
THE CENZIC BLOG: Web Application Security Insights
Trends, opinions, and insights from web application security experts.
This blog features insights from industry specialists and guest bloggers who are veterans in the security space, including web application security.
Read the latest trends, opinions and rumors from the nerds in the trenches.
Topics include: web application security, application security, web application scanner, application scanner, application pen testing, security trends, security industry, security report, web application security testing, application security service.
July 02, 2009
Read the March 2009 OWASP Security Spending Report
In case you haven’t had a chance to read OWASP’s latest security spending report, I suggest you take a peek over the long holiday weekend. Key findings of this study are:
- Organizations that have suffered a public data breach spend more on security in the development process than those that have not.
- Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.
- Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training.
- At least 61% of respondents perform an independent third party security review before deploying a Web application, while 17% do not (the remainder do not know or do so when requested by customers).
by Erin Swanson Eswanson@cenzic.com
June 30, 2009
Learn more about HTTP Parameter Pollution and find out ways to detect this latest attack
There’s been a lot of chat on Twitter recently about HTTP Parameter Pollution, so I wanted to describe the vulnerability in more detail and how Cenzic can detect it in its latest SmartAttack release.
What is HTTP Parameter Pollution? HTTP Parameter Pollution occurs when an attacker can submit additional parameters to a Web application. If these parameters have the same name as an existing parameter, the Web application may react in one of the following ways:
- It may only take the data from the first parameter
- It may take the data from the last parameter
- It may take the data from all parameters and concatenate them together
Such behavior enables attackers to distribute attack payloads across multiple parameters to evade signature-based filters. For more details about the attack, visit this blog post and/or read this recent PowerPoint presentation delivered at an OWASP European meeting.
How to Detect an HTTP Parameter Pollution Vulnerability: The latest Cenzic SmartAttack walks the traversal and identifies HTTP requests that are candidates for fault injection. For each candidate request, the SmartAttack sends a series of pairs of injected requests, with each parameter repeated once with its original value and once with an incorrect value. If the application gives different responses for the original and the injected request, this shows that the application is blindly using the last occurrence of the parameter, and the SmartAttack generates a Failure.
by Erin Swanson ESwanson@cenzic.com
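The three parameter-resolution behaviors and the differential check described above, as an added example written for this post (it is not Cenzic's SmartAttack code). It goes slightly beyond the post: the page describes one injected pair (wrong value last); a second pair with the wrong value first separates "last wins" from concatenation. The `make_app` function is a constructed stand-in for a web application, not a real server.

```python
from urllib.parse import parse_qs

# The three backend behaviours the post lists for a repeated parameter.
POLICIES = ("first", "last", "concat")

def resolve(query, name, policy):
    """Return the value a backend with the given policy sees for `name`."""
    values = parse_qs(query, keep_blank_values=True).get(name)
    if not values:
        return None
    if policy == "first":
        return values[0]
    if policy == "last":
        return values[-1]
    if policy == "concat":          # values joined, e.g. "a,b"
        return ",".join(values)
    raise ValueError("unknown policy: %s" % policy)

def make_app(policy):
    """Constructed stand-in for a web application (not a real server):
    it answers differently depending on the resolved 'id' parameter."""
    def app(query):
        v = resolve(query, "id", policy)
        return "record %s" % v if v is not None and v.isdigit() else "bad id"
    return app

def classify_hpp(send, query, name, wrong="x"):
    """Differential check modelled on the post's description: compare the
    response to the original request with responses to requests in which
    `name` is repeated with an incorrect value. Returns which occurrence
    the application honours, or 'indeterminate' if the responses never change."""
    baseline = send(query)
    appended = send("%s&%s=%s" % (query, name, wrong))   # original first, wrong last
    prepended = send("%s=%s&%s" % (name, wrong, query))  # wrong first, original last
    if appended != baseline and prepended == baseline:
        return "last"      # the post's Failure condition: last occurrence wins
    if appended == baseline and prepended != baseline:
        return "first"
    if appended != baseline and prepended != baseline:
        return "concat"    # both occurrences influence the result
    return "indeterminate"

if __name__ == "__main__":
    for policy in POLICIES:
        print(policy, "->", classify_hpp(make_app(policy), "id=42", "id"))
```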
June 23, 2009
Get recording and slides on 5 reasons why you need Web application security now
If you missed the live Forrester event on the 5 top reasons why you need Web application security now, then get the recording and the slides.
Just fill out our short Web registration form to learn:
- Complexities around application security
- Cost of not doing anything
- Easier and cheaper solutions to secure your Web applications in this tough economy
Presenters: Chenxi Wang, Senior Analyst at Forrester Research and Mandeep Khera, CMO of Cenzic
by Angel Oberoi Angel@cenzic.com
June 19, 2009
Level 2 merchants are required to undergo on-site audits for PCI compliance
MasterCard issued new requirements for PCI compliance for Level 2 merchants: they will soon be required to do an annual on-site audit. This used to be a requirement for Level 1 merchants only. Level 1 merchants are retailers doing more than 6 million credit card transactions a year, whereas Level 2 merchants do between 1 million and 6 million transactions. The requirements go into effect on December 31, 2010. MasterCard's intentions are good, as they are trying to ensure retailers have better controls. However, I still believe that instead of creating more bureaucracy and audits, we need to focus more on looking at the requirements of the PCI standard and clarifying what to do. The PCI Data Security Standard is a good thing and has raised awareness of security issues among merchants. But most merchants, especially the smaller ones, are still confused about what to do. Merchants who are attaining compliance out of fear are being lulled into a false sense of security by run-of-the-mill vendors who issue a certificate for a few hundred bucks. Here's my 5-step recommended plan for a better process for making sure that merchants get tighter security for their infrastructure:
- Education: Focus on educating merchants on different levels of security. Credit card companies should offer free Web seminars and courses to help merchants with basic security issues.
- Clear rules: The PCI council should continue to work on clarifying the requirements and how to get compliant. The last version helped, and hopefully we can keep simplifying the standard. For example, throwing an app firewall at the problem does not equal secure applications.
- Subsidies: Credit card companies should provide subsidies for smaller merchants who can't afford to pay for security.
- Focus on the weakest link: With 80% of attacks happening through Web applications, it's the weakest link. Yet most of the focus of the standard is on network security.
- Enforcement and positive reinforcement: With clear rules, subsidies, and education in place, there shouldn't be many excuses for merchants not to comply. Start enforcing with an initial warning and then penalties. Give visibility to the good merchants so they can increase their sales.
With over 250 million records stolen in 2008 alone, resulting in billions of dollars in losses, it's obvious that the current rules are not working. Something has to change. Period.
by Mandeep Khera, CMO Mandeep@cenzic.com
June 11, 2009
Attend today’s live Web seminar on Web Security and ask Forrester analyst questions
Well, today’s the big day for our live Web seminar on Web security, presented by Forrester analyst Chenxi Wang. Be sure to attend so you can ask her questions about the specifics of why the need is stronger than ever to protect your data.
We look forward to “seeing” you later today!
Forrester Webcast: 5 reasons why you need Web security now
For: Security professionals in charge of protecting Websites and ensuring regulatory compliance
Date: Thursday, June 11, 2009
Time: 11 am Pacific (2 pm Eastern)
Duration: 1 hour
Cost: Complimentary
Presenters: Chenxi Wang, Senior Analyst at Forrester Research and Mandeep Khera, CMO of Cenzic
by Erin Swanson Eswanson@cenzic.com
June 03, 2009
Listen to PCI compliance roundtable discussion hosted by PaulDotCom
Check out this hour-long podcast on PCI Compliance - Good Luck or Good Riddance, hosted by PaulDotCom. It’s a great dialogue between the host and the panel speakers.
PCI Roundtable Speakers:
- Ron Gula, Tenable Network Security
- Mandeep Khera, Cenzic
- Martin McKeay, Network Security Podcast
- Rich Mogull, Network Security Podcast/Securosis
- Anton Chuvakin, Qualys
Questions For Discussion:
- What elements of PCI really help organizations protect sensitive information?
- I have been certified as PCI compliant, I'm secure right?
- Does PCI do more harm than good by giving people a false sense of security?
- If you could make one improvement to PCI, what would it be?
- Prescriptive compliance vs outcome-based compliance
- Who do you fear more, hacker or auditor?
- Does risk belong in compliance?
- Where is value in compliance - in prescribing what to do or in motivating people to do SOMETHING?
by Erin Swanson Eswanson@cenzic.com
June 02, 2009
Watch one of the best 3 minute videos on a SQL Injection attack
After hearing 2 stories today (US Army Websites Hacked and Hackers Hit 40,000 Websites) about the plethora of Websites being hit with SQL Injection attacks, I thought this video was very appropriate.
In a mere 3 minutes, you’ll see a great example of how this attack works. The hacker first attempts to log into a University Website using a userid and password to elicit an error message. Once the error message is displayed, he goes into the source code to make changes to the settings, allowing him to access the site off-line using his credentials. The hacker now has full access to the entire database of students – grades, social security numbers, and dates of birth. And here's some information on testing for a SQL Injection vulnerability from About.com.
by Erin Swanson Eswanson@cenzic.com