What's New | Cenzic Security Blog

ISC2 Security Leadership Event

Mon, 08 Feb 2010 16:46:46 -0500

Attend the ISC2 Security Leadership event tomorrow in San Jose, CA

If you happen to be in the heart of Silicon Valley on February 9, 2010, then attend the ISC2 Security Leadership event at the Double Tree Hotel in San Jose, CA.

The all-day event (9-5 pm) will focus on how to measure your security success (or failure), so be prepared to hear ways you can explore methods for determining how well you’re managing the limited labor, capital, and technology resources.

Event Details:

ISC2 Security Leadership Seminar

Title: Fact not FUD: Managing What You Can Measure
Date: Tuesday, February 9, 2010
Time: 9 – 5 PM
Location: Double Tree Hotel in San Jose, CA

See you there tomorrow!

by
Angel Oberoi, Marketing
Angel@cenzic.com

Cyber Security Predictions for the Next Decade

Mon, 08 Feb 2010 16:28:22 -0500

Top 5 cyber security predictions for the upcoming decade

Enterprise Systems Magazine just published my top 5 cyber security predictions for the upcoming decade and I wanted to share them with you. I hope you enjoy them … and please send any comments my way as well.

Top 5 Cyber Security Predictions for the next 10 years:

Despite government efforts, cyber war will be more common with more severe Web application attacks. We’ve been predicting cyber wars for a couple of years and have started to see significant incidents in 2009. In addition, hackers will target telecommunications and utility infrastructures of key nations.
Social network sites like Facebook and Twitter will continue to be targeted for attacks due to their popularity and usage. Game changing social networking apps will emerge each with a unique set of security challenges. Social networking will become even more prevalent as hackers go after these user bases looking for personal financial information to enable them to siphon money from bank accounts and credit cards. Data from social networks will also give rise to increased identity theft as hackers sort through social networks to gather clues to unlock passwords and steal identities.
The rise in Smartphone use, particularly the popularity of specific phones (i.e. the iPhone), begets an escalation in mobile app use as more and more people use phone apps to enhance both their business and personal worlds. These downloadable apps will increasingly become a target for hackers who see millions of potential targets, most of which use a Web infrastructure for hackers to exploit.
Cloud computing will become more prevalent as organizations try to optimize their infrastructure to streamline costs. However, inherent security risks are synonymous with Cloud computing, as hackers will target Cloud providers.
The collective security consciousness will be raised. Businesses large and small will adopt technologies to secure their Websites, regulations will be developed, and fines increased. Universities will make security, especially application security, a mandatory requirement for all development courses and there will be more regulations around cyber security including increases in fines to companies found negligent along with more severe criminal punishment for hackers. Yet, hackers will also become more organized and sophisticated.

by
Mandeep Khera, CMO
Mandeep@cenzic.com

Cenzic Detects an Apache Integer Overflow Vulnerability

Fri, 05 Feb 2010 15:49:36 -0500

Weekly product update – Cenzic detects an Apache Integer Overflow Vulnerability

As of February 5, 2010 Cenzic now detects an Apache 1.3 mod_proxy HTTP Chunked Encoding Integer Overflow Vulnerability (BugtraqID 37966). An attacker can exploit the Apache remote integer overflow vulnerability and execute arbitrary code. Successful exploits will compromise affected computers. Failed exploit attempts will result in a denial-of-service condition. Note that this issue affects platforms on which 'sizeof(int)' is less than 'sizeof(long)'. In particular, this occurs on some 64-bit architectures. Versions prior to Apache 1.3.42 are vulnerable.

Background on Cenzic’s SmartAttacks
Every week, Cenzic’s suite of products is updated with the latest vulnerabilities (custom, commercial, and open-source) to better detect "holes" in Web applications. These Web application vulnerabilities include (but not limited to) cross site scripting, buffer overflow, path or directory traversal, SQL injection, HTTP response splitting, and other workflow types.

by
Erin Swanson
Eswanson@cenzic.com

SANS Application Security 2010 Conference

Wed, 03 Feb 2010 18:16:18 -0500

We hope to see you at the SANS Application Security 2010 Conference in San Francisco

I just got back from the cocktail reception that kicked off the SANS Application Security Conference held at the Sheraton Fisherman’s Wharf Hotel in San Francisco this year.

So stop tomorrow (Feb 4) for a free lunch at 12:30 PM in the President’s Ballroom and hear our esteemed CTO, Lars Ewe, present on “AJAX: The Truth Behind the Hype”. Lars is also a panelist in the SANS vendor tools shootout (along with IBM and Vericode) at 4:30 PM.

Some of the things you’ll learn at the SANS Application Security Conference include:

The essentials of a comprehensive Web site security program and how to secure a Website
The most current information on Web hacking techniques and how to guard against these prevalent Web vulnerabilities
Unique procurement practices that will help manage application security outsourcing and improve application security
The confessions of a professional Web application hacker
What your peers are doing to secure their Web applications and Web application best practices
What tools are available and how do they compare? Which tools should you have in your security toolbox to ensure your applications are locked up tight.

Looking forward to seeing you there!

by
Angel Oberoi
Angel@cenzic.com

2010 Cyber Security Expo

Tue, 02 Feb 2010 21:07:58 -0500

Attend the 2010 Cyber Security in Washington DC today and tomorrow

February 2-3, 2010 marks the annual Cyber Security Expo in Washington DC this week. So if you’re in town, stop by the Cenzic booth #52 and attend the show to learn about cyber security threats / vulnerabilities and defensive capabilities available. The event is located at the Ronald Reagan Building & International Trade Center.

by
Angel Oberoi
Angel@cenzic.com

Cenzic Detects 3 Apache Tomcat Vulnerabilities

Fri, 29 Jan 2010 14:38:01 -0500

Weekly product update – Cenzic detects 3 Apache Tomcat Vulnerabilities

As of January 29, 2010 Cenzic now detects 3 Apache Tomcat vulnerabilities in its product suite. All of the vulnerabilities affect the following Apache versions:

Tomcat 5.5.0 through 5.5.28
Tomcat 6.0.0 through 6.0.20

Apache Tomcat Directory Host Appbase Authentication Bypass Vulnerability (BugtraqID 37942)
Apache Tomcat is prone to an authentication-bypass vulnerability. An attacker can gain unauthorized access to files and directories. Successful exploits may lead to other attacks.
Apache Tomcat WAR File Directory Traversal Vulnerability (BugtraqID 37944)
Apache Tomcat is prone to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input. Exploiting this issue allows attackers to delete or overwrite arbitrary files within the context of the webserver.
Apache Tomcat Host Working Directory WAR File Directory Traversal Vulnerability (BugtraqID 37945),
Apache Tomcat is prone to a directory-traversal vulnerability because the application fails to sufficiently sanitize user-supplied input. Exploiting this issue allows attackers to delete arbitrary files within the context of the current working directory.

Background on Cenzic’s SmartAttacks
Every week, Cenzic’s suite of products is updated with the latest vulnerabilities (custom, commercial, and open-source) to better detect "holes" in Web applications. These Web application vulnerabilities include (but not limited to) cross site scripting, buffer overflow, path or directory traversal, SQL injection, HTTP response splitting, and other workflow types.

by
Erin Swanson
Eswanson@cenzic.com

OWASP, Risk, & the Adult Film Industry

Fri, 29 Jan 2010 13:26:36 -0500

What do the OWASP Bay Area chapter, risk, and the adult film industry have in common?

You don’t know what these 3 things have in common? Are you serious? Where do I start? Long story short, I was looking for a funny way to introduce my presentation on application security risk at the Bay Area OWASP event a couple of weeks ago. After all it was late in the evening and I was seriously concerned that folks might fall asleep on me. Never a very encouraging thing when you present. In any event, after talking to some colleagues of mine prior to my presentation a great idea occurred to me (or so I thought at the time).

So I informed the audience that I just returned from Cenzic’s 2010 sales kick off meeting at the Venetian Hotel in Las Vegas, NV which happened to coincide with the Adult Film Industry Conference. And all that visual stimulation gave me the idea to create my presentation slides on risk and how to “measure” risk (get it?) and how Cenzic arrived at our HARM score (Hailstorm Application Risk Metric).

OK – I’m the first one to admit, it was sort of cheesy. But I was hoping they’d humor me with a few grunts of laughter instead of snoring. All I got was crickets. Then one hand rose out of the crowd and asked, “Were you in Vegas during the Consumer Electronics Show?” Hmm, so I guess the audience was way more easy than I had thought they’d be. No need to talk about what’s new in the adult film industry, just a good discussion around web application risk management. So my presentation wasn’t boring after all. Glad I had such an easy audience. ;-) And I’m happy to say that I didn’t notice anybody snoring…

In any event, if you’d like a copy of my slides on how Cenzic quantifies risk analysis in Web applications, contact marketing for the PDF file (eswanson@cenzic.com).

by
Lars Ewe, CTO
Lars@cenzic.com

Adam Meyers, Sr Cyber Security Engineer at SRA International Featured on Application Security MythBusters Series

Thu, 28 Jan 2010 21:18:38 -0500

Podcast on application security MythBusters featuring Adam Meyers

As part of its Application Security MythBusters series, Cenzic interviewed Adam Meyers, a security expert from SRA International.

When Cenzic’s Chief Marketing Officer, Mandeep Khera, asks Adam about his general observation of the state of Web application security, he believes that awareness is improving, but gaps still exist.

He agrees that all the following are the big myths in Web application security, including:

SSL is the "end all / be all" protection against hacker attacks
PCI Compliance is just a check box
You're safe if your company has never been hacked
Application security is costly and extremely hard to implement

Listen to the full 7.5 minute podcast today!

If you have any other questions or topic suggestions about the latest myths out there, send an email to: MythBusters@cenzic.com

by
Erin Swanson, Marketing
Eswanson@cenzic.com

Web Application Security Press for Cenzic

Thu, 28 Jan 2010 14:37:58 -0500

Cenzic had a busy week in the press with lots of Web application security news

Cenzic issued 3 press releases this week, all focused on Web application security and celebrating today’s Data Privacy Day.

Monday featured our “Perfect Storm” story on how cyber attacks will significantly increase due to the number of new applications using Web 2.0 technologies and vulnerabilities.

Cenzic announced on Tuesday that we’d scan any charitable Website collecting funds for Haiti relief, extending our “No Website Left Behind” program.

And finally, as a way to celebrate today’s Data Privacy Day, we are offering a free Website “HealthCheck” to any company who wants to test their security posture.

Here’s a summary of the releases – we hope you take advantage of our offers soon.

January 27, 2010
Cenzic Offers Free Website "HealthCheck" In Support of Data Privacy Day
January 26, 2010
Cenzic Extends "No Website Left Behind" Program to Include Any Charitable Site Collecting Funds for Haiti Relief
January 25, 2010
"Perfect Storm" Forming for Cyberattacks in the Next Decade

by
Erin Swanson
Eswanson@cenzic.com

Cost of a Data Breach: 2010 Ponemon Report

Tue, 26 Jan 2010 21:50:22 -0500

Download 2010 Ponemon report on the latest cost of a data breach

The 2010 Ponemon Report was issued yesterday on the cost of a data breach and guess what … that number just got larger: from $6.6 million to $6.75 million.

For the entire 2009 year, malicious criminal attacks have doubled and the average cost of a data breach has increased from $202 to $204 per compromised record.

Download the 37 page PDF report today and read all the dirty details yourself.

by
Erin Swanson
Eswanson@cenzic.com

Cenzic Detects a Java System Web Server Remote Code Execution Vulnerability

Fri, 22 Jan 2010 14:20:29 -0500

Weekly product update – Cenzic detects a Java System Web Server Remote Code Execution Vulnerability

As of January 22, 2010 Cenzic now detects a Java System Web Server Remote Code Execution Vulnerability (BugtraqID 37641). Sun Java System Web Server is prone to a remote code execution vulnerability. Attackers can exploit this issue to execute code within the context of the affected application. Sun Java System Web Server 7.0 Update 6 is vulnerable, however other versions may also be affected.

by
Erin Swanson
Eswanson@cenzic.com

RSA 2010: Web Security Coming Early

Fri, 22 Jan 2010 13:06:55 -0500

Attend the annual RSA 2010 event to learn the latest in Web security

Occurring earlier than usual in the year, the RSA 2010 event commences on March 1-5, 2010 at the Moscone Center in San Francisco.

Drop by the Cenzic booth (#2624) for some literature, product demonstrations, and great conversation regarding Web security.

by
Angel Oberoi, Marketing
Angel@cenzic.com

Rob Pate, CISO of Renesys Featured on Application Security MythBusters Series

Tue, 19 Jan 2010 18:48:05 -0500

Podcast on application security MythBusters featuring Rob Pate

As part of its Application Security MythBusters series, Cenzic interviewed Rob Tate, the CISO at Renesys.

When Cenzic’s Chief Marketing Officer, Mandeep Khera, asks Rob about his general observation about the state of Web application security, he answers “poor”.

Mr. Pate claims that poorly designed applications in the market space have led to a spike in data breaches. Despite the industry moving in the right direction in terms of improved processes, there isn't much light at the end of the tunnel.

In order for middle managers to convice upper management to provide adequate budget for Web application security, Mr. Pate suggests three things:

Education – everyone who has a vested interest in security needs to be properly educated about the risks inherent to Website security
Metrics – middle management must have a way to measure progress towards a security goal
ROI – once metrics are in place, an ROI is far easier to establish, or at the very least, a decent case can be made for such investment dollars.

Listen to the full 8 minute podcast today!

If you have any other questions or topic suggestions about the latest myths out there, send an email to: MythBusters@cenzic.com

by
Erin Swanson, Marketing
Eswanson@cenzic.com

Web Seminar: Practical Web Application Pen Testing Kung Fu

Mon, 18 Jan 2010 18:49:13 -0500

Attend this Web seminar hosted by PaulDotCom on Practical Web Application Pen Testing Kung Fu

If you are a Web application tech geek, then you’ve got attend this live Web Seminar on Pen Testing Kung Fu presented by PaulDotCom.

In this event, John & Paul will help you perform more successful web application penetration testing. You’ll learn how to balance automated tools with manual testing, strike vulnerabilities with the highest chance of exploitation, and more! Our own CTO and VP of Engineering, Lars Ewe, will also be a featured speaker.

So please attend!

Date:
Tuesday, January 26, 2010

Time:
2:00 - 3:00 PM EST

by
Erin Swanson
Eswanson@cenzic.com

Cenzic Detects a Java System Information Disclosure Vulnerability

Fri, 15 Jan 2010 17:33:35 -0500

Weekly product update – Cenzic detects a Java System Information Disclosure Vulnerability

As of January 15, 2010 Cenzic now detects a Sun Java System Web Server Information Disclosure Vulnerability (BugtraqID 37648). The Sun Java System Web Server is prone to a remote information-disclosure vulnerability. Attackers can exploit this issue to obtain potentially sensitive information that may aid in further attacks. Sun Java System Web Server 7.0U6 is vulnerable, however other versions may also be affected.

by
Erin Swanson
Eswanson@cenzic.com

What's New | Cenzic Security Blog

ISC2 Security Leadership Event

See Also

Cyber Security Predictions for the Next Decade

See Also

Cenzic Detects an Apache Integer Overflow Vulnerability

See Also

SANS Application Security 2010 Conference

See Also

2010 Cyber Security Expo

See Also

Cenzic Detects 3 Apache Tomcat Vulnerabilities

See Also

OWASP, Risk, & the Adult Film Industry

Adam Meyers, Sr Cyber Security Engineer at SRA International Featured on Application Security MythBusters Series

See Also

Web Application Security Press for Cenzic

See Also

Cost of a Data Breach: 2010 Ponemon Report

See Also

Cenzic Detects a Java System Web Server Remote Code Execution Vulnerability

See Also

RSA 2010: Web Security Coming Early

See Also

Rob Pate, CISO of Renesys Featured on Application Security MythBusters Series

See Also

Web Seminar: Practical Web Application Pen Testing Kung Fu

See Also

Cenzic Detects a Java System Information Disclosure Vulnerability

See Also