What's New | Cenzic Security Blog

OWASP Security Spending Report

Thu, 02 Jul 2009 20:05:39 -0400

Read the March 2009 OWASP Security Spending Report

If case you haven’t had a chance to read OWASP’s latest security spending report, I suggest you take a peek over the long holiday weekend.

Key findings of this study are:

Organizations that have suffered a public data breach spend more on security in the development process than those that have not.
Web application security spending is expected to either stay flat or increase in nearly two thirds of companies.
Half of respondents consider security experience important when hiring developers, and a majority provide their developers with security training.
At least 61% of respondents perform an independent third party security review before deploying a Web application while 17% do not (the remainder do not know or do so when requested by customers).

by
Erin Swanson
Eswanson@cenzic.com

SaaS Web Vulnerability Scanning

Thu, 02 Jul 2009 19:48:38 -0400

Read what's new in the 6.0 launch of our SaaS Web vulnerability scanning product – Cenzic ClickToSecure

If you are looking for a Web vulnerability scanning product – either software or SaaS – you should check out Cenzic. We just launched our 6.0 release of both products – Cenzic Hailstorm (software) and Cenzic ClickToSecure (SaaS).

Read what’s new in our SaaS product here. Some feature highlights include:

Pages Visited – Monitors URL Requests during & after Assessment runs
Web Application Firewall (Imperva/SecureSphere) integration
Ability to request Assessments in multiple ways
Ability to run and schedule self Assessments
Improved Web 2.0 support, specifically for Flash and AJAX based Web applications

by
Erin Swanson, Marketing
Eswanson@cenzic.com

What’s New in Our Web Application Security Product, Cenzic Hailstorm 6.0

Tue, 30 Jun 2009 19:31:44 -0400

Read what’s new in our Web application security software products – Cenzic Hailstorm Enterprise ARC and Professional 6.0

Just in case you wanted to read the feature / benefit details about our latest Web application security software release, here’s some information. It will be posted to our Website shortly, and as a customer, you’ll get a hard copy of it in the mail.

It’s been two weeks since our launch and we’ve received nothing but positive praise from our users – so if you haven’t upgraded yet, do so before the July 4th weekend.

by
Erin Swanson, Marketing
Eswanson@cenzic.com

Defining and Detecting HTTP Parameter Pollution

Tue, 30 Jun 2009 11:25:52 -0400

Learn more about HTTP Parameter Pollution and find out ways to detect this latest attack

There’s been a lot chat on Twitter recently about HTTP Parameter Pollution, so I wanted to describe the vulnerability in more detail and how Cenzic can detect it in its latest SmartAttack release.

What is HTTP Parameter Pollution?
An HTTP Parameter Pollution is where an attacker can submit additional parameters to a Web application -- and if these parameters have the same name as an existing parameter -- the Web application may react in one of the following ways -

It may only take the data from the first parameter
It may take the data from the last parameter
It may take the data from all parameters and concatenate them together

Such results enable the attackers to distribute attack payloads across multiple parameters to evade signature-based filters. For more details about the attack, visit this blog post and/or read this recent PowerPoint presentation delivered at an OWASP European meeting.

How to Detect an HTTP Parameter Pollution Vulnerability:
The latest Cenzic SmartAttack walks the traversal and identifies HTTP requests that are candidates for fault injection. For each candidate request, the SmartAttack sends a series of pairs of injected requests with each parameter repeated once with its original value and once with an incorrect value.

If the application gives different responses for the original and the injected injection request, it ensures that the application is blindly looking at the last occurrence of the parameter and the SmartAttack generates a Failure.

by
Erin Swanson
ESwanson@cenzic.com

Cenzic Issues New SmartAttack in 6.0 Release: HTTP Parameter Pollution Vulnerability

Fri, 26 Jun 2009 17:38:02 -0400

The HTTP Parameter Pollution Vulnerability is now detectable in Cenzic’s 6.0 release as a new SmartAttack category

As of June 26, 2009, Cenzic added its 101st SmartAttack to its latest 6.0 product suite: HTTP Parameter Pollution Vulnerability (version 1.0).

Published just a few days back, the HTTP Parameter Pollution Vulnerability is one of the newest ways hackers can exploit Web applications. It pinpoints the anomaly in handling multiple occurrences of the same parameter by various platforms. This vulnerability plays the role of the "enabler", which can be exploited by an attacker to further craft complex and destructive attacks. Due to the devastating nature of this attack, we created a new SmartAttack immediately to enable our customers to detect such vulnerabilities and avoid further attacks.

Web Server Vulnerabilities SmartAttack Update

In this week’s update, we’ve also enhanced our Web Server Vulnerabilities SmartAttack to it can detect the PHP 'exif_read_data()' JPEG Image Processing Denial Of Service Vulnerability (BugtraqID 35440). PHP is prone to a denial-of-service vulnerability in its 'exif_read_data()' function. Successful exploits may allow remote attackers to cause denial-of-service conditions in applications that use the vulnerable function.

Background on Cenzic’s SmartAttacks
Every week, Cenzic’s suite of products is updated with the latest vulnerabilities (custom, commercial, and open-source) to better detect "holes" in Web applications. These Web application vulnerabilities include (but not limited to) cross site scripting, buffer overflow, path or directory traversal, SQL injection, HTTP response splitting, and other workflow types.

by
Erin Swanson
Eswanson@cenzic.com

Black Hat 2009 – Learn the Latest Security Trends

Wed, 24 Jun 2009 17:38:34 -0400

The latest security trends will be highlighted at the Black Hat 2009 event in Vegas

It’s the time of year again to “get your geek on” as the Black Hat 2009 event is gearing up for another amazing display of the coolest security trends in hot Las Vegas, NV.

The conference is held at Caesar’s Palace and starts at 8 AM sharp on Wednesday, July 29 and ends on that Thursday afternoon (July 30).

Be sure to stop by Cenzic’s booth #17 to see our latest product suite release: 6.0.

by
Angel Oberoi
Angel@cenzic.com

Recording on Web Application Security – A Ticking Time Bomb!

Tue, 23 Jun 2009 19:38:45 -0400

Get recording and slides on 5 reasons why you need Web application security now

If you missed the live Forrester event on the 5 top reasons why you need Web application security now, then get the recording and the slides.

Just fill out our short Web registration form to learn:

Complexities around application security
Cost of not doing anything
Easier and cheaper solutions to secure your Web applications in this tough economy

Presenters:
Chenxi Wang, Senior Analyst at Forrester Research and
Mandeep Khera, CMO of Cenzic

by
Angel Oberoi
Angel@cenzic.com

PCI Blues - MasterCard Tightens PCI Compliance Requirements

Fri, 19 Jun 2009 20:23:13 -0400

Level 2 merchants are required to undergo on-site audits for PCI compliance

MasterCard issued new requirements for PCI compliance for Level 2 merchants -- they will soon be required to do an annual on-site audit. This used to be a requirement for Level 1 merchants only. Level 1 merchants are retailers doing more than 6 million credit card transactions a year where as Level 2 merchants do between 1 million and 6 million transactions. The requirements go into effect on December 31, 2010.

MasterCard's intentions are good, as they are trying to ensure retailers have better controls. However, I still believe that instead of creating more bureacracy and audits, we need to focus more on looking at the requirements of the PCI standard and clarifying what to do.

PCI Data Security Standard is a good thing and has raised awareness for security issues for the merchants. But most merchants, especially the smaller ones, are still confused on what to do.

Merchants who are attaining compliance out of fear are being lulled into a false sense of security by run-of-the-mill vendors who issue a certificate for a few hundred bucks. Here's my 5-step recommended plan for a better process on making sure that merchants get a tighter security for their infrastructure:

Education: Focus on educating merchants on different levels of security. Credit card companies should offer free Web seminars and courses to help merchants in basic security issues.
Clear rules: PCI concil should continue to work on clarifying the requirements and how to get compliant. The last version helped and hopefully we can keep simpifying the standard. For example, throwing an app firewall at the problem does not equal secure applications.
Subsidies: Credit card companies should provide subsidies for smaller merchants who can't afford to pay for security.
Focus on the Weakest link: With 80% of attacks happening through the Web applications, it's the weakest link. Yet, most of the focus of the standard is on network security.
Enforcement and positive reinforcement: With clear rules, subsidies, and education in place, there shouldn't be many excuses for merchants to not comply. Start enforcing by initial warning and then penalties. Give visibilty to the good merchants so they can increase their sales.

With over 250 million records stolen in 2008 alone, resulting in billions of dollars in losses, it's obvious that the current rules are not working. Something has to change. Period.

by
Mandeep Khera, CMO
Mandeep@cenzic.com

Cenzic Detects an Apache Tomcat XML Parser Information Disclosure Vulnerability

Fri, 19 Jun 2009 15:02:33 -0400

An Apache Tomcat XML Parser Information Disclosure Vulnerability is now detectable in the Cenzic Web Server SmartAttack

As of June 19, 2009, Cenzic can detect the Apache Tomcat XML Parser Information Disclosure Vulnerability (BugtraqID 35416). Apache Tomcat is prone to an Information Disclosure Vulnerability where attackers can exploit this issue to obtain sensitive information that may lead to further attacks.

by
Erin Swanson
Eswanson@cenzic.com

Cenzic Partner Brings Web Application Security to South Africa

Wed, 17 Jun 2009 20:07:26 -0400

CentricEdge introduces Cenzic’s Web application security products at South African event

Cenzic, in collaboration with its South African partner, CentricEdge, was a sponsor at this year’s ITWeb Annual Security Summit to educate audience members on Web application security.

The South African event highlighted tools, techniques, and strategies for organizations to adopt in order to better safeguard their information. Key themes at this year’s event included cybercrime, mobile security, security in the cloud, AV malware, threat modelling, the security development lifecycle, PCI compliance, Web security, virtualization and security, and vulnerability management.

We’d like to thank CenzicEdge for creating the tradeshow display containing Cenzic branding along with pitching our technology to a new audience. Their Website is under maintenance at the moment, but check back soon to learn more about this company: www.centricedge.co.za

by
Chris Carvacho, Sales Ops
CCarvacho@cenzic.com

Cenzic 6.0 Product Launch for Software & Cloud Computing Options

Tue, 16 Jun 2009 18:07:51 -0400

Cenzic announces the latest launch of its software and cloud computing products that protect Websites against hacker attacks

Today’s launch day here at Cenzic – we have the latest releases for both our software and cloud computing products that will help you better protect your Websites from hackers.

Cenzic's 6.0 Product Suite (Click-to-Secure, Hailstorm Enterprise ARC and Hailstorm Professional) now includes:

More self-service capabilities for SaaS customers
Significant enhancements to vulnerability findings in Web 2.0 technologies such as Ajax and Flash
Real-time monitoring of application assessments with actionable results
Integration with Imperva’s SecureSphere Web Application Firewall allowing for the export of assessment results
User interface and dashboard improvements for ease of use and manageability
Full support for CVE and CWE IDs maintained by MITRE
Increased scalability with parallel processing to allow for running multiple assessments
Improved spidering features to strengthen application coverage
Integration with IBM Rational ClearQuest

So take a test drive of our latest product suite today!

by
Erin Swanson, Marketing
Eswanson@cenzic.com

Cenzic Detects an Apache Tomcat Authentication Vulnerability

Fri, 12 Jun 2009 16:37:32 -0400

An Apache Tomcat Authentication Vulnerability is now detectable in the Cenzic Web Server SmartAttack

As of June 12, 2009, Cenzic can detect the Apache Tomcat Form Authentication Existing/Non-Existing Username Enumeration Weakness Vulnerability (BugtraqID 35196). Apache Tomcat is prone to a username-enumeration weakness because it displays different responses to login attempts, depending on whether or not the username exists. Attackers may exploit this weakness to discern valid usernames. This may aid them in brute-force password cracking or other attacks.

by
Erin Swanson
Eswanson@cenzic.com

Last Chance to Ask Forrester Analyst About Web Security

Thu, 11 Jun 2009 10:52:31 -0400

Attend today’s live Web seminar on Web Security and ask Forrester analyst questions

Well today’s the big day for our live Web seminar on Web security, presented by Forrester analyst Chenxi Wang. Be sure to attend so you can ask her questions about the specifics of why the need is stronger than ever to protect your data.

We look forward to you “seeing” you later today!

Forrester Webcast: 5 reasons why you need Web security now

For: Security professionals in charge of protecting Websites and ensuring regulatory compliance
Date: Thursday, June 11, 2009
Time: 11 am Pacific (2 pm Eastern)
Duration: 1 hour
Cost: Complimentary
Presenters:
Chenxi Wang, Senior Analyst at Forrester Research and
Mandeep Khera, CMO of Cenzic

by
Erin Swanson
Eswanson@cenzic.com

Cenzic Detects an Apache Tomcat Denial of Service Vulnerability

Fri, 05 Jun 2009 17:12:20 -0400

An Apache Tomcat Denial of Service Vulnerability is now detectable in the Cenzic Web Server SmartAttack

As of June 5, 2009, Cenzic can detect the Apache Tomcat Java AJP Connector Invalid Header Denial of Service Vulnerability (BugtraqID 35193). Apache Tomcat is prone to a denial-of-service vulnerability. Attackers can exploit this issue and cause the server to end up in an error state, denying service to legitimate users.

by
Erin Swanson
Eswanson@cenzic.com

SANSFire 2009: Learn Latest Web Security Trends

Thu, 04 Jun 2009 18:55:03 -0400

Attend the SANSFire 2009 event in Baltimore to learn the latest Web security trends

It’s that time of year again – June means you’ve got to attend the 2009 SANSFire event to learn the latest trends in Web security. If you’re in Baltimore, be sure to stop by the Cenzic booth #14, as we’ll be giving away $50 AmEx gift cards, free Web security scans of your Website (up to 50 pages), and iTunes music.

Oh, and we’re also sponsoring a lunch and learn – eat while learning about the latest hacking techniques.

Event Details
SANSFire 2009, June 16-17, 2009
http://www.sans.org/sansfire09/event.php

Venue
Hilton Baltimore
401 West Pratt Street
Baltimore, MD 21201 US
Phone: 443-573-8700

Vendor Expo
Cenzic will be at Booth # 14
Tuesday, June 16: 12:00pm - 1:30pm and
5:00pm - 7:30pm
Wednesday, June 17: 7:00am - 8:30am * NEW TIME!

Cenzic Lunch & Learn
12:30-1:15 pm on June 17 at Room Billie Holiday 5
Hacking 101: How Hackers Attack your Website and the Common Mistakes to Avoid

What are some of the latest attacks Hackers use to exploit Websites? With 400 new Web vulnerabilities a month (and growing) - you need to keep ahead of the hacker curve and address these attacks and security concerns head-on!

Attend this interactive Cenzic Lunch & Learn demo to see examples of some of the most complicated Web application attacks used by hackers, and learn the ways you can prevent hacker attacks.

by
Angel Oberoi
Angel@cenzic.com

What's New | Cenzic Security Blog

OWASP Security Spending Report

See Also

SaaS Web Vulnerability Scanning

See Also

What’s New in Our Web Application Security Product, Cenzic Hailstorm 6.0

See Also

Defining and Detecting HTTP Parameter Pollution

See Also

Cenzic Issues New SmartAttack in 6.0 Release: HTTP Parameter Pollution Vulnerability

See Also

Black Hat 2009 – Learn the Latest Security Trends

See Also

Recording on Web Application Security – A Ticking Time Bomb!

See Also

PCI Blues - MasterCard Tightens PCI Compliance Requirements

Cenzic Detects an Apache Tomcat XML Parser Information Disclosure Vulnerability

See Also

Cenzic Partner Brings Web Application Security to South Africa

See Also

Cenzic 6.0 Product Launch for Software & Cloud Computing Options

See Also

Cenzic Detects an Apache Tomcat Authentication Vulnerability

See Also

Last Chance to Ask Forrester Analyst About Web Security

See Also

Cenzic Detects an Apache Tomcat Denial of Service Vulnerability

See Also

SANSFire 2009: Learn Latest Web Security Trends

See Also