What's New | Cenzic Security Blog

Cenzic Detects an Apache Denial of Service Vulnerability

Fri, 12 Mar 2010 14:29:47 -0500

Weekly product update – Cenzic detects an Apache Denial of Service Vulnerability

As of March 12, 2010 Cenzic now detects an Apache mod_proxy_ajp Module Incoming Request Body Denial Of Service Vulnerability (BugtraqID 38491). Successful exploits may allow remote attackers to cause denial-of-service conditions.

Background on Cenzic’s SmartAttacks
Every week, Cenzic’s suite of products is updated with the latest vulnerabilities (custom, commercial, and open-source) to better detect "holes" in Web applications. These Web application vulnerabilities include (but not limited to) cross site scripting, buffer overflow, path or directory traversal, SQL injection, HTTP response splitting, and other workflow types.

by
Erin Swanson
Eswanson@cenzic.com

Dan Shoemaker Featured on Application Security MythBusters Series

Mon, 08 Mar 2010 21:18:55 -0500

Podcast on application security MythBusters featuring Dan Shoemaker, co-chair at the Dept. of Homeland Security and professor at Univ. of Detroit Mercy

As part of its Application Security MythBusters series, Cenzic interviewed Dan Shoemaker, Co-Chair at the Department of Homeland Security and Professor at the University of Detroit Mercy. When Cenzic’s Chief Marketing Officer, Mandeep Khera, asks Dan about his general observation of the state of Web application security, he answers in one word: Abysmal.

Dr. Shoemaker believes our nation is poised for a cyber security “9/11” type of attack based on the insecure state of our Web applications. And if you’ve never been hacked, it’s like your company is an innocent lamb; a big target for the hacker wolves out there.

He also tells a story about a large company (to remain nameless) that got hacked with the Slammer Virus on a Friday night. But they reacted quickly and fixed the problem by Monday morning to the tune of $2M. However, if the hacked would’ve occurred on a Tuesday, the costs to fix the attack would’ve skyrocketed to $100M. So they were “lucky” based on the timing of attack.

Take home message: become a wolf or you’ll be quickly eaten by one.

Listen to the full 11 minute podcast today!

If you have any other questions or topic suggestions about the latest myths out there, send an email to: MythBusters@cenzic.com

by
Erin Swanson, Marketing
Eswanson@cenzic.com

Cenzic Detects a PHP Validation Restriction-Bypass Vulnerability

Fri, 05 Mar 2010 12:21:58 -0500

Weekly product update – Cenzic detects a PHP Validation Restriction-Bypass Vulnerability

As of March 5, 2010 Cenzic now detects a PHP 'tempnam()' 'safe_mode' Validation Restriction-Bypass Vulnerability (BugtraqID 38431). Successful exploits allow attackers to access files in unauthorized locations or create files in any writable directory. This vulnerability is an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code; the 'safe_mode' restrictions are assumed to isolate users from each other. PHP 5.2.12 and prior versions are affected.

by
Erin Swanson
Eswanson@cenzic.com

Cenzic Hailstorm 6.5 Release

Thu, 04 Mar 2010 16:28:17 -0500

Find out the latest features and benefits in the Cenzic Hailstorm 6.5 release

We just announced our latest 6.5 release on our Cenzic Hailstorm software product suite today.

You can download the “What’s New in Cenzic Hailstorm 6.5” brochure to read more about the following:

Open API enables enterprise integrations to other applications
Significant web crawling improvements, which allow customers to initiate comprehensive security scans against a wider variety of Web applications built with diverse web technologies
Enhanced enterprise capabilities such as asynchronous execution engines, floating licensing and logging improvements
Improved user interface for easier group workflow and highlighting additional details on assessments, severity levels, and user comments

Free Customer Training

If you are already a customer, be sure to sign up for our customer training on Thursday, March 18 at 11 AM Pacific. Jon Zucker, our product management guru, will walk you through all the important features. Expect an email invite by next week.

by
Erin Swanson
Eswanson@cenzic.com

Web Application Security Trends Report

Tue, 02 Mar 2010 18:09:50 -0500

Read the latest stats on the Web application security trends for the last half of 2009

We’re happy to announce Cenzic’s latest Web Application Security Trends Report – findings from Q3-Q4 2009.

The report, which illustrates trends among thousands of corporations, financial institutions and government agencies, incorporates findings from Cenzic’s leading-edge managed security assessment (SaaS) and research from Cenzic Intelligent Analysis (CIA) Labs.

Some of the key findings include:

82 percent of the total reported vulnerabilities affected Web technologies, such as Web servers, applications, Web browsers, Plugins and ActiveX, which is a significant increase from earlier in the year.
Of Web browser vulnerabilities Firefox had the largest percentage, at 44 percent but the browser also had the best patch ratio. Internet Explorer vulnerabilities came in at 25 percent.
Adobe, Sun and HP continue to be among the Top 10 vendors having the most severe vulnerabilities for the second half of 2009.

To download a PDF version of the Q3-Q4 2009 Trend Report, please visit:
http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q3-Q4-2009.pdf

For a hard copy of the full report you can also visit Cenzic at the RSA Conference in San Francisco from March 1-5 at booth #2624.

by
Mandeep Khera, CMO
Mandeep@cenzic.com

RSA Conference 2010 Reception

Tue, 02 Mar 2010 17:07:41 -0500

RSVP to attend the RSA Conference 2010 reception on Wednesday, March 3 at Jillians’ Bar & Billiards Lounge

Please join us for the RSA Conference 2010 reception on Wednesday, March 3 at Jillians’ Bar & Billiards Lounge in the Metreon – located on Level One, immediately adjacent to the Moscone Convention Center.

RSVP to reserve your spot:
Email: aoberoi@cenzic.com
Phone: (408) 200-0742

Tickets will also be available on a first-come, first serve basis at the Cenzic booth (#2624) at the RSA Conference.

Reception Details:

Date: Wednesday, March 3, 2010
Time: 9 PM to Midnight
Location: Jillian’s Bar & Billiards Lounge
101 Fourth Street
San Francisco, CA 94103

by
Angel Oberoi, Marketing
Angel@cenzic.com

Cenzic Detects a Sun Java System App Server HTTP TRACE Information Disclosure Vulnerability

Fri, 26 Feb 2010 12:55:14 -0500

Weekly product update – Cenzic detects a Sun Java System App Server HTTP TRACE Information Disclosure Vulnerability

As of February 26, 2010 Cenzic now detects a Sun Java System App Server HTTP TRACE Information Disclosure Vulnerability (BugtraqID 37995). The Sun Java System Application Server is prone to a remote information-disclosure vulnerability. Attackers can exploit this issue to obtain potentially sensitive information that can aid in further attacks.

by
Erin Swanson
Eswanson@cenzic.com

Cenzic Detects a Sun Java System Web Server Denial Of Service Vulnerability

Fri, 19 Feb 2010 21:13:41 -0500

Weekly product update – Cenzic detects a Sun Java System Web Server Denial Of Service Vulnerability

As of February 19, 2010 Cenzic now detects a Sun Java System Web Server 'admin' Server Denial of Service Vulnerability (BugtraqID 37909). An attacker can exploit this issue to crash the effected application, denying service to legitimate users. Sun Java System Web Server 7.0 Update 6 is affected; other versions may also be vulnerable.

by
Erin Swanson
Eswanson@cenzic.com

OWASP Feb 25 Meeting: SAP, Fujitsu, PARC, Stanford, Berkeley Presenting

Thu, 18 Feb 2010 19:16:44 -0500

Attend the latest OWASP meeting to hear insights on Web application security from SAP, Fujitsu, PARC, Stanford, and Berkeley

Make a trip to Sunnyvale next week to attend the OWASP Bay Area meeting where we’ve invited the top security professionals from SAP, Fujitsu, PARC, Stanford, and Berkeley to share their insights on the latest Web application security trends.

As you know, the attendance is free and some food and a few alcoholic beverages will be provided. However, please note: due to security issues at the location site (Fujitsu Offices), you must pre-register for the event! The registration desk will also ask for your citizen / permanent residence status*. Badges will be ready at the check-in lobby for pre-registered attendees. You can't enter the meeting room without a badge.

Register Today (space is limited and going fast)
http://owaspbayarea-feb2010.eventbrite.com/

Event Details

Date: Thursday, February 25, 2010
Time: 1 – 8 PM
Location:
Fujitsu Sunnyvale Campus (Building H)
1250 E. Arques Avenue
Sunnyvale, CA 94085

Agenda

1:00-1:15 PM	Check-in, registration, networking
1:15-1:30 PM	Welcome Remarks and Overview of OWASP Bay Area Mandeep Khera, Bay Area Chapter Leader, Cenzic
1:30-2:15 PM	Keynote Vishal Sikka, CTO, SAP
2:15-3:00 PM	WebBlaze: New Techniques and Tools for Web Security Dawn Song, Associate Professor, UC Berkeley
3:00-3:30 PM	Networking Break, refreshments
3:30-4:00 PM	State of the Art: Automated Black Box Web App Testing John Mitchell, Professor & Jason Bau, PH.D. Candidate Stanford University
4:00-4:30 PM	Controlling Data in the Cloud: Outsourcing Computation without Outsourcing Control Richard Chow, PARC
4:30–5:00 PM	Presentation Title, TBD Praveen Murthy, Fujitsu
5:00-6:00 PM	Panel Discussion Application Security Issues: Cloud Security, Inertia, and the Future Q&A from the audience
6:30-8:00 PM	Networking Reception - Dinner and Drinks!

Special thanks to Sree Rajan of Fujitsu for hosting this event and to Cenzic, AppSec Consulting, and Fujitsu for sponsoring.

*Fujitsu Policy: Please note that you will be asked to sign and write down your country of citizenship in order to comply with US Customs regulations and C/TPAT (Customs Trade Partnership Against Terrorism) certifications. As part of the compliance, we regrettably are not able to allow attendance to those who hold the citizenship of Cuba, Iran, North Korea, Sudan, or Syria without a US Green Card. We sincerely apologize for any inconvenience this may cause.

by
Mandeep Khera, CMO at Cenzic
Mandeep@cenzic.com

Cenzic Detects an IBM WAS Security Bypass Vulnerability

Fri, 12 Feb 2010 18:24:36 -0500

Weekly product update – Cenzic detects an IBM WAS Security Bypass Vulnerability

As of February 12, 2010 Cenzic now detects an IBM WebSphere Application Server 'Requires SSL' Option Security Bypass Vulnerability (BugtraqID 38122). IBM WebSphere Application Server (WAS) is prone to a security-bypass vulnerability. Successful exploits allow attackers to bypass certain security restrictions, which may lead to other attacks. This issue affects WAS 7.0 through 7.0.0.8.

Have a great 3-day weekend everyone!

by
Erin Swanson
Eswanson@cenzic.com

Web Vulnerability Scanner Comparison

Wed, 10 Feb 2010 22:55:08 -0500

Remarks on the recent Web vulnerability scanner comparison by Larry Suto

Larry Suto has recently released a report comparing various Web vulnerability scanner products. I’d like to thank Larry for his efforts and also point out that Cenzic encourages such comparisons, as they help users make more informed decisions.

That being said, some of the Larry’s results sparked our interest and raised a few questions. As with any software product, results depend on how it’s configured and what assumptions are made. Our Hailstorm product is being used by hundreds of customers who are extremely pleased with the results while testing thousands of applications on a monthly basis. So we ran some of the test ourselves against the same target applications in an effort to better understand all of Larry’s findings.

Cenzic is a product of its innovation and responsiveness to our customers’ needs. We’ve always been (and continue to be) highly committed to on-going product improvements (where warranted), so we’re eager to learn as much from this report as possible. Interestingly enough, however, our own results were somewhat different than Larry’s findings. We're in current discussions with Larry to better understand how he configured the product and confirm his assumptions versus our own. Hopefully I’ll be able to provide an update on that soon.

by
Lars Ewe, CTO
Lars@cenzic.com

ISC2 Security Leadership Event

Mon, 08 Feb 2010 16:46:46 -0500

Attend the ISC2 Security Leadership event tomorrow in San Jose, CA

If you happen to be in the heart of Silicon Valley on February 9, 2010, then attend the ISC2 Security Leadership event at the Double Tree Hotel in San Jose, CA.

The all-day event (9-5 pm) will focus on how to measure your security success (or failure), so be prepared to hear ways you can explore methods for determining how well you’re managing the limited labor, capital, and technology resources.

Event Details:

ISC2 Security Leadership Seminar

Title: Fact not FUD: Managing What You Can Measure
Date: Tuesday, February 9, 2010
Time: 9 – 5 PM
Location: Double Tree Hotel in San Jose, CA

See you there tomorrow!

by
Angel Oberoi, Marketing
Angel@cenzic.com

Cyber Security Predictions for the Next Decade

Mon, 08 Feb 2010 16:28:22 -0500

Top 5 cyber security predictions for the upcoming decade

Enterprise Systems Magazine just published my top 5 cyber security predictions for the upcoming decade and I wanted to share them with you. I hope you enjoy them … and please send any comments my way as well.

Top 5 Cyber Security Predictions for the next 10 years:

Despite government efforts, cyber war will be more common with more severe Web application attacks. We’ve been predicting cyber wars for a couple of years and have started to see significant incidents in 2009. In addition, hackers will target telecommunications and utility infrastructures of key nations.
Social network sites like Facebook and Twitter will continue to be targeted for attacks due to their popularity and usage. Game changing social networking apps will emerge each with a unique set of security challenges. Social networking will become even more prevalent as hackers go after these user bases looking for personal financial information to enable them to siphon money from bank accounts and credit cards. Data from social networks will also give rise to increased identity theft as hackers sort through social networks to gather clues to unlock passwords and steal identities.
The rise in Smartphone use, particularly the popularity of specific phones (i.e. the iPhone), begets an escalation in mobile app use as more and more people use phone apps to enhance both their business and personal worlds. These downloadable apps will increasingly become a target for hackers who see millions of potential targets, most of which use a Web infrastructure for hackers to exploit.
Cloud computing will become more prevalent as organizations try to optimize their infrastructure to streamline costs. However, inherent security risks are synonymous with Cloud computing, as hackers will target Cloud providers.
The collective security consciousness will be raised. Businesses large and small will adopt technologies to secure their Websites, regulations will be developed, and fines increased. Universities will make security, especially application security, a mandatory requirement for all development courses and there will be more regulations around cyber security including increases in fines to companies found negligent along with more severe criminal punishment for hackers. Yet, hackers will also become more organized and sophisticated.

by
Mandeep Khera, CMO
Mandeep@cenzic.com

Cenzic Detects an Apache Integer Overflow Vulnerability

Fri, 05 Feb 2010 15:49:36 -0500

Weekly product update – Cenzic detects an Apache Integer Overflow Vulnerability

As of February 5, 2010 Cenzic now detects an Apache 1.3 mod_proxy HTTP Chunked Encoding Integer Overflow Vulnerability (BugtraqID 37966). An attacker can exploit the Apache remote integer overflow vulnerability and execute arbitrary code. Successful exploits will compromise affected computers. Failed exploit attempts will result in a denial-of-service condition. Note that this issue affects platforms on which 'sizeof(int)' is less than 'sizeof(long)'. In particular, this occurs on some 64-bit architectures. Versions prior to Apache 1.3.42 are vulnerable.

Background on Cenzic’s SmartAttacks
Every week, Cenzic’s suite of products is updated with the latest vulnerabilities (custom, commercial, and open-source) to better detect "holes" in Web applications. These Web application vulnerabilities include (but not limited to) cross site scripting, buffer overflow, path or directory traversal, SQL injection, HTTP response splitting, and other workflow types.

by
Erin Swanson
Eswanson@cenzic.com

SANS Application Security 2010 Conference

Wed, 03 Feb 2010 18:16:18 -0500

We hope to see you at the SANS Application Security 2010 Conference in San Francisco

I just got back from the cocktail reception that kicked off the SANS Application Security Conference held at the Sheraton Fisherman’s Wharf Hotel in San Francisco this year.

So stop tomorrow (Feb 4) for a free lunch at 12:30 PM in the President’s Ballroom and hear our esteemed CTO, Lars Ewe, present on “AJAX: The Truth Behind the Hype”. Lars is also a panelist in the SANS vendor tools shootout (along with IBM and Vericode) at 4:30 PM.

Some of the things you’ll learn at the SANS Application Security Conference include:

The essentials of a comprehensive Web site security program and how to secure a Website
The most current information on Web hacking techniques and how to guard against these prevalent Web vulnerabilities
Unique procurement practices that will help manage application security outsourcing and improve application security
The confessions of a professional Web application hacker
What your peers are doing to secure their Web applications and Web application best practices
What tools are available and how do they compare? Which tools should you have in your security toolbox to ensure your applications are locked up tight.

Looking forward to seeing you there!

by
Angel Oberoi
Angel@cenzic.com

What's New | Cenzic Security Blog

Cenzic Detects an Apache Denial of Service Vulnerability

See Also

Dan Shoemaker Featured on Application Security MythBusters Series

See Also

Cenzic Detects a PHP Validation Restriction-Bypass Vulnerability

See Also

Cenzic Hailstorm 6.5 Release

See Also

Web Application Security Trends Report

See Also

RSA Conference 2010 Reception

See Also

Cenzic Detects a Sun Java System App Server HTTP TRACE Information Disclosure Vulnerability

See Also

Cenzic Detects a Sun Java System Web Server Denial Of Service Vulnerability

See Also

OWASP Feb 25 Meeting: SAP, Fujitsu, PARC, Stanford, Berkeley Presenting

Cenzic Detects an IBM WAS Security Bypass Vulnerability

See Also

Web Vulnerability Scanner Comparison

See Also

ISC2 Security Leadership Event

See Also

Cyber Security Predictions for the Next Decade

See Also

Cenzic Detects an Apache Integer Overflow Vulnerability

See Also

SANS Application Security 2010 Conference

See Also