THE CENZIC BLOG

What's New

Recent Web application security news from Cenzic

July 02, 2009
Read more articles in  Web Application Security Insights

OWASP Security Spending Report

Read the March 2009 OWASP Security Spending Report

In case you haven’t had a chance to read OWASP’s latest security spending report, I suggest you take a peek over the long holiday weekend.

Key findings of this study are:

  • Organizations that have suffered a public data breach spend more on security in the development process than those that have not.
  • Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.
  • Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training.
  • At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).

by
Erin Swanson
Eswanson@cenzic.com

July 02, 2009
Read more articles in  Application Security News

SaaS Web Vulnerability Scanning

Read what's new in the 6.0 launch of our SaaS Web vulnerability scanning product – Cenzic ClickToSecure

If you are looking for a Web vulnerability scanning product – either software or SaaS – you should check out Cenzic. We just launched our 6.0 release of both products – Cenzic Hailstorm (software) and Cenzic ClickToSecure (SaaS).

Read what’s new in our SaaS product here.  Some feature highlights include: 

  • Pages Visited – Monitors URL Requests during & after Assessment runs
  • Web Application Firewall (Imperva/SecureSphere) integration
  • Ability to request Assessments in multiple ways
  • Ability to run and schedule self Assessments
  • Improved Web 2.0 support, specifically for Flash and AJAX based Web applications

by
Erin Swanson, Marketing
Eswanson@cenzic.com


June 30, 2009
Read more articles in  Application Security News

What’s New in Our Web Application Security Product, Cenzic Hailstorm 6.0

Read what’s new in our Web application security software products – Cenzic Hailstorm Enterprise ARC and Professional 6.0

Just in case you wanted to read the feature / benefit details about our latest Web application security software release, here’s some information. It will be posted to our Website shortly, and as a customer, you’ll get a hard copy of it in the mail.

It’s been two weeks since our launch and we’ve received nothing but positive praise from our users – so if you haven’t upgraded yet, do so before the July 4th weekend.

by
Erin Swanson, Marketing
Eswanson@cenzic.com


June 30, 2009
Read more articles in  Web Application Security Insights

Defining and Detecting HTTP Parameter Pollution

Learn more about HTTP Parameter Pollution and find out ways to detect this latest attack

There’s been a lot of chat on Twitter recently about HTTP Parameter Pollution, so I wanted to describe the vulnerability in more detail and how Cenzic can detect it in its latest SmartAttack release.

What is HTTP Parameter Pollution?
HTTP Parameter Pollution occurs when an attacker submits additional parameters to a Web application. If these parameters have the same name as an existing parameter, the Web application may react in one of the following ways:

  • It may only take the data from the first parameter
  • It may take the data from the last parameter
  • It may take the data from all parameters and concatenate them together

Such behavior lets attackers distribute attack payloads across multiple parameters to evade signature-based filters that inspect each parameter value on its own. For more details about the attack, visit this blog post and/or read this recent PowerPoint presentation delivered at an OWASP European meeting.

How to Detect an HTTP Parameter Pollution Vulnerability:
The latest Cenzic SmartAttack walks the crawled site (the traversal) and identifies HTTP requests that are candidates for fault injection. For each candidate request, the SmartAttack sends a series of pairs of injected requests in which each parameter is repeated: once with its original value and once with an incorrect value.

If the application responds differently to the original request and the injected request, this indicates that the application is blindly using the last occurrence of the parameter, and the SmartAttack generates a Failure.
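To make the three behaviors above and the pair-of-requests check concrete, here is an added Python example (not Cenzic's code). The "app" is a constructed stand-in whose response depends on the resolved value of an `id` parameter; `probe_duplicate_policy` applies the detection idea from the post and also distinguishes the first-wins and concatenate cases, and `duplicated_names` is the simplest hardening, rejecting any request that repeats a name.

```python
"""Duplicate-parameter handling and a black-box probe (constructed example)."""
from urllib.parse import parse_qsl


def resolve_params(query: str, policy: str) -> dict:
    """Collapse duplicate names under the three behaviors the post lists:
    'first' keeps the first occurrence, 'last' keeps the last, and
    'concat' joins every occurrence with a comma."""
    merged = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name not in merged or policy == "last":
            merged[name] = value
        elif policy == "concat":
            merged[name] = merged[name] + "," + value
        # policy == "first": later occurrences are ignored
    return merged


def duplicated_names(query: str) -> list:
    """Names that occur more than once. A front end that rejects such
    requests removes the ambiguity before any filter looks at values."""
    names = [n for n, _ in parse_qsl(query, keep_blank_values=True)]
    return sorted({n for n in names if names.count(n) > 1})


def make_app(policy: str):
    """Constructed stand-in for a Web application: its response is driven by
    the resolved 'id' value, so a change in resolution is visible."""
    def app(query: str) -> str:
        return "record:" + resolve_params(query, policy).get("id", "")
    return app


def probe_duplicate_policy(app, base_query: str, name: str,
                           bogus: str = "zz-probe-zz") -> str:
    """Black-box probe modelled on the post's check: repeat `name` once with
    its original value and once with an incorrect one, in both orders, and
    compare each response with the baseline to infer which occurrence wins."""
    baseline = app(base_query)
    appended = app(f"{base_query}&{name}={bogus}")   # original first, bogus last
    prepended = app(f"{name}={bogus}&{base_query}")  # bogus first, original last
    if appended != baseline and prepended == baseline:
        return "last"        # the post's Failure case: last occurrence honored
    if appended == baseline and prepended != baseline:
        return "first"
    if appended != baseline and prepended != baseline:
        return "concat"      # both orders changed the value: occurrences merged
    return "unaffected"      # parameter not reflected; nothing to conclude


if __name__ == "__main__":
    for policy in ("first", "last", "concat"):
        print(policy, "->", probe_duplicate_policy(make_app(policy), "id=7&view=full", "id"))
    print("duplicates:", duplicated_names("id=7&view=full&id=9"))
```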

by
Erin Swanson
ESwanson@cenzic.com


June 26, 2009
Read more articles in  Cenzic SmartAttack Updates for Web Vulnerabilities

Cenzic Issues New SmartAttack in 6.0 Release: HTTP Parameter Pollution Vulnerability

The HTTP Parameter Pollution Vulnerability is now detectable in Cenzic’s 6.0 release as a new SmartAttack category

As of June 26, 2009, Cenzic added its 101st SmartAttack to its latest 6.0 product suite:  HTTP Parameter Pollution Vulnerability (version 1.0). 

Published just a few days back, the HTTP Parameter Pollution Vulnerability is one of the newest ways hackers can exploit Web applications.  It pinpoints the anomaly in handling multiple occurrences of the same parameter by various platforms. This vulnerability plays the role of the "enabler", which can be exploited by an attacker to further craft complex and destructive attacks.  Due to the devastating nature of this attack, we created a new SmartAttack immediately to enable our customers to detect such vulnerabilities and avoid further attacks.   

Web Server Vulnerabilities SmartAttack Update

In this week’s update, we’ve also enhanced our Web Server Vulnerabilities SmartAttack so it can detect the PHP 'exif_read_data()' JPEG Image Processing Denial Of Service Vulnerability (BugtraqID 35440). PHP is prone to a denial-of-service vulnerability in its 'exif_read_data()' function. Successful exploits may allow remote attackers to cause denial-of-service conditions in applications that use the vulnerable function.

Background on Cenzic’s SmartAttacks
Every week, Cenzic’s suite of products is updated with the latest vulnerabilities (custom, commercial, and open-source) to better detect "holes" in Web applications. These Web application vulnerabilities include (but are not limited to) cross site scripting, buffer overflow, path or directory traversal, SQL injection, HTTP response splitting, and other workflow types.

by
Erin Swanson
Eswanson@cenzic.com


June 24, 2009
Read more articles in  Application Security News

Black Hat 2009 – Learn the Latest Security Trends

The latest security trends will be highlighted at the Black Hat 2009 event in Vegas

It’s the time of year again to “get your geek on” as the Black Hat 2009 event is gearing up for another amazing display of the coolest security trends in hot Las Vegas, NV.

The conference is held at Caesar’s Palace and starts at 8 AM sharp on Wednesday, July 29 and ends on that Thursday afternoon (July 30). 

Be sure to stop by Cenzic’s booth #17 to see our latest product suite release:  6.0. 

by
Angel Oberoi
Angel@cenzic.com

June 23, 2009
Read more articles in  Web Application Security Insights

Recording on Web Application Security – A Ticking Time Bomb!

Get recording and slides on 5 reasons why you need Web application security now

If you missed the live Forrester event on the 5 top reasons why you need Web application security now, then get the recording and the slides.

Just fill out our short Web registration form to learn:

  • Complexities around application security
  • Cost of not doing anything
  • Easier and cheaper solutions to secure your Web applications in this tough economy

Presenters:  
Chenxi Wang, Senior Analyst at Forrester Research and
Mandeep Khera, CMO of Cenzic

by
Angel Oberoi
Angel@cenzic.com


June 19, 2009
Read more articles in  Web Application Security Insights

MasterCard Tightens PCI Compliance Requirements

Level 2 merchants are required to undergo on-site audits for PCI compliance

MasterCard issued new requirements for PCI compliance for Level 2 merchants -- they will soon be required to do an annual on-site audit. This used to be a requirement for Level 1 merchants only. Level 1 merchants are retailers doing more than 6 million credit card transactions a year, whereas Level 2 merchants do between 1 million and 6 million transactions. The requirements go into effect on December 31, 2010.

MasterCard's intentions are good, as they are trying to ensure retailers have better controls. However, I still believe that instead of creating more bureaucracy and audits, we need to focus more on looking at the requirements of the PCI standard and clarifying what to do.

PCI Data Security Standard is a good thing and has raised awareness for security issues for the merchants.  But most merchants, especially the smaller ones, are still confused on what to do.  

Merchants who are attaining compliance out of fear are being lulled into a false sense of security by run-of-the-mill vendors who issue a certificate for a few hundred bucks. Here's my 5-step recommended plan for a better process for making sure that merchants get tighter security for their infrastructure:

  1. Education:  Focus on educating merchants on different levels of security. Credit card companies should offer free Web seminars and courses to help merchants in basic security issues.
  2. Clear rules:  The PCI council should continue to work on clarifying the requirements and how to get compliant. The last version helped and hopefully we can keep simplifying the standard. For example, throwing an app firewall at the problem does not equal secure applications.
  3. Subsidies:  Credit card companies should provide subsidies for smaller merchants who can't afford to pay for security. 
  4. Focus on the Weakest link:  With 80% of attacks happening through the Web applications, it's the weakest link. Yet, most of the focus of the standard is on network security. 
  5. Enforcement and positive reinforcement:  With clear rules, subsidies, and education in place, there shouldn't be many excuses for merchants to not comply. Start enforcing with an initial warning and then penalties. Give visibility to the good merchants so they can increase their sales.

With over 250 million records stolen in 2008 alone, resulting in billions of dollars in losses, it's obvious that the current rules are not working.  Something has to change.  Period.

by
Mandeep Khera, CMO
Mandeep@cenzic.com

June 19, 2009
Read more articles in  Cenzic SmartAttack Updates for Web Vulnerabilities

Cenzic Detects an Apache Tomcat XML Parser Information Disclosure Vulnerability

An Apache Tomcat XML Parser Information Disclosure Vulnerability is now detectable in the Cenzic Web Server SmartAttack

As of June 19, 2009, Cenzic can detect the Apache Tomcat XML Parser Information Disclosure Vulnerability (BugtraqID 35416).  Apache Tomcat is prone to an Information Disclosure Vulnerability where attackers can exploit this issue to obtain sensitive information that may lead to further attacks.

by
Erin Swanson
Eswanson@cenzic.com


June 17, 2009
Read more articles in  Application Security News

Cenzic Partner Brings Web Application Security to South Africa

CentricEdge introduces Cenzic’s Web application security products at South African event

Cenzic, in collaboration with its South African partner, CentricEdge, was a sponsor at this year’s ITWeb Annual Security Summit to educate audience members on Web application security.

The South African event highlighted tools, techniques, and strategies for organizations to adopt in order to better safeguard their information.  Key themes at this year’s event included cybercrime, mobile security, security in the cloud, AV malware, threat modelling, the security development lifecycle, PCI compliance, Web security, virtualization and security, and vulnerability management. 

We’d like to thank CentricEdge for creating the tradeshow display containing Cenzic branding along with pitching our technology to a new audience. Their Website is under maintenance at the moment, but check back soon to learn more about this company: www.centricedge.co.za

by
Chris Carvacho, Sales Ops
CCarvacho@cenzic.com


June 16, 2009
Read more articles in  Application Security News

Cenzic 6.0 Product Launch for Software & Cloud Computing Options

Cenzic announces the latest launch of its software and cloud computing products that protect Websites against hacker attacks

Today’s launch day here at Cenzic – we have the latest releases for both our software and cloud computing products that will help you better protect your Websites from hackers.

Cenzic's 6.0 Product Suite (Click-to-Secure, Hailstorm Enterprise ARC and Hailstorm Professional) now includes:

  • More self-service capabilities for SaaS customers
  • Significant enhancements to vulnerability findings in Web 2.0 technologies such as Ajax and Flash
  • Real-time monitoring of application assessments with actionable results
  • Integration with Imperva’s SecureSphere Web Application Firewall allowing for the export of assessment results
  • User interface and dashboard improvements for ease of use and manageability
  • Full support for CVE and CWE IDs maintained by MITRE
  • Increased scalability with parallel processing to allow for running multiple assessments
  • Improved spidering features to strengthen application coverage
  • Integration with IBM Rational ClearQuest

So take a test drive of our latest product suite today!

by
Erin Swanson, Marketing
Eswanson@cenzic.com

June 12, 2009
Read more articles in  Cenzic SmartAttack Updates for Web Vulnerabilities

Cenzic Detects an Apache Tomcat Authentication Vulnerability

An Apache Tomcat Authentication Vulnerability is now detectable in the Cenzic Web Server SmartAttack

As of June 12, 2009, Cenzic can detect the Apache Tomcat Form Authentication Existing/Non-Existing Username Enumeration Weakness Vulnerability (BugtraqID 35196).  Apache Tomcat is prone to a username-enumeration weakness because it displays different responses to login attempts, depending on whether or not the username exists.  Attackers may exploit this weakness to discern valid usernames. This may aid them in brute-force password cracking or other attacks.

by
Erin Swanson
Eswanson@cenzic.com


June 11, 2009
Read more articles in  Web Application Security Insights

Last Chance to Ask Forrester Analyst About Web Security

Attend today’s live Web seminar on Web Security and ask Forrester analyst questions

Well, today’s the big day for our live Web seminar on Web security, presented by Forrester analyst Chenxi Wang. Be sure to attend so you can ask her questions about the specifics of why the need is stronger than ever to protect your data.

We look forward to “seeing” you later today!

Forrester Webcast:  5 reasons why you need Web security now

For:  Security professionals in charge of protecting Websites and ensuring regulatory compliance
Date: Thursday, June 11, 2009
Time: 11 am Pacific (2 pm Eastern)
Duration: 1 hour
Cost: Complimentary
Presenters:  
Chenxi Wang, Senior Analyst at Forrester Research and
Mandeep Khera, CMO of Cenzic

by
Erin Swanson
Eswanson@cenzic.com

June 05, 2009
Read more articles in  Cenzic SmartAttack Updates for Web Vulnerabilities

Cenzic Detects an Apache Tomcat Denial of Service Vulnerability

An Apache Tomcat Denial of Service Vulnerability is now detectable in the Cenzic Web Server SmartAttack

As of June 5, 2009, Cenzic can detect the Apache Tomcat Java AJP Connector Invalid Header Denial of Service Vulnerability (BugtraqID 35193). Apache Tomcat is prone to a denial-of-service vulnerability. Attackers can exploit this issue and cause the server to end up in an error state, denying service to legitimate users.

by
Erin Swanson
Eswanson@cenzic.com


June 04, 2009
Read more articles in  Application Security News

SANSFire 2009: Learn Latest Web Security Trends

Attend the SANSFire 2009 event in Baltimore to learn the latest Web security trends

It’s that time of year again – June means you’ve got to attend the 2009 SANSFire event to learn the latest trends in Web security. If you’re in Baltimore, be sure to stop by the Cenzic booth #14, as we’ll be giving away $50 AmEx gift cards, free Web security scans of your Website (up to 50 pages), and iTunes music.

Oh, and we’re also sponsoring a lunch and learn – eat while learning about the latest hacking techniques.

Event Details
SANSFire 2009, June 16-17, 2009
http://www.sans.org/sansfire09/event.php

Venue
Hilton Baltimore
401 West Pratt Street
Baltimore, MD 21201 US
Phone: 443-573-8700

Vendor Expo 
Cenzic will be at Booth # 14
Tuesday, June 16: 12:00pm - 1:30pm and
5:00pm - 7:30pm
Wednesday, June 17: 7:00am - 8:30am * NEW TIME!

Cenzic Lunch & Learn
12:30-1:15 pm on June 17 in Room Billie Holiday 5
Hacking 101: How Hackers Attack your Website and the Common Mistakes to Avoid

What are some of the latest attacks Hackers use to exploit Websites? With 400 new Web vulnerabilities a month (and growing) - you need to keep ahead of the hacker curve and address these attacks and security concerns head-on!

Attend this interactive Cenzic Lunch & Learn demo to see examples of some of the most complicated Web application attacks used by hackers, and learn the ways you can prevent hacker attacks.

by
Angel Oberoi
Angel@cenzic.com


June 03, 2009
Read more articles in  Web Application Security Insights

PCI Compliance Roundtable from PaulDotCom

Listen to PCI compliance roundtable discussion hosted by PaulDotCom

Check out this hour-long podcast on PCI Compliance - Good Luck or Good Riddance, hosted by PaulDotCom. It’s a great dialogue between the host and the panel speakers.

PCI Roundtable Speakers:

  • Ron Gula, Tenable Network Security
  • Mandeep Khera, Cenzic
  • Martin McKeay, Network Security Podcast
  • Rich Mogull, Network Security Podcast/Securosis
  • Anton Chuvakin, Qualys

Questions For Discussion:

  1. What elements of PCI really help organizations protect sensitive information?
  2. I have been certified as PCI compliant, I'm secure right?
  3. Does PCI do more harm than good by giving people a false sense of security?
  4. If you could make one improvement to PCI, what would it be?
  5. Prescriptive compliance vs outcome-based compliance
  6. Who do you fear more, hacker or auditor?
  7. Does risk belong in compliance?
  8. Where is value in compliance - in prescribing what to do or in motivating people to do SOMETHING?

by
Erin Swanson
Eswanson@cenzic.com

June 02, 2009
Read more articles in  Web Application Security Insights

SQL Injection Video

Watch one of the best 3 minute videos on a SQL Injection attack

After hearing 2 stories today (US Army Websites Hacked and Hackers Hit 40,000 Websites) about the plethora of Websites being hit with SQL Injection attacks, I thought this video was very appropriate.

In a mere 3 minutes, you’ll see a great example of how this attack works. The hacker first attempts to log into a University Website using a userid and password to elicit an error message. Once the error message is displayed, he goes into the source code to make changes to the settings, allowing him to access the site off-line using his credentials. The hacker now has full access to the entire database of students – grades, social security numbers, and dates of birth.

And here's some information on testing for a SQL Injection vulnerability from About.com. 
 
by
Erin Swanson
Eswanson@cenzic.com