THE CENZIC BLOG

What's New

Recent Web application security news from Cenzic

March 08, 2010
Read more articles in  Web Application Security Insights

Dan Shoemaker Featured on Application Security MythBusters Series

Podcast on application security MythBusters featuring Dan Shoemaker, co-chair at the Dept. of Homeland Security and professor at Univ. of Detroit Mercy

As part of its Application Security MythBusters series, Cenzic interviewed Dan Shoemaker, Co-Chair at the Department of Homeland Security and Professor at the University of Detroit Mercy.  When Cenzic’s Chief Marketing Officer, Mandeep Khera, asks Dan for his general observation on the state of Web application security, he answers in one word:  “Abysmal.”

Dr. Shoemaker believes our nation is poised for a cyber security “9/11” type of attack, given the insecure state of our Web applications.  And if you’ve never been hacked, your company is like an innocent lamb: a big target for the hacker wolves out there. 

He also tells a story about a large company (to remain nameless) that got hit by the Slammer virus on a Friday night.  They reacted quickly and fixed the problem by Monday morning, to the tune of $2M.  However, had the attack occurred on a Tuesday, the cost to fix it would have skyrocketed to $100M.  So they were “lucky” based on the timing of the attack. 

Take home message:  become a wolf or you’ll be quickly eaten by one. 

Listen to the full 11-minute podcast today!

If you have any other questions or topic suggestions about the latest myths out there, send an email to:  MythBusters@cenzic.com

by
Erin Swanson, Marketing
Eswanson@cenzic.com


March 05, 2010
Read more articles in  Cenzic SmartAttack Updates for Web Vulnerabilities

Cenzic Detects a PHP Validation Restriction-Bypass Vulnerability

Weekly product update – Cenzic detects a PHP Validation Restriction-Bypass Vulnerability

As of March 5, 2010 Cenzic now detects a PHP 'tempnam()' 'safe_mode' Validation Restriction-Bypass Vulnerability (BugtraqID 38431).  Successful exploits allow attackers to access files in unauthorized locations or create files in any writable directory. This vulnerability is an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code; the 'safe_mode' restrictions are assumed to isolate users from each other.  PHP 5.2.12 and prior versions are affected.

Background on Cenzic’s SmartAttacks
Every week, Cenzic’s suite of products is updated with the latest vulnerabilities (custom, commercial, and open-source) to better detect "holes" in Web applications.  These Web application vulnerabilities include (but are not limited to) cross-site scripting, buffer overflow, path or directory traversal, SQL injection, HTTP response splitting, and other workflow types.

by
Erin Swanson
Eswanson@cenzic.com


March 04, 2010
Read more articles in  Application Security News

Cenzic Hailstorm 6.5 Release

Find out the latest features and benefits in the Cenzic Hailstorm 6.5 release

Today we announced the 6.5 release of the Cenzic Hailstorm software product suite. 

You can download the “What’s New in Cenzic Hailstorm 6.5” brochure to read more about the following:

  • Open API enables enterprise integrations to other applications 
  • Significant web crawling improvements, which allow customers to initiate comprehensive security scans against a wider variety of Web applications built with diverse web technologies 
  • Enhanced enterprise capabilities such as asynchronous execution engines, floating licensing and logging improvements 
  • Improved user interface for easier group workflow and highlighting additional details on assessments, severity levels, and user comments

Free Customer Training

If you are already a customer, be sure to sign up for our customer training on Thursday, March 18 at 11 AM Pacific.  Jon Zucker, our product management guru, will walk you through all the important features.  Expect an email invite by next week.

by
Erin Swanson
Eswanson@cenzic.com


March 02, 2010
Read more articles in  Web Application Security Insights

Web Application Security Trends Report

Read the latest stats on the Web application security trends for the last half of 2009

We’re happy to announce Cenzic’s latest Web Application Security Trends Report – findings from Q3-Q4 2009.

The report, which illustrates trends among thousands of corporations, financial institutions and government agencies, incorporates findings from Cenzic’s leading-edge managed security assessment (SaaS) and research from Cenzic Intelligent Analysis (CIA) Labs.

Some of the key findings include:

  • 82 percent of the total reported vulnerabilities affected Web technologies, such as Web servers, applications, Web browsers, Plugins and ActiveX, which is a significant increase from earlier in the year. 
  • Of the Web browser vulnerabilities, Firefox had the largest share at 44 percent, but it also had the best patch ratio.  Internet Explorer vulnerabilities came in at 25 percent. 
  • Adobe, Sun and HP continue to be among the Top 10 vendors having the most severe vulnerabilities for the second half of 2009.

To download a PDF version of the Q3-Q4 2009 Trend Report, please visit:
http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q3-Q4-2009.pdf

For a hard copy of the full report you can also visit Cenzic at the RSA Conference in San Francisco from March 1-5 at booth #2624.

by
Mandeep Khera, CMO
Mandeep@cenzic.com


March 02, 2010
Read more articles in  Application Security News

RSA Conference 2010 Reception

RSVP to attend the RSA Conference 2010 reception on Wednesday, March 3 at Jillian’s Bar & Billiards Lounge

Please join us for the RSA Conference 2010 reception on Wednesday, March 3 at Jillian’s Bar & Billiards Lounge in the Metreon, located on Level One, immediately adjacent to the Moscone Convention Center. 

RSVP to reserve your spot: 
Email:  aoberoi@cenzic.com
Phone:  (408) 200-0742

Tickets will also be available on a first-come, first-served basis at the Cenzic booth (#2624) at the RSA Conference.

Reception Details:

Date:  Wednesday, March 3, 2010
Time:  9 PM to Midnight
Location:  Jillian’s Bar & Billiards Lounge
101 Fourth Street
San Francisco, CA 94103

by
Angel Oberoi, Marketing
Angel@cenzic.com


February 26, 2010
Read more articles in  Cenzic SmartAttack Updates for Web Vulnerabilities

Cenzic Detects a Sun Java System App Server HTTP TRACE Information Disclosure Vulnerability

Weekly product update – Cenzic detects a Sun Java System App Server HTTP TRACE Information Disclosure Vulnerability

As of February 26, 2010 Cenzic now detects a Sun Java System App Server HTTP TRACE Information Disclosure Vulnerability (BugtraqID 37995).  The Sun Java System Application Server is prone to a remote information-disclosure vulnerability.  Attackers can exploit this issue to obtain potentially sensitive information that can aid in further attacks.

Background on Cenzic’s SmartAttacks
Every week, Cenzic’s suite of products is updated with the latest vulnerabilities (custom, commercial, and open-source) to better detect "holes" in Web applications.  These Web application vulnerabilities include (but are not limited to) cross-site scripting, buffer overflow, path or directory traversal, SQL injection, HTTP response splitting, and other workflow types.

by
Erin Swanson
Eswanson@cenzic.com


February 19, 2010
Read more articles in  Cenzic SmartAttack Updates for Web Vulnerabilities

Cenzic Detects a Sun Java System Web Server Denial Of Service Vulnerability

Weekly product update – Cenzic detects a Sun Java System Web Server Denial Of Service Vulnerability

As of February 19, 2010 Cenzic now detects a Sun Java System Web Server 'admin' Server Denial of Service Vulnerability (BugtraqID 37909).  An attacker can exploit this issue to crash the affected application, denying service to legitimate users.  Sun Java System Web Server 7.0 Update 6 is affected; other versions may also be vulnerable.

Background on Cenzic’s SmartAttacks
Every week, Cenzic’s suite of products is updated with the latest vulnerabilities (custom, commercial, and open-source) to better detect "holes" in Web applications.  These Web application vulnerabilities include (but are not limited to) cross-site scripting, buffer overflow, path or directory traversal, SQL injection, HTTP response splitting, and other workflow types.

by
Erin Swanson
Eswanson@cenzic.com


February 18, 2010
Read more articles in  Web Application Security Insights

OWASP Feb 25 Meeting: SAP, Fujitsu, PARC, Stanford, Berkeley Presenting

Attend the latest OWASP meeting to hear insights on Web application security from SAP, Fujitsu, PARC, Stanford, and Berkeley

Make a trip to Sunnyvale next week to attend the OWASP Bay Area meeting, where we’ve invited top security professionals from SAP, Fujitsu, PARC, Stanford, and Berkeley to share their insights on the latest Web application security trends.

Attendance is free, and some food and a few alcoholic beverages will be provided.  However, please note:  due to security requirements at the venue (Fujitsu offices), you must pre-register for the event!  The registration desk will also ask for your citizenship / permanent residence status*.  Badges will be ready at the check-in lobby for pre-registered attendees.  You can't enter the meeting room without a badge. 

Register Today (space is limited and going fast)
http://owaspbayarea-feb2010.eventbrite.com/

Event Details

Date:  Thursday, February 25, 2010
Time:  1 – 8 PM
Location: 
Fujitsu Sunnyvale Campus (Building H)
1250 E. Arques Avenue
Sunnyvale, CA 94085

Agenda

1:00-1:15 PM

Check-in, registration, networking

1:15-1:30 PM

Welcome Remarks and Overview of OWASP Bay Area
Mandeep Khera, Bay Area Chapter Leader, Cenzic

1:30-2:15 PM

Keynote
Vishal Sikka, CTO, SAP

2:15-3:00 PM

WebBlaze: New Techniques and Tools for Web Security
Dawn Song, Associate Professor, UC Berkeley

3:00-3:30 PM

Networking Break, refreshments

3:30-4:00 PM

State of the Art: Automated Black Box Web App Testing
John Mitchell, Professor & Jason Bau, Ph.D. Candidate
Stanford University 

4:00-4:30 PM

Controlling Data in the Cloud: Outsourcing Computation without Outsourcing Control
Richard Chow, PARC

4:30–5:00 PM

Presentation Title, TBD
Praveen Murthy, Fujitsu

5:00-6:00 PM

Panel Discussion
Application Security Issues:  Cloud Security, Inertia, and the Future
Q&A from the audience

6:30-8:00 PM

Networking Reception - Dinner and Drinks!

Special thanks to Sree Rajan of Fujitsu for hosting this event and to Cenzic, AppSec Consulting, and Fujitsu for sponsoring.

*Fujitsu Policy:  Please note that you will be asked to sign and write down your country of citizenship in order to comply with US Customs regulations and C/TPAT (Customs Trade Partnership Against Terrorism) certifications. As part of the compliance, we regrettably are not able to allow attendance to those who hold the citizenship of Cuba, Iran, North Korea, Sudan, or Syria without a US Green Card. We sincerely apologize for any inconvenience this may cause.

by
Mandeep Khera, CMO at Cenzic
Mandeep@cenzic.com


February 12, 2010
Read more articles in  Cenzic SmartAttack Updates for Web Vulnerabilities

Cenzic Detects an IBM WAS Security Bypass Vulnerability

Weekly product update – Cenzic detects an IBM WAS Security Bypass Vulnerability

As of February 12, 2010 Cenzic now detects an IBM WebSphere Application Server 'Requires SSL' Option Security Bypass Vulnerability (BugtraqID 38122).  IBM WebSphere Application Server (WAS) is prone to a security-bypass vulnerability.  Successful exploits allow attackers to bypass certain security restrictions, which may lead to other attacks.  This issue affects WAS 7.0 through 7.0.0.8.

Background on Cenzic’s SmartAttacks
Every week, Cenzic’s suite of products is updated with the latest vulnerabilities (custom, commercial, and open-source) to better detect "holes" in Web applications.  These Web application vulnerabilities include (but are not limited to) cross-site scripting, buffer overflow, path or directory traversal, SQL injection, HTTP response splitting, and other workflow types.

Have a great 3-day weekend everyone!

by
Erin Swanson
Eswanson@cenzic.com


February 10, 2010
Read more articles in  Web Application Security Insights

Web Vulnerability Scanner Comparison

Remarks on the recent Web vulnerability scanner comparison by Larry Suto

Larry Suto has recently released a report comparing various Web vulnerability scanner products.  I’d like to thank Larry for his efforts and also point out that Cenzic encourages such comparisons, as they help users make more informed decisions.

That being said, some of Larry’s results sparked our interest and raised a few questions.  As with any software product, results depend on how it’s configured and what assumptions are made.  Our Hailstorm product is being used by hundreds of customers who are extremely pleased with the results while testing thousands of applications on a monthly basis.  So we ran some of the tests ourselves against the same target applications in an effort to better understand all of Larry’s findings.

Cenzic is a product of its innovation and responsiveness to our customers’ needs. We’ve always been (and continue to be) highly committed to on-going product improvements (where warranted), so we’re eager to learn as much from this report as possible.  Interestingly enough, however, our own results were somewhat different from Larry’s findings.  We’re currently in discussions with Larry to better understand how he configured the product and to confirm his assumptions versus our own.  Hopefully I’ll be able to provide an update on that soon.

by
Lars Ewe, CTO
Lars@cenzic.com


February 08, 2010
Read more articles in  Application Security News

ISC2 Security Leadership Event

Attend the ISC2 Security Leadership event tomorrow in San Jose, CA

If you happen to be in the heart of Silicon Valley on February 9, 2010, then attend the ISC2 Security Leadership event at the Double Tree Hotel in San Jose, CA. 

The all-day event (9 AM – 5 PM) will focus on how to measure your security success (or failure), so be prepared to hear about methods for determining how well you’re managing limited labor, capital, and technology resources. 

Event Details:

ISC2 Security Leadership Seminar

Title:  Fact not FUD:  Managing What You Can Measure
Date:  Tuesday, February 9, 2010
Time:  9 – 5 PM
Location:  Double Tree Hotel in San Jose, CA

See you there tomorrow!

by
Angel Oberoi, Marketing
Angel@cenzic.com


February 08, 2010
Read more articles in  Web Application Security Insights

Cyber Security Predictions for the Next Decade

Top 5 cyber security predictions for the upcoming decade

Enterprise Systems Magazine just published my top 5 cyber security predictions for the upcoming decade and I wanted to share them with you.  I hope you enjoy them … and please send any comments my way as well.

Top 5 Cyber Security Predictions for the next 10 years:

  1. Despite government efforts, cyber war will be more common with more severe Web application attacks. We’ve been predicting cyber wars for a couple of years and have started to see significant incidents in 2009.  In addition, hackers will target telecommunications and utility infrastructures of key nations. 
  2. Social network sites like Facebook and Twitter will continue to be targeted for attacks due to their popularity and usage.  Game changing social networking apps will emerge each with a unique set of security challenges.  Social networking will become even more prevalent as hackers go after these user bases looking for personal financial information to enable them to siphon money from bank accounts and credit cards.  Data from social networks will also give rise to increased identity theft as hackers sort through social networks to gather clues to unlock passwords and steal identities. 
  3. The rise in Smartphone use, particularly the popularity of specific phones (i.e. the iPhone), begets an escalation in mobile app use as more and more people use phone apps to enhance both their business and personal worlds.  These downloadable apps will increasingly become a target for hackers who see millions of potential targets, most of which use a Web infrastructure for hackers to exploit. 
  4. Cloud computing will become more prevalent as organizations try to optimize their infrastructure to streamline costs.  However, inherent security risks are synonymous with Cloud computing, as hackers will target Cloud providers. 
  5. The collective security consciousness will be raised.  Businesses large and small will adopt technologies to secure their Websites, regulations will be developed, and fines increased. Universities will make security, especially application security, a mandatory requirement for all development courses and there will be more regulations around cyber security including increases in fines to companies found negligent along with more severe criminal punishment for hackers. Yet, hackers will also become more organized and sophisticated.

by
Mandeep Khera, CMO
Mandeep@cenzic.com


February 05, 2010
Read more articles in  Cenzic SmartAttack Updates for Web Vulnerabilities

Cenzic Detects an Apache Integer Overflow Vulnerability

Weekly product update – Cenzic detects an Apache Integer Overflow Vulnerability

As of February 5, 2010 Cenzic now detects an Apache 1.3 mod_proxy HTTP Chunked Encoding Integer Overflow Vulnerability (BugtraqID 37966).  An attacker can exploit the Apache remote integer overflow vulnerability and execute arbitrary code.  Successful exploits will compromise affected computers.  Failed exploit attempts will result in a denial-of-service condition.  Note that this issue affects platforms on which 'sizeof(int)' is less than 'sizeof(long)'.  In particular, this occurs on some 64-bit architectures.  Versions prior to Apache 1.3.42 are vulnerable.
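The platform condition noted above, sizeof(int) smaller than sizeof(long), is the heart of this bug class. The following is an added illustration written for this page, not Apache's mod_proxy code: a receiver parses an HTTP chunk-size line into a long and then narrows it to an int, so on an LP64 platform "ffffffff" becomes -1 and passes a naive "too big?" check, while the hardened parser bounds the full-width value before any narrowing. The MAX_CHUNK limit and the sample chunk-size lines are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Upper bound on a single chunk this illustrative receiver will buffer.
 * Constructed for the example; a real server picks its own limit. */
#define MAX_CHUNK 65536L

/* Vulnerable pattern (illustrative, not Apache's code): the hexadecimal
 * chunk size is parsed into a long and then silently narrowed to an int.
 * Where sizeof(int) < sizeof(long) (LP64), the high bits are discarded:
 * "ffffffff" becomes -1 and "100000000" becomes 0. */
int naive_chunk_len(const char *line)
{
    long n = strtol(line, NULL, 16);
    int len = (int)n;   /* narrowing conversion; value changes if n > INT_MAX */
    return len;
}

/* A size check built on the narrowed value. A negative int satisfies
 * "len <= cap", yet the same value becomes a huge size_t once it reaches
 * memcpy() or read(), which is how such a narrowing turns into memory
 * corruption. Returns 1 if the chunk would be accepted. */
int naive_accepts(const char *line, int cap)
{
    return naive_chunk_len(line) <= cap;
}

/* Hardened parser: validate the full-width value before any narrowing.
 * Rejects strtol overflow (ERANGE), lines without hex digits, trailing
 * characters other than a chunk extension or CRLF, negative sizes, and
 * sizes above MAX_CHUNK. Returns the size, or -1 when the line is rejected. */
long safe_chunk_len(const char *line)
{
    char *end;
    long n;

    errno = 0;
    n = strtol(line, &end, 16);
    if (errno == ERANGE)
        return -1;                      /* did not even fit in a long */
    if (end == line)
        return -1;                      /* no hex digits parsed */
    if (*end != '\0' && *end != ';' && *end != '\r' && *end != '\n')
        return -1;                      /* unexpected characters after size */
    if (n < 0 || n > MAX_CHUNK)
        return -1;                      /* bound checked at full width */
    return n;
}

int main(void)
{
    /* Constructed chunk-size lines (CRLF omitted so the output stays on one line). */
    const char *lines[] = { "1f;ext=1", "ffffffff", "100000000", "zz" };
    size_t i;

    printf("sizeof(int)=%zu sizeof(long)=%zu\n", sizeof(int), sizeof(long));
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        printf("%-10s naive=%d accepts=%d safe=%ld\n",
               lines[i], naive_chunk_len(lines[i]),
               naive_accepts(lines[i], (int)MAX_CHUNK), safe_chunk_len(lines[i]));
    }
    return 0;
}
```

On a 32-bit (ILP32) build the narrowing does not occur, but strtol reports ERANGE for "ffffffff", so the hardened parser rejects the line on either platform; the point is that the check has to happen at the width the value was parsed in, never after an implicit conversion.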
                  
Background on Cenzic’s SmartAttacks
Every week, Cenzic’s suite of products is updated with the latest vulnerabilities (custom, commercial, and open-source) to better detect "holes" in Web applications.  These Web application vulnerabilities include (but are not limited to) cross-site scripting, buffer overflow, path or directory traversal, SQL injection, HTTP response splitting, and other workflow types.

by
Erin Swanson
Eswanson@cenzic.com


February 03, 2010
Read more articles in  Application Security News

SANS Application Security 2010 Conference

We hope to see you at the SANS Application Security 2010 Conference in San Francisco

I just got back from the cocktail reception that kicked off the SANS Application Security Conference held at the Sheraton Fisherman’s Wharf Hotel in San Francisco this year. 

So stop by tomorrow (Feb 4) for a free lunch at 12:30 PM in the President’s Ballroom and hear our esteemed CTO, Lars Ewe, present on “AJAX:  The Truth Behind the Hype”.  Lars is also a panelist in the SANS vendor tools shootout (along with IBM and Veracode) at 4:30 PM. 

Some of the things you’ll learn at the SANS Application Security Conference include:

  1. The essentials of a comprehensive Web site security program and how to secure a Website
  2. The most current information on Web hacking techniques and how to guard against these prevalent Web vulnerabilities
  3. Unique procurement practices that will help manage application security outsourcing and improve application security
  4. The confessions of a professional Web application hacker
  5. What your peers are doing to secure their Web applications and Web application best practices
  6. What tools are available and how they compare, and which tools you should have in your security toolbox to ensure your applications are locked up tight

Looking forward to seeing you there!

by
Angel Oberoi
Angel@cenzic.com


February 02, 2010
Read more articles in  Application Security News

2010 Cyber Security Expo

Attend the 2010 Cyber Security Expo in Washington DC today and tomorrow

The annual Cyber Security Expo takes place in Washington DC this week, February 2-3, 2010.  So if you’re in town, stop by the Cenzic booth (#52) and attend the show to learn about cyber security threats and vulnerabilities and the defensive capabilities available.  The event is located at the Ronald Reagan Building & International Trade Center.

by
Angel Oberoi
Angel@cenzic.com

