
THE CENZIC BLOG: Web Application Security Insights
Trends, opinions, and insights from web application security experts.
This blog features insights from industry specialists and guest bloggers who are veterans in the security space, including web application security. Read the latest trends, opinions and rumors from the nerds in the trenches.
Topics include: web application security, application security, web application scanner, application scanner, application pen testing, security trends, security industry, security report, web application security testing, application security service.
March 08, 2010
Podcast on application security MythBusters featuring Dan Shoemaker, co-chair at the Dept. of Homeland Security and professor at Univ. of Detroit Mercy
As part of its Application Security MythBusters series, Cenzic interviewed Dan Shoemaker, Co-Chair at the Department of Homeland Security and Professor at the University of Detroit Mercy. When Cenzic’s Chief Marketing Officer, Mandeep Khera, asks Dan about his general observation of the state of Web application security, he answers in one word: Abysmal.
Dr. Shoemaker believes our nation is poised for a cyber security “9/11” type of attack based on the insecure state of our Web applications. And if you’ve never been hacked, your company is like an innocent lamb, a big target for the hacker wolves out there.
He also tells a story about a large company (to remain nameless) that got hacked with the Slammer Virus on a Friday night. They reacted quickly and fixed the problem by Monday morning, to the tune of $2M. However, if the hack had occurred on a Tuesday, the cost to fix the attack would have skyrocketed to $100M. So they were “lucky” based on the timing of the attack.
Take home message: become a wolf or you’ll be quickly eaten by one.
Listen to the full 11 minute podcast today!
If you have any other questions or topic suggestions about the latest myths out there, send an email to: MythBusters@cenzic.com
by Erin Swanson, Marketing, Eswanson@cenzic.com
March 02, 2010
Read the latest stats on the Web application security trends for the last half of 2009
We’re happy to announce Cenzic’s latest Web Application Security Trends Report, with findings from Q3-Q4 2009.
The report, which illustrates trends among thousands of corporations, financial institutions and government agencies, incorporates findings from Cenzic’s leading-edge managed security assessment (SaaS) and research from Cenzic Intelligent Analysis (CIA) Labs.
Some of the key findings include:
- 82 percent of the total reported vulnerabilities affected Web technologies, such as Web servers, applications, Web browsers, plugins and ActiveX, which is a significant increase from earlier in the year.
- Of Web browser vulnerabilities, Firefox had the largest percentage, at 44 percent, but the browser also had the best patch ratio. Internet Explorer vulnerabilities came in at 25 percent.
- Adobe, Sun and HP continue to be among the Top 10 vendors having the most severe vulnerabilities for the second half of 2009.
To download a PDF version of the Q3-Q4 2009 Trend Report, please visit: http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q3-Q4-2009.pdf
For a hard copy of the full report you can also visit Cenzic at the RSA Conference in San Francisco from March 1-5 at booth #2624.
by Mandeep Khera, CMO, Mandeep@cenzic.com
February 18, 2010
Attend the latest OWASP meeting to hear insights on Web application security from SAP, Fujitsu, PARC, Stanford, and Berkeley
Make a trip to Sunnyvale next week to attend the OWASP Bay Area meeting, where we’ve invited top security professionals from SAP, Fujitsu, PARC, Stanford, and Berkeley to share their insights on the latest Web application security trends.
As you know, attendance is free and some food and a few alcoholic beverages will be provided. However, please note: due to security issues at the location site (Fujitsu Offices), you must pre-register for the event! The registration desk will also ask for your citizen / permanent residence status*. Badges will be ready at the check-in lobby for pre-registered attendees. You can't enter the meeting room without a badge.
Register today (space is limited and going fast): http://owaspbayarea-feb2010.eventbrite.com/
Event Details
Date: Thursday, February 25, 2010
Time: 1 – 8 PM
Location: Fujitsu Sunnyvale Campus (Building H), 1250 E. Arques Avenue, Sunnyvale, CA 94085
Agenda
| Time | Session | Speaker |
| --- | --- | --- |
| 1:00-1:15 PM | Check-in, registration, networking | |
| 1:15-1:30 PM | Welcome Remarks and Overview of OWASP Bay Area | Mandeep Khera, Bay Area Chapter Leader, Cenzic |
| 1:30-2:15 PM | Keynote | Vishal Sikka, CTO, SAP |
| 2:15-3:00 PM | WebBlaze: New Techniques and Tools for Web Security | Dawn Song, Associate Professor, UC Berkeley |
| 3:00-3:30 PM | Networking Break, refreshments | |
| 3:30-4:00 PM | State of the Art: Automated Black Box Web App Testing | John Mitchell, Professor, and Jason Bau, Ph.D. Candidate, Stanford University |
| 4:00-4:30 PM | Controlling Data in the Cloud: Outsourcing Computation without Outsourcing Control | Richard Chow, PARC |
| 4:30-5:00 PM | Presentation Title TBD | Praveen Murthy, Fujitsu |
| 5:00-6:00 PM | Panel Discussion, Application Security Issues: Cloud Security, Inertia, and the Future; Q&A from the audience | |
| 6:30-8:00 PM | Networking Reception - Dinner and Drinks! | |
Special thanks to Sree Rajan of Fujitsu for hosting this event and to Cenzic, AppSec Consulting, and Fujitsu for sponsoring.
*Fujitsu Policy: Please note that you will be asked to sign and write down your country of citizenship in order to comply with US Customs regulations and C/TPAT (Customs Trade Partnership Against Terrorism) certifications. As part of the compliance, we regrettably are not able to allow attendance to those who hold the citizenship of Cuba, Iran, North Korea, Sudan, or Syria without a US Green Card. We sincerely apologize for any inconvenience this may cause.
by Mandeep Khera, CMO at Cenzic, Mandeep@cenzic.com
February 10, 2010
Remarks on the recent Web vulnerability scanner comparison by Larry Suto
Larry Suto has recently released a report comparing various Web vulnerability scanner products. I’d like to thank Larry for his efforts and also point out that Cenzic encourages such comparisons, as they help users make more informed decisions.
That being said, some of Larry’s results sparked our interest and raised a few questions. As with any software product, results depend on how it’s configured and what assumptions are made. Our Hailstorm product is being used by hundreds of customers who are extremely pleased with the results while testing thousands of applications on a monthly basis. So we ran some of the tests ourselves against the same target applications in an effort to better understand all of Larry’s findings.
Cenzic is a product of its innovation and responsiveness to our customers’ needs. We’ve always been (and continue to be) highly committed to on-going product improvements (where warranted), so we’re eager to learn as much from this report as possible. Interestingly enough, however, our own results were somewhat different from Larry’s findings. We're currently in discussions with Larry to better understand how he configured the product and to compare his assumptions with our own. Hopefully I’ll be able to provide an update on that soon.
by Lars Ewe, CTO, Lars@cenzic.com
February 08, 2010
Top 5 cyber security predictions for the upcoming decade
Enterprise Systems Magazine just published my top 5 cyber security predictions for the upcoming decade and I wanted to share them with you. I hope you enjoy them, and please send any comments my way as well.
Top 5 Cyber Security Predictions for the next 10 years:
- Despite government efforts, cyber war will be more common, with more severe Web application attacks. We’ve been predicting cyber wars for a couple of years and have started to see significant incidents in 2009. In addition, hackers will target the telecommunications and utility infrastructures of key nations.
- Social network sites like Facebook and Twitter will continue to be targeted for attacks due to their popularity and usage. Game-changing social networking apps will emerge, each with a unique set of security challenges. Social networking will become even more prevalent as hackers go after these user bases looking for personal financial information that enables them to siphon money from bank accounts and credit cards. Data from social networks will also give rise to increased identity theft as hackers sort through social networks to gather clues to unlock passwords and steal identities.
- The rise in Smartphone use, particularly the popularity of specific phones (e.g. the iPhone), begets an escalation in mobile app use as more and more people use phone apps to enhance both their business and personal worlds. These downloadable apps will increasingly become a target for hackers who see millions of potential targets, most of which use a Web infrastructure for hackers to exploit.
- Cloud computing will become more prevalent as organizations try to optimize their infrastructure to streamline costs. However, inherent security risks are synonymous with Cloud computing, as hackers will target Cloud providers.
- The collective security consciousness will be raised. Businesses large and small will adopt technologies to secure their Websites, regulations will be developed, and fines increased. Universities will make security, especially application security, a mandatory requirement for all development courses. There will be more regulations around cyber security, including increased fines for companies found negligent, along with more severe criminal punishment for hackers. Yet hackers will also become more organized and sophisticated.
by Mandeep Khera, CMO, Mandeep@cenzic.com