Web Application Security Newsletter -
January 2008

Editor's Note: As we welcome 2008, we hope this will be a year for action. Action to start doing more testing of Web applications for security. Action to educate our employees on the importance of application security. Action to test Web applications for security early in the software development lifecycle (SDLC). Action to test ALL our Web applications, including the ones already deployed in production. While we continue to see more and more attacks at the Web application layer, it's heartening to see more and more organizations starting to take the initiative to secure their Web applications. Payment Card Industry (PCI), California AB1950 and other regulations are clearly playing a major role in driving the impetus on this front. We are also seeing companies starting to perform security testing of their production (already deployed) applications, which typically constitute 90% of their total portfolio of applications. To facilitate this, Cenzic announced a major integration with VMware products last month that will allow companies to seamlessly test their production apps through virtualization without corrupting them. There are a couple of interesting reports on testing production applications in this newsletter that we hope you'll enjoy. I wish you a great 2008 and look forward to working with many of you in helping you and others protect their Web applications from the bad guys!

1. Web 2.0: next-generation web threats

Enterprises are rapidly moving to embrace the interactive capabilities of Web 2.0 technologies. Online communities, blogs, and wikis are of particular interest to companies as a means to collaborate, promote products, and share knowledge. Companies are advised, however, to be keenly aware of the new security challenges that Web 2.0 technologies present, from both technical and commercial perspectives. Many of the challenges center around AJAX, which exposes more business logic on the browser client side. AJAX code is also prone to coding errors, which can lead to cross-site scripting attacks. Indeed, the very nature of Web 2.0 can provide rich hunting grounds for attackers.


2. Top 10 access-related controls for PCI compliance

In a recent presentation at Oracle OpenWorld, Viresh Garg of Oracle’s enterprise manager team examined the critical technologies and access-related policies and procedures outlined in PCI. Viresh looks at the standard as a template for understanding who has access and authority to do what on your systems. Ensuring continuous monitoring, identifying, reporting, investigating audit trails, and conducting risk analytics are all part of the process involved in protecting critical data.


3. Internet Explorer Problems Explode

What's up with Internet Explorer these days? Cenzic recently announced a new vulnerability related to IE caching that can allow hackers to break into Google Gmail via the Web browser. According to Cenzic Intelligent Analysis Lab researchers, the improper use of caching directives in IE, combined with incorrect access checks on cached browser files, could lead to such files “being maliciously modified to create a cross-site scripting vulnerability.” The vulnerability also exposes Gmail account sign-ons, giving hackers an entry point into a system. Cenzic alerted both Google and Microsoft as well as Homeland Security’s Computer Emergency Response Team (CERT).
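The caching issue above turns on one directive: only `Cache-Control: no-store` tells a browser not to write a response to its on-disk cache, so a page that sets a session cookie without it can end up in cached files that the browser's own access checks then have to protect. The following audit is an added example (not Cenzic's or Google's code) that parses constructed raw HTTP responses and flags sensitive ones that remain storable; the set of cookie names treated as session identifiers is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Cookie names treated as session identifiers (assumption for this example).
SESSION_COOKIE = re.compile(r"^(sid|sessionid|jsessionid|phpsessid|auth)=", re.I)

def parse_response(raw: str) -> Tuple[int, Dict[str, List[str]], str]:
    """Split a raw HTTP/1.1 response into status code, header map and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, List[str]] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body

def cache_directives(headers: Dict[str, List[str]]) -> set:
    """Return the directive names from every Cache-Control header, lower-cased."""
    joined = ",".join(headers.get("cache-control", []))
    return {d.strip().lower().split("=")[0] for d in joined.split(",") if d.strip()}

def is_storable(headers: Dict[str, List[str]]) -> bool:
    # Only no-store forbids writing the response to the browser cache;
    # private, no-cache and max-age=0 still let it reach disk.
    return "no-store" not in cache_directives(headers)

def is_sensitive(headers: Dict[str, List[str]]) -> bool:
    """A response that issues a session cookie is treated as sensitive."""
    return any(SESSION_COOKIE.match(c) for c in headers.get("set-cookie", []))

def audit(raw_responses: List[str]) -> List[int]:
    """Indexes of successful responses that set a session cookie yet stay storable."""
    findings = []
    for i, raw in enumerate(raw_responses):
        status, headers, _ = parse_response(raw)
        if 200 <= status < 300 and is_sensitive(headers) and is_storable(headers):
            findings.append(i)
    return findings

# Constructed sample responses: the first two are storable, the third is not,
# and the fourth carries no session cookie at all.
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\nSet-Cookie: sid=abc123; HttpOnly\r\nContent-Type: text/html\r\n\r\n<html>inbox</html>",
    "HTTP/1.1 200 OK\r\nSet-Cookie: sid=abc123; HttpOnly\r\nCache-Control: private, max-age=0\r\n\r\n<html>inbox</html>",
    "HTTP/1.1 200 OK\r\nSet-Cookie: sid=abc123; HttpOnly\r\nCache-Control: no-store, no-cache\r\nPragma: no-cache\r\n\r\n<html>inbox</html>",
    "HTTP/1.1 200 OK\r\nCache-Control: public, max-age=3600\r\n\r\n<html>logo</html>",
]

if __name__ == "__main__":
    print("storable sensitive responses:", audit(SAMPLE_RESPONSES))  # [0, 1]
```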


4. Google researcher calls for Flash flush

A researcher is warning about a bug in SWF files created by most of the common programs that generate Flash applets used in Web site animation. Vulnerable content opens websites up to cross-site scripting exploits and can be used to steal account details or perform withdrawals. The buggy Flash files are known to be contained on many thousands of websites, including those of banks, government agencies, and major corporations.


5. Cenzic Announces Hailstorm and Attune Enhances Partner Program

Cenzic recently announced that its Hailstorm solution has now been integrated with VMware Lab Manager and VMware VirtualCenter. Additional features include major enhancements to compliance reporting and to the Risk Management Dashboard, which enables users to sort and score vulnerabilities so users can easily see which pose the greatest risk. The new release offers many new features that enhance the user experience and tighten integration with other application security solutions. Cenzic is the first company to allow automated security assessment of Web applications in production through virtualization. To find out more, listen to this recent InfoWorld Podcast.


6. TJX, banks reach settlement in data breach

TJX Cos. and New England banks have agreed to settle a high-profile lawsuit over payment card security practices following a record-setting data breach that compromised up to 100 million accounts. TJX will pay banks and trade groups in Massachusetts, Connecticut, and Maine a portion of their legal expenses. The settlement amount is meant to cover previous settlements with Visa International Inc. for up to $40.9 million in costs. TJX discovered illicit software on its system in 2006. Subsequently, Canadian privacy officials tied the intrusion to a weakness in the company's wireless security systems as far back as 2005. To date, no individual has been charged with the intrusion.


© Copyright 2008 Cenzic