Web Application Security Newsletter - June 2007
A MESSAGE FROM THE EDITOR - As companies rush to embrace Web 2.0 technologies, they would be wise to heed the warning that careful planning is critical. Experts warn that the openness of Web 2.0 user communities and user-generated content must be balanced against proper controls and security measures. One need only look at two of the most popular social networking sites of today to see that Web 2.0 waters can be murky at best and shark-infested at worst. According to Cenzic's recent study, the web application landscape is still fraught with the danger of widespread identity theft and fraud. Financial firms especially must bolster their web applications. We have found that it does not take a pro to hack like a pro: many web application vulnerabilities are easily exploitable. The TJX Companies data breach story teaches a hard lesson. Investing in security before a breach happens is far less costly than paying for one after an incident occurs. There's an old proverb that an ounce of prevention is worth a pound of cure.
1. XSS leads OWASP's Top 10 for 2007
Industry has seen only the tip of the iceberg
"It's hard to get them all out," says OWASP chair Jeff Williams, likening cross-site scripting (XSS) to an infestation of termites silently eating away at your house. The industry has only seen the tip of the iceberg when it comes to these pesky exploits. OWASP urges companies to build frameworks and patterns to guard against cross-site scripting and the other top web application vulnerabilities on its current list. Trivial to fix during development, cross-site scripting is much more difficult to resolve later. Read about all the vulnerabilities and why they topped OWASP's list.
2. The Move to Web 2.0 Increases Security Challenges
A gold rush fraught with risks
The openness and freedom that are characteristic of Web 2.0 present unique and increased security risks to companies rushing to embrace the newest technology. The advantages of creating user communities must be balanced against protecting users from each other. A key challenge is to offer user-generated content capabilities while integrating the proper level of security measures. Among the new Web 2.0 technologies, Ajax applications are beginning to be targeted by hackers. Careful planning is essential. Experts weigh in on the potential pitfalls of rushing headlong into Web 2.0.
3. 7 out of 10 Popular Web Applications are Dangerous
Financial firms had better watch out
Danger still lurks on the web application landscape. According to Cenzic's recent study, at least seven out of 10 popular Web applications have vulnerabilities that could potentially allow the theft of critical personal information or illegal money transfers. Two common culprits are design flaws and insecure configuration. Cenzic pointed out 1,561 unique vulnerabilities in a range of popular applications. Most of the vulnerabilities are easily exploitable and do not require hackers to be pros.
4. Who says security breaches are small potatoes?
How security breaches impact the corporate bottom line
Attorney Eric Sinrod warns that the impact of a computer security breach is not hypothetical. A security breach's fallout is real and can be immediate. A case in point is the unauthorized intrusions into TJX Companies' computer systems. Costs related to the intrusions are soaring and include after-tax charges topping millions of dollars. The hard lesson of this high-profile breach is that companies of all kinds need to educate themselves and take steps to prevent a breach from ever occurring in the first place.
5. TJX: Data breach damage $25 million and counting
45.7 million credit and debit card holders are exposed to fraud
TJX Companies is paying a heavy price for the security breach that exposed millions of customers to identity theft and fraud. Now faced with a growing list of lawsuits, TJX has paid $25 million so far to address the breach. Among those suing are three New England banking associations as well as individual banks seeking to recoup money spent replacing cards and covering fraudulent charges.
6. Pirate Bay breach leaks database
SQL Injection used to compromise system
Pirate Bay announced recently that a security hole in its blogging software was exploited. The intruder obtained the site's usernames and passwords via a SQL Injection vulnerability. Pirate Bay allows users to search for files offered by members, including video, audio, and game files, many of them pirated. Operators of the site found that the attackers had submitted the file containing the account information back to Pirate Bay's torrent tracker. The site's operators apologized, stating "Sorry for the mess, but we are human and we miss something sometimes."