Web Application Security Newsletter - July 2006

A MESSAGE FROM THE EDITOR - How much is security really worth? Let Charles Kolodgy of IDC tell you his opinion on how much he thinks security is worth by viewing our archived web broadcast, just completed on July 11th. As Charles points out, securing your network just isn't enough. These days, more and more intrusions and data thefts are taking place through the path of least resistance: web front-ends. Some might suggest that simply putting your web application behind a firewall will ensure security, but how practical is that from a business perspective? Companies doing business on the internet must make certain data and applications available by keeping ports 80 and 443 open. Knowing this, hackers don't need to become more sophisticated, since their avenues of intrusion are merely changing, not becoming more challenging. Shoring up these open paths as part of the Software Development Life Cycle is imperative. Although there are several options for achieving this goal, many suffer from a huge number of false positives, longer timelines, or high costs. The key point is that picking the wrong product, service or methodology, or simply doing nothing, can have a significant impact on a company's bottom line. The easiest way to jump-start the process is with software as a service, which doesn't require hardware, software, or internal expertise.

Also, stay tuned for archive information on "Best Practices for Zero Impact Security Testing" with Lindsey Vereen of ST&P and our own Ambarish Malpani.

Cenzic Inc. presents free Hackinars™ - Hack Attacks! An Insider's View. Experience live web application attack simulations of actual attacks, giving attendees an inside look at the way applications are penetrated in the real world. For more information or to register please visit our website: http://www.cenzic.com/news_events/events.php.

1. Credit card security rules to get update

New rules reflect rising incidence of application-level attacks
New PCI rules respond to the increasing incidence of application-level attacks while allowing merchants alternatives to data encryption. The proposed update will require, by mid-2008, that merchants scan payment software for vulnerabilities. Current PCI rules only require validation of a secure network. Critics believe that relaxing encryption requirements might hurt consumer data security. Retailers who are not in compliance with the PCI standard face possible penalties, including fines.


2. SSL-enabled Web sites do not protect applications

Web server applications must be secure
While SSL provides protection for users against attacks such as phishing, Web server applications are still vulnerable. Although SSL plays a critical role in protecting data in transit to the server, measures should be taken to secure the Web server. An SSL-enabled Web site does not protect the server from attacks such as cross-site scripting, SQL injection, and buffer overflows. Good patch management and secure coding techniques are critical.


3. Oracle exec hits out at 'patch' mentality

Unreliable software: "a national security issue"
Speaking at the WWW2006 conference, Oracle's CSO blasts the software industry, saying that it is so plagued with buggy products that "you wouldn't get on a plane built by software developers." Davidson faults the industry's lack of training in the areas of safety, security, and reliability and a culture of "patch, patch, patch," at a cost to businesses of $59 billion. At a tipping point, the business of software has become a national security issue with the possibility of regulation.


4. Keep your Web applications secure

Web-based applications: a portal of choice for mischief
Web application security is often overlooked even though companies take other precautions such as scanning their systems for vulnerabilities. When relying solely on system security analysis of the Web platform, Web server applications can still be vulnerable to a variety of attacks. If not secured, Web-based applications provide opportunity for illegal entrance to an organization's network. Be aware of the top three Web application security flaws. Learn about how these attacks occur and how you can strengthen your network security armor to prevent potentially harmful intrusions.


5. Preventing blind SQL injection attacks

Five best practices to lessen vulnerability
Although most security professionals are familiar with SQL injection attacks, they might be unaware that the usual preventative measures still leave their applications vulnerable to blind SQL injection attacks. The article discusses the distinction between these two types of attacks and explains why suppressing error messages is ineffective on its own. It then presents five measures you can use to protect your organization's applications against both kinds of attacks.

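The point above about error suppression is easy to see in code. The following is an added example, not taken from the linked article or from any Cenzic product: a constructed in-memory SQLite table, a lookup built by string concatenation that swallows every database error (the pattern the article calls ineffective), and the same lookup written with a bound parameter. The `infer_row_count` helper is a regression check a defender can keep in a test suite; it asks the lookup a series of yes/no questions through the username field and reports whether the application's true/false answers leak anything even though no error text is ever returned. All table and column names are assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for an application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, active INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, active) VALUES (?, ?)",
        [("alice", 1), ("bob", 0)],
    )
    return conn


def lookup_vulnerable(conn, username):
    """The 'before' pattern: the query is assembled by concatenation and every
    database error is swallowed, so the caller only ever sees True or False.
    Hiding the error text does not stop the query itself from being altered."""
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '"
        + username
        + "' AND active = 1"
    )
    try:
        return conn.execute(sql).fetchone()[0] > 0
    except sqlite3.Error:
        return False  # generic failure; no error message reaches the caller


def lookup_safe(conn, username):
    """The hardened form: the value is bound as a parameter, so whatever the
    string contains it is compared as a literal username and cannot change
    the structure of the query."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND active = 1"
    return conn.execute(sql, (username,)).fetchone()[0] > 0


def infer_row_count(lookup, conn, max_n=10):
    """Regression check for the blind case: feed the lookup a username that
    appends a true/false condition on the table size and watch only the
    boolean answer. Returns the row count the lookup reveals, or None if
    every probe comes back False (the behaviour the safe version should show)."""
    for n in range(max_n + 1):
        probe = "alice' AND (SELECT COUNT(*) FROM users) = %d --" % n
        if lookup(conn, probe):
            return n
    return None


if __name__ == "__main__":
    db = make_db()
    # The concatenated query answers the probes truthfully without ever
    # showing an error; the parameterized one reveals nothing.
    print("vulnerable lookup leaks row count:", infer_row_count(lookup_vulnerable, db))
    print("parameterized lookup leaks row count:", infer_row_count(lookup_safe, db))
```

Run as a script, the first line reports the true row count (2) while the second reports None. The lesson matches the article's summary: error suppression changes what the attacker reads, not what the database executes, so the fix has to be in how the query is built.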

6. Don't Just Meet the Minimum Security Standards. Create New and Better Practices!

Hands-on training can provide a path to more secure code
Although developers are an integral part of a company's security system, many still lack education about information security attacks, such as what they are, how they occur, and how to prevent them. Organizations are urged to move beyond meeting current standards and best practices by providing hands-on training in attacking applications. Through direct experience developers can begin integrating defense mechanisms into their code. A hands-on approach can be critical to eventually making all code more secure.


© Copyright 2008 Cenzic