Web Application Security Newsletter -
December 2007

Editorial Comments: We wind up the year with the SANS Top 20 Security Risks update. The takeaway from this year’s report might be summarized best by stating that all things Internet are fair game for the bad-guy hackers. According to one writer, “it’s enough to make you want to pull your Ethernet cord out. Is anything out there secure?” Application flaws top the list, along with one of the most critical vulnerabilities to security: the gullible, busy computer user who falls prey to phishing attempts, browses malicious web sites, and follows false instructions that can end up emptying one’s bank account or the bank account of one’s employer. On another note, Yahoo! Architect Douglas Crockford asks the question, “Can We Fix the Web?” He announces plans to address just this question at the upcoming AJAXWorld 2008 East conference, to be held in New York City in March 2008. He states, “The Web is no longer a driver of innovation. It is now a serious impediment.” Although his goal is nothing less than lofty, he not only believes the Web can be fixed; he intends to explain how. From all of us at Cenzic, Happy Holidays and best wishes for a safe and secure 2008!

1. Cenzic becomes the First Company to allow automated security assessment of Web applications in production through virtualization

Cenzic makes strategic push into the virtualization arena
Cenzic announced that it will integrate its flagship product line, Cenzic Hailstorm Enterprise ARC, with VMware Lab Manager and VMware Virtual Center. Customers can now continuously test production applications without the risk of compromising the environment. “One of the biggest challenges in securing Web applications is how to test the applications in an environment that is identical to that of the live application without risking data corruption,” said Systems Architect Andrew Wing, of Teranet. “The concept of virtual testing brings a lot of benefit and a sense of safety.” Additionally, Cenzic has joined the VMware Technology Alliance Partner (TAP) program in its efforts to deliver virtual solutions for better testing of deployed Web applications.


2. Frankly Speaking: Security is a business problem

Security should be viewed as a business enabler
The crooks are as prolific as ever, running automated attack programs against vulnerable applications. However, a growing challenge is that of the gullible user and the bad guys who prey on them. Indeed, the bad guys are increasingly targeting specific users in hopes of emptying their bank accounts, or perhaps the accounts of their employers. According to Hayes, it is positive that SANS recognizes security as a people problem. Their recommendations, however, Hayes calls “a classic security response.” So what is wrong with staging phishing attacks against our users and cutting off users who fail the test? Hayes instead advocates building cooperation among all levels of the enterprise rather than running the risk of alienating users, the very people you need the most. Read about his perspective on building a case for security as a business enabler rather than merely a cost to the enterprise.


3. Douglas Crockford To Ask at AJAX World: "Can We Fix the Web?"

Yahoo! Architect plans to present specifics at upcoming AJAXWorld 2008 East
“The Web is no longer a driver of innovation. It is now a serious impediment.” Douglas Crockford points out that the standards that define the Web were last revised in 1999. What was once a document retrieval system is now an application delivery system, and according to Crockford, it has reached its limits. Stay tuned for his March keynote, in which he plans to offer specifics on next steps for how the Web can be fixed to meet the emerging needs of this century. He asks, “Can a system as large and as open as the web heal and adapt itself to the challenges of the 21st Century?” He believes the answer is a resounding “yes!”


4. Client, Application Flaws Top SANS Vulnerability List

Explosive growth of client side vulnerabilities is seen
Desktop users who browse the Web without proper controls are becoming a major security risk. Also, gullible, busy users can be especially prone to falling prey to phishing and other scams. SANS again placed MS Windows vulnerabilities among the most serious; however, home-grown applications present the greatest threat. The latest SANS Top 20 also emphasized the need for programmers to recognize security holes in their applications and to make use of Web application security scanners that can proactively identify problems.


5. SANS Institute paints gloomy security picture

Is it time yet to pull your Ethernet cord out?
From third-party plug-ins to browsers, Web-based applications to anti-virus software, the latest SANS Top 20 update paints a bleak picture indeed of the state of Internet security. Per SANS, the number of attempted attacks against some large web hosting farms ranges from hundreds of thousands to millions each day. Every week hundreds of vulnerabilities and exploits are reported in commercially available and open source web applications. Not even backup software is exempt from foul play. And, yes, even anti-virus software makes for an attractive target.


Technical Resources
> Datasheet: Hailstorm Enterprise ARC
> Datasheet: Hailstorm Pro
> Datasheet: Hailstorm Starter
> Datasheet: Hailstorm Core
> White Paper: Beyond Simple Vulnerabilities Scanning
> White Paper: Cross Frame Scripting
> White Paper: Cenzic Imperative Assessment Plan
> White Paper: Enabling Security in the Software Development Lifecycle (PDF)

© Copyright 2008 Cenzic