Cenzic Webinar on May 23: Top 10 Ways to Win Budget for Application Security

Watch Now!

Did you miss the live webinar? No problem. The webinar recording and slides are now available.


Webinar: May 23. Register Now!

Join Cenzic for a live webinar on Thursday, May 23 at 11am Pacific (2pm Eastern):  “Top 10 Ways to Win Budget for Application Security.”

Security analysts and developers often recognize the need for application security tools, but have a hard time making the case to non-technical budget holders. Even within IT organizations, existing spending patterns may starve application security. What to do? We will examine common scenarios and real-world examples, and offer data, reasoning and tactics to help you secure the resources you need for better online security.

Cenzic’s Chris Harget, a 15-year security industry veteran, will lead the webinar. Chris is leaving plenty of time to answer your security and budget-related questions.

Register now for “Top 10 Ways to Win Budget for Application Security.”

Application Security Services: When To Use Professional Services

Have you ever identified an urgent need for a security fix, but lacked a qualified team member to do it? Have you ever been handed a schedule so ambitious that it’s not physically possible for your team to complete it? Is it sometimes easier to get a temporary budget increase than to add permanent headcount? These are all scenarios that cry out for application security services from Cenzic’s Professional Services Team. While most people know that Cenzic Managed Cloud includes our experts, who will run application vulnerability scans for you and report back the results, that’s just the tip of the Cenzic Professional Services iceberg.

Here are some recent examples of customers making novel and valuable use of Cenzic Professional Services.

  • A Fortune 100 Commercial Banking and Services company with more than $100 Billion in Assets needed to quickly begin scanning 110 applications. Cenzic Professional Services did a custom onboarding engagement, training each app traversal so that the Bank’s IT Security Analysts could then run scans themselves using Cenzic Enterprise software. This met their timeline needs, and kept the scanning results in-house, per their corporate policy.
  • A global NGO with thousands of web sites needed a Methodology Assessment of their security posture, and real-world training of their developers to minimize vulnerabilities in code. Cenzic Professional Services did a 3-day engagement with their application developers. Cenzic PS reviewed with them the 10 most common vulnerabilities in the wild, finding examples in their production applications. Cenzic PS demonstrated on a live demo site how a hacker could exploit those specific types of vulnerabilities, then reviewed coding best practices to completely eliminate said vulnerabilities.
  • A high-technology company with a mobile application that accessed sensitive customer data didn’t know how to assess it for vulnerabilities. The Cenzic Mobile Scan service performed a dynamic analysis by placing a proxy in line between the mobile app and its backend, which allowed technicians to replay various attacks, and coupled this with a thorough forensic analysis of the application on the device to identify vulnerabilities that exposed customer data.
  • A Health Maintenance Organization needed a deep scan of a new application on a tight development schedule to ensure compliance. Cenzic PS performed manual penetration testing alongside comprehensive vulnerability scanning to provide a very thorough assessment that could suffice for any compliance or audit need.

Keep in mind that your goal is online security, and there are many ways to achieve that goal whether it is self-service, managed services, or a hybrid in between. Cenzic experts would love to help.

Cenzic Application Vulnerability Trends Report 2013 Now Available

99% of Tested Applications Have Vulnerabilities

Cenzic’s analysis finds that in 2013 application vulnerabilities are all too common: 99% of tested applications have one or more vulnerabilities, and with a median of 13 vulnerabilities per app, it’s no wonder that application-level attacks are a focus for bad actors. The full report is available for download at no charge.

Vulnerabilities come in many different forms. The chart below shows that Cross Site Scripting (XSS) continues to be the most common class of application vulnerability.

[Chart: 2013 Application Vulnerability Trends. Summary Statistics: 2013 Application Vulnerability Population]

The chart also shows that many classes of vulnerabilities exist in current applications and pose risks to companies along with their customers, employees and supply chain partners. While the distribution of specific vulnerability classes for 2013 is different than previous years, multiple variants of all classes continue to be detected in production apps.

Based on data collected by the Cenzic Managed Security team, the Cenzic Application Vulnerability Trends Report 2013 shares details about the kind, frequency and severity of vulnerabilities found in production applications in 2013.

The time to act is now. Download the report today and learn about the current application vulnerabilities and risk landscape. And more importantly, use the report and its shocking findings as a motivation to improve your application security posture.

Cenzic Wins 3 Awards at RSA Conference 2013

Cenzic’s goal is to provide customers with solutions that reduce application security vulnerabilities and risks. Over the years, Cenzic has succeeded at this mission and earned industry awards. The most recent recognition came at RSA Conference 2013 where Cenzic earned not one, not two, but three Info Security Global Excellence Awards.

Info Security Products Guide Gold Award

CENZIC MANAGED CLOUD
Best Cloud Security Service

Info Security Products Guide Bronze Award

CENZIC, INC.
Best Overall Security Company of the Year

Info Security Products Guide Bronze Award

CENZIC ENTERPRISE
Best Web Application Security Product

Visit the Info Security Products Guide Awards page to see the list of honorees in all categories.

Info Security Products Guide runs a tough competition: more than 50 judges from a broad spectrum of industry voices around the world participated, and their average scores determined the 2013 Global Excellence Awards finalists and winners.

Cenzic is honored to be recognized by Info Security Products Guide with 3 awards at RSA Conference 2013.

New Video: Cenzic Integration with F5 BIG-IP ASM for Complete Website Protection

Check out this new video from our friends at F5 Networks. In a few short minutes you’ll see how BIG-IP ASM integrates with Cenzic for complete website protection.


F5 Networks’ BIG-IP Application Security Manager (ASM) is a web application firewall (WAF) that protects critical applications from the most advanced threats.

By integrating Cenzic’s continuous online application testing with F5 BIG-IP ASM, vulnerabilities are immediately blocked by an ASM policy as soon as they are identified. This means that your organization remains protected and in compliance without interruption to business, and application vulnerabilities can be fixed in a resource-efficient manner.

Mobile Application Security Flaw: Ineffective Session Termination

This has been observed over and over again in native mobile client-server applications: when a user taps the logout button, the session is terminated only locally on the client side, either by updating a local resource file on the device or, in the worst cases, by simply returning the user to the application’s login screen, without actually terminating the session at the server end.

Such a coding flaw leaves the backend enterprise server susceptible to unauthorized access: an attacker who holds the previous session data (for example the session token) can resume the victim’s session, which could lead to identity theft of the victim who owns the session.

Successful exploitation of this vulnerability would allow an attacker to get ACTIVE access to the victim’s account. The attacker can therefore impersonate the victim and misuse the account.

Best Practice

Always invalidate the session on logout, both on the client and on the server side. Terminate inactive sessions that have seen no activity for a reasonable period, typically 15-20 minutes. Requests that attempt to access a private page using a terminated session should result in a security error or re-authentication. A session that has been active for a long time and has reached the maximum allowed lifetime must be re-authenticated.
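To make the flaw and the fix concrete, here is an added Python example (not from the original post or any Cenzic product) that models a server-side session store with an idle timeout and an absolute lifetime, plus a mobile client whose logout either clears only its local copy of the token (the flaw) or also invalidates it on the server (the fix). The store, the client and the timeout values are assumptions for illustration.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60       # idle window from the post (15-20 min); assumption: 15 min
MAX_LIFETIME = 8 * 60 * 60   # assumption: absolute lifetime before forced re-authentication

class SessionStore:
    """Server-side session table: token -> {user, created, last_seen}."""
    def __init__(self, clock=time.time):
        self._clock, self._sessions = clock, {}
    def login(self, user):
        token = secrets.token_urlsafe(32)   # unguessable, server-issued session token
        now = self._clock()
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        return token
    def validate(self, token):
        """Return the session's user, or None so the caller forces re-authentication."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT or now - s["created"] > MAX_LIFETIME:
            del self._sessions[token]       # expired: a replayed token cannot revive it
            return None
        s["last_seen"] = now
        return s["user"]
    def logout(self, token):
        self._sessions.pop(token, None)     # server-side invalidation: token is now dead

class MobileClient:
    """Stand-in for the native app; 'token' plays the local resource file on the device."""
    def __init__(self, store):
        self.store, self.token = store, None
    def login(self, user):
        self.token = self.store.login(user)
    def logout(self, server_side):
        if server_side:
            self.store.logout(self.token)   # the fix: invalidate on the server first
        self.token = None                   # the flaw alone: only the local copy is cleared

def replay_after_logout(server_side_logout):
    """Does a token copied before logout still work afterwards? Returns the user or None."""
    store = SessionStore(); app = MobileClient(store)
    app.login("alice")
    captured = app.token                    # constructed: copy of the token taken earlier
    app.logout(server_side_logout)
    return store.validate(captured)         # "alice" with the flaw, None with the fix

def idle_timeout_enforced(idle_seconds):
    """Advance a fake clock by idle_seconds; report whether the session is still live."""
    now = [1_000_000.0]
    store = SessionStore(clock=lambda: now[0])
    token = store.login("bob")
    now[0] += idle_seconds
    return store.validate(token) is not None
```

With client-only logout the server still answers for the old token; with server-side invalidation, and after the idle window elapses, the same token is rejected and the app must re-authenticate.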

Here are a few useful links that discuss ways to tackle this issue:

Should SMBs worry about Web application security?

Let’s say that you are an owner of an SMB, you have a website that gets modest traffic, most of which you determine are your existing or potential customers. They browse your wares and offerings, and can purchase them directly through your website.

Let’s also say that security for your company’s website really hasn’t been one of your major concerns. You think to yourself, “Why should it be?” You serve a small, yet steadily growing user base. You don’t think you would be on a hacker’s radar in a million years.

You are one of the little guys, right? Why would a hacker target you? Why would they go after your assets or customers when there are much bigger fish to fry?

The cold hard truth is that hacking isn’t what it used to be: it’s no longer one kid going after a particular site, trying to break through firewalls to poke and prod around in search of some secret military installation or the like.

Today, a majority of hackers, if not all, use programs that automate their attacks. They use networks upon networks of hijacked “zombie” machines to do the dirty work, probing the Internet 24 hours a day, seven days a week for common Web application vulnerabilities. And they don’t discriminate by the size of a business, large or small. Every online business has the potential to make them money, now or down the road, if they can get through its defenses.

They are looking to do one of two things: smash and grab (passwords, credit cards, user names, user data, etc.), or establish a long-standing foothold where they add hidden code that infects every one of your site’s visitors, every time they visit your site!

Did you know that every month security researchers find over 400 new common vulnerabilities that can be exploited by hackers? Over 400! Every month! That’s almost 5,000 new “COMMON” vulnerabilities a year!

If you aren’t scrubbing and evaluating your site during production, before it goes live, and every few months thereafter, you are just giving away the farm. It may not be today, but it will happen, and it could put you out of business. And as your business grows, you will become increasingly dependent on Web applications. If you take the necessary steps to institute a prevention plan now, you will be protecting your own business and your number one asset: your customers.

You may think you cannot afford it, but Cenzic provides a free evaluation of Hailstorm Pro, our pro-level assessment software.

With Hailstorm Pro you can:

  • Test attack resistance, regulatory compliance and conformance with internal security policies all from your own desktop,
  • Detect more vulnerabilities and reduce false positives with Stateful Assessment™ technology,
  • Schedule assessments while applications are running, with no downtime, and
  • Reduce costs with automated penetration testing for both commercial and custom applications.

Do you and your customers a favor and try a free week of Hailstorm Pro…it’s on us.

Cenzic and F5 Go Barnstorming to Discuss Our Combined Web-App Security Solutions

We’re excited to announce a series of upcoming roadshows with our newest partner, F5 Networks! We announced our partnership with F5 about a month ago, and in an effort to spread the good word of a complete web-app security solution, we’re pounding some pavement to meet with IT professionals across the country.

The recent joint solution coming from Cenzic and F5 ensures that vulnerabilities can be identified and immediately addressed through an F5 BIG-IP ASM policy integrated with Cenzic software and cloud-based solutions. This allows for automated policy configuration and provides the ability to patch vulnerabilities with a single click.

These roadshows will give IT pros a chance to meet with security product experts from Cenzic and F5 to learn how to bring together network, application, data, and user-access under a single security strategy that moves IT forward. The two-hour security forum is free, and you can register below for any of the events.

Come out for IT security info, stay for the stirring conversation!

Tuesday, August 7, Tysons Corner, VA
Register

Thursday, August 9, Toronto, ON
Register

Thursday, August 9, Boston, MA
Register

Tuesday, August 14, Rosemont, IL
Register

Wednesday, August 15, Edina, MN
Register

Thursday, August 23, Dallas, TX
Register

What do John Dillinger and the Average Hacker Have in Common?

Web owners need to think about protecting their digital assets much in the same way that banks protect money: solid and tested code in the digital equivalent of a bank vault.

When we think of security on the web, we imagine our adversaries as stereotypical hackers—perhaps in a darkened basement lit only by the light of an oversized monitor. Bank robbers on the other hand, evoke images of brutish thugs, brandishing weapons to make their way to the vault. Whether our perceptions are accurate or not, today’s hackers are really no different than yesterday’s bank robbers—both are trying to attack quickly, face as few obstacles as possible, and fade away.

Banks and websites both hold something of value, and both initially try to protect these valuables the same way: banks store theirs in a seemingly impenetrable vault, while web apps are developed with error-free, solid code to keep intruders out of servers.

These initial defenses qualify as “the best laid plans of mice and men,” as attackers on both the physical and cyber fronts do well in keeping pace with the thickest of vaults and the hardiest of code. The reality is that advances in cyber-attacks will always thwart the best-written code, and locksmiths pride themselves on their ability to pick any vault.

So how do we secure our valuables? We create layers of defense. No bank is without a sentry or security cameras to aid in the vault’s efforts. While it may be possible to break through a vault door, the process is difficult enough that even the most skilled team of experts can’t do it quickly enough to escape a raised alarm. Because of the layers of defense, the goal of the vault isn’t to stand single-handedly against intruders, but to have enough tumblers to slow the intruders down long enough for another mode of defense to be tipped off to the attack.

If we view this through the eyes of web-app security, we see the initial app code being launched from development into production, and then as a live site. With 500 new attacks every month, that code on its own is likely to fall prey to a litany of attacks, compromising a site’s valuable data. Scanning for attacks provides yet another layer of defense, and coupling those scans with a web-app firewall provides even more “tumblers” and obstacles for a hacker to pick before vital information becomes available. If done correctly, red flags will shoot up everywhere prior to an actual breach.

The key with web-app security is much like defending a bank, after all—provide layers of defense that create enough obstacles to keep attackers at bay until the alarms go off.

Protecting your brand – Time to circle the wagons

Your website–and your brand–is vulnerable to hackers. Test early and test often to protect your valuable resources.

The World Wide Web shares its initials with the Wild Wild West, and for good reason: there are bandits aplenty (aka hackers) out there looking to loot and pillage from you.

The simple fact is this: if you have a website, then one day, sooner or later, hackers will come for it. Your website is vulnerable, and that can seriously jeopardize your brand. What you do about it now will be instrumental in how well you can defend against these forthcoming attacks.

How many opportunities are there for hackers? According to WorldWideWebSize.com there are nearly 7 billion web pages on the Internet, and each and every one of those pages is an opportunity for someone to steal from you or from your customer base. No matter which way you look at it, that’s not good for your brand or your business.

Through our own research here at Cenzic, we have found that only 25% of applications used on the Web are thoroughly vetted and properly tested before they are unleashed into the wild. We have also found that 500, yes you read that right, 500 new application vulnerabilities are uncovered each month!

Now, what can you do about it? You need to fully test the integrity of your websites and associated applications from the very beginning of development. We have found that only 27% of applications are tested while they are in production, and it’s much easier (and cheaper) to fix or virtually patch an application during development than after it’s been unleashed to the Web.

With our testing, called SmartAttacks, we take a unique approach and have come up with a full-blown assault akin to how a hacker would try to cripple or compromise a Web application. Regardless of whom you choose for your solution, you need to choose someone to test your site and applications, or you could end up on the front page of CNET or the Wall Street Journal, and nobody wants that.

Remember you need to test early and test often. It’s up to you; do you want to be remembered as the Alamo or the Battle of San Jacinto?