different from Larry’s findings. We’re in discussions with Larry to better understand how he configured the product and to compare his assumptions with our own. Hopefully I’ll be able to provide an update on that soon.

Dynamic Application Security Testing (DAST)

Dynamic application security testing (DAST) is one of the many security technologies evaluated in a recent Gartner paper entitled, “Hype Cycle for Data & Application Security”.

Gartner defines DAST technologies as “designed to detect conditions indicative of a security vulnerability in an application in its running state” and believes they have a market penetration of 20-50% of the target audience with an “early mainstream” maturity. (If you haven’t figured it out yet, Cenzic falls into the DAST category.)

Gartner also finds that the adoption of DAST solutions, primarily in the form of Web application testing tools, has been rapid for a few reasons:

  • Testing doesn’t require access to source code and can be performed by security, audit or compliance teams.
  • DAST tools can help automate penetration testing, which many organizations already perform.
  • Most organizations have vulnerable, external-facing, Web-enabled applications deployed, and there is an immediate need (many times driven by the regulatory environment) to reduce risk.

The need for DAST tools continues to grow due to:

  • The growing number of applications that are Web-enabled and externally accessible
  • The growing number of targeted and financially motivated attacks at the application level