
THE CENZIC BLOG: Web Application Security Insights
Trends, opinions, and insights from web application security experts.
This blog features insights from industry specialists and guest bloggers who are veterans in the security space, including web application security.
Read the latest trends, opinions and rumors from the nerds in the trenches.
Topics include: web application security, application security, web application scanner, application scanner, application pen testing, security trends, security industry, security report, web application security testing, application security service.
August 30, 2010
BP online presence defaced via Cross Site Scripting (XSS) Vulnerability by hacking community
BP continues to be the subject of criticism following the Deepwater Horizon oil spill, as the hacking community is taking umbrage at some of BP’s recent public relations activities in the online arena, most recently in the form of a website defacement via Cross-Site Scripting (XSS).
Specifically, reactions to BP’s having bought the sponsored link for the search term ‘oil spill’ seem to have triggered resentment that took the form of reconnaissance work, a Twitter account compromise, and an amusing cross-site scripting vulnerability.
According to the article, the XSS ought to be corrected, and two-factor authentication on VPNs is a must-have at this point. BP should also undertake a security audit of its perimeter, web properties, online services used, and security policies.
by Erin Swanson, Marketing, Eswanson@cenzic.com
August 23, 2010
Cross Site Scripting (XSS) Vulnerability on Twitter exploited by Turkish Hackers
As part of our blog series highlighting specific website attacks occurring in the real world, we’d like to highlight a popular vulnerability that hackers love to exploit: Cross-Site Scripting (XSS).
Back in June 2010, a persistent (stored) Cross-Site Scripting (XSS) vulnerability on Twitter’s website was exploited by Turkish hackers to post a rogue status, “Hacked by Turkish Hackers”.
Twitter quickly fixed the vulnerability, but continues to suffer from bad press about a variety of hacks on its popular social network site.
by Mandeep Khera, CMO, Mandeep@cenzic.com
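The defensive point behind a persistent XSS like the one described above is that stored user text has to be encoded at the moment it is written into HTML, because every later viewer of the timeline receives whatever was saved. The following is an added Python example, not code from the original post or from Twitter or Cenzic; the sample statuses, the function names and the `survives_as_markup` check are all constructed for the demonstration.

```python
import html
from typing import Iterable

# Constructed sample statuses for the demonstration; not data from Twitter.
SAMPLE_STATUSES = [
    "Good morning from the trenches",
    "<script>alert('stored xss')</script>",
    '5 > 3 & "quotes" are fine',
]


def render_status_unsafe(status: str) -> str:
    """The flawed pattern: stored user text is concatenated straight into markup.

    Whatever the user saved is re-emitted as live HTML to every viewer of the
    timeline, which is what makes an XSS bug of this kind persistent.
    """
    return f'<li class="status">{status}</li>'


def render_status_safe(status: str) -> str:
    """Encode at the HTML boundary so the browser shows the text, never runs it."""
    return f'<li class="status">{html.escape(status, quote=True)}</li>'


def render_timeline(statuses: Iterable[str], safe: bool = True) -> str:
    """Render a list of stored statuses with either renderer."""
    render = render_status_safe if safe else render_status_unsafe
    return "<ul>" + "".join(render(s) for s in statuses) + "</ul>"


def survives_as_markup(rendered: str, user_text: str) -> bool:
    """Check helper: True if user text containing a tag reached the page unencoded."""
    return "<" in user_text and user_text in rendered


if __name__ == "__main__":
    for safe in (False, True):
        page = render_timeline(SAMPLE_STATUSES, safe=safe)
        print(f"safe={safe}: raw markup present ->",
              survives_as_markup(page, SAMPLE_STATUSES[1]))
```

The escaping belongs in the renderer, not in the input validator: the same status text may also be shown in JSON, in an e-mail or in a log line, and each of those boundaries needs its own encoding. `survives_as_markup` is the kind of assertion a template test suite can run over every stored field to catch a renderer that bypasses the encoder.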
August 19, 2010
Hackers exploited a Session Management Vulnerability in AT&T’s network to gain iPad user information
As part of our blog series highlighting specific website attacks occurring in the real world, we’d be remiss if we didn’t mention the session management vulnerability that was exploited to obtain iPad user information back in June 2010.
A security flaw in AT&T's network exposed the e-mail addresses of more than 100,000 owners of Apple's 3G iPad. The hole was uncovered by Goatse Security, a group known among security experts as hackers who enjoy pulling Web pranks. The group exploited a session prediction vulnerability: because the iPad owners' unique identification numbers were predictable, the hackers could write a script that guessed them and retrieved the matching e-mail addresses.
The list of exposed owners included New York Mayor Michael Bloomberg, White House Chief of Staff Rahm Emanuel and other powerful figures in finance, media and politics.
by Mandeep Khera, CMO, Mandeep@cenzic.com
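The flaw described above is one of predictability: the identifier that keyed the lookup could be computed from its neighbours instead of having to be known. The Python below is an added example, not code from the post, AT&T or Cenzic; it contrasts a counter-based issuer with one drawing from the operating system's CSPRNG and runs a simple self-check that flags stepped identifiers. The class names, the `looks_sequential` heuristic and the sample sizes are assumptions made for the demonstration, and the check generalizes beyond the iPad case to any identifier a service keys sensitive data on.

```python
import secrets


class SequentialIdIssuer:
    """Flawed pattern: a counter. Seeing one identifier reveals all of its
    neighbours, so a script can walk the whole space and ask the lookup
    service about each one."""

    def __init__(self, start: int = 100_000):
        self._next = start

    def issue(self) -> str:
        value = self._next
        self._next += 1
        return str(value)


class RandomTokenIssuer:
    """Hardened pattern: 32 bytes (256 bits) from the OS CSPRNG, URL-safe encoded.
    Knowing any number of issued tokens gives no information about the next."""

    def issue(self) -> str:
        return secrets.token_urlsafe(32)


def looks_sequential(samples) -> bool:
    """Self-check: True if every consecutive pair of samples differs by the same
    integer step, i.e. the next identifier can be computed from the ones seen.
    This is a heuristic for the demonstration, not a full randomness test."""
    try:
        values = [int(s) for s in samples]
    except ValueError:
        return False          # non-numeric tokens cannot be stepped through
    if len(values) < 3:
        return False
    steps = {b - a for a, b in zip(values, values[1:])}
    return len(steps) == 1


def audit_issuer(issuer, n: int = 5) -> dict:
    """Issue n identifiers and report whether a guesser could predict the next one."""
    samples = [issuer.issue() for _ in range(n)]
    return {
        "samples": samples,
        "predictable": looks_sequential(samples),
        "all_unique": len(set(samples)) == n,
    }


if __name__ == "__main__":
    for issuer in (SequentialIdIssuer(), RandomTokenIssuer()):
        report = audit_issuer(issuer)
        print(type(issuer).__name__, "predictable:", report["predictable"])
```

The wider lesson is that a handle which is *unique* is not automatically *unguessable*: serial numbers, account numbers and device identifiers are all unique and all enumerable. Anything that returns personal data must be gated on an authenticated session or on a token the client could only have obtained legitimately, and the issuer should be part of the test suite so that a later "optimisation" to a counter is caught.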
August 16, 2010
Watch this video on application security MythBusters featuring Cenzic CEO John Weinschenk
As part of its Application Security MythBusters series, Cenzic interviewed John Weinschenk, President and CEO of Cenzic.
When Cenzic’s Chief Marketing Officer, Mandeep Khera, asks John about the state of Web application security, he answers that despite the plethora of hacking going on, people are still in denial about their websites not being secure. Mr. Weinschenk believes that other security solutions like SSL have a place, but they won’t protect sensitive data.
Watch the 4 minute video today!
If you have any other questions or topic suggestions about the latest myths out there, send an email to MythBusters@cenzic.com.
by Erin Swanson, Marketing, Eswanson@cenzic.com
August 12, 2010
Back in June 2010, hackers exploited a SQL vulnerability on thousands of websites
This post is the first of many in which we’ll highlight specific website attacks occurring in the real world. In June 2010, hackers exploited a SQL injection vulnerability on more than 100,000 web pages; victims as diverse as The Wall Street Journal, TomTom, and the UK's Strathclyde Police were hit by an attack that redirected visitors to a website that attempted to install malware on their machines.
The sites were infected using SQL injection exploits, which allow attackers to tamper with a server's database by typing commands into user-input fields. The hackers used the exploit to plant iframes in the compromised sites that redirected visitors to robint.us. Malicious JavaScript on that site attempted to infect end users with malware dubbed Mal/Behav-290.
by Mandeep Khera, CMO, Mandeep@cenzic.com
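Two parts of what the post describes lend themselves to a worked example: the query pattern that lets typed input rewrite the SQL, and the injected iframes that a site owner can sweep stored content for after the fact. The Python below is an added example, not code from the post, Cenzic or any of the affected sites; it uses an in-memory SQLite table, a constructed page body, and the placeholder host `malware.example` rather than the real domain named in the post. The function names and the `IFRAME_SRC` pattern are assumptions made for the demonstration.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Constructed content for a small site; no real database or site was involved.
SITE_HOST = "www.example-site.test"
INJECTED_BODY = (
    "<p>Latest news</p>"
    '<iframe src="http://malware.example/u.php" width="0" height="0"></iframe>'
)


def build_db() -> sqlite3.Connection:
    """In-memory table of pages; the 'news' row carries a constructed injected iframe."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (slug TEXT PRIMARY KEY, body TEXT)")
    conn.executemany(
        "INSERT INTO pages VALUES (?, ?)",
        [("about", "<p>About us</p>"),
         ("news", INJECTED_BODY),
         ("internal", "<p>Staff only</p>")],
    )
    conn.commit()
    return conn


def get_page_unsafe(conn, slug: str):
    """Flawed: user input is spliced into the SQL text, so it can change the query's logic."""
    query = f"SELECT slug, body FROM pages WHERE slug = '{slug}'"
    return conn.execute(query).fetchall()


def get_page_safe(conn, slug: str):
    """Hardened: the value travels as a bound parameter and is only ever compared as data."""
    return conn.execute("SELECT slug, body FROM pages WHERE slug = ?", (slug,)).fetchall()


# Pulls the src attribute out of each <iframe ...> opening tag (demonstration pattern).
IFRAME_SRC = re.compile(r"<iframe[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.IGNORECASE)


def find_foreign_iframes(body: str, allowed_hosts) -> list:
    """Return iframe sources whose host is not one of ours."""
    hits = []
    for src in IFRAME_SRC.findall(body):
        host = urlparse(src).hostname or ""
        if host and host not in allowed_hosts:
            hits.append(src)
    return hits


def audit_pages(conn, allowed_hosts) -> dict:
    """Sweep every stored page body for off-site iframes; returns {slug: [src, ...]}."""
    findings = {}
    for slug, body in conn.execute("SELECT slug, body FROM pages"):
        hits = find_foreign_iframes(body, allowed_hosts)
        if hits:
            findings[slug] = hits
    return findings


if __name__ == "__main__":
    db = build_db()
    probe = "about' OR '1'='1"   # textbook tautology, used only to show the difference
    print("unsafe rows:", len(get_page_unsafe(db, probe)))  # 3: the WHERE clause was rewritten
    print("safe rows:  ", len(get_page_safe(db, probe)))    # 0: no slug has that literal value
    print("audit:", audit_pages(db, {SITE_HOST}))
```

Parameterised queries fix the root cause because the database driver never parses the bound value as SQL, so the same input that rewrites the unsafe query simply matches no row in the safe one. The content sweep is a detection control rather than a fix: after an incident of the kind described, running `audit_pages` against every text column that ends up in a page is a quick way to find rows that were modified, and the allow-list should contain only hosts the site legitimately embeds.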
August 11, 2010
Watch this video on application security MythBusters featuring Chenxi Wang of Forrester Research
As part of its Application Security MythBusters series, Cenzic interviewed Chenxi Wang, Ph.D., Principal Analyst at Forrester Research.
When Cenzic’s Chief Marketing Officer, Mandeep Khera, asks Dr. Wang for her perspective on the state of Web application security, she answers in one word: abysmal. According to this analyst, very few people even realize the dangers of working with so many unprotected web applications.
As far as PCI compliance goes, Chenxi agrees that the regulation is a great step forward towards a more secure Internet, but on the flip side it enables people to adopt a “check box” mentality. She suggests that every company should be continuously auditing its applications and going deeper than the basic PCI compliance tests.
Like other speakers in this video series, Dr. Wang believes more secure-code training is needed in order to solve the problem at its root. In the meantime, companies must spend money on fixing their applications.
Watch the 8 minute video today!
If you have any other questions or topic suggestions about the latest myths out there, send an email to MythBusters@cenzic.com.
by Erin Swanson, Marketing, Eswanson@cenzic.com