
Web Application Security Newsletter - November 2007
Editorial Comments: A recent study by Connecticut-based law firm Scott & Scott indicates that four out of five (85 percent) of U.S. businesses have experienced a data breach. In a recent CSI/FBI Computer Crime and Security Survey, 95% of enterprises reported more than ten serious Web security incidents last year. Web applications continue to be a huge target for attackers; another study indicated that 75 percent of all attacks occur against Web applications. With these staggering statistics as a backdrop, our own survey, conducted by Cenzic and Executive Alliance, found that around 50% of respondents are somewhat to not confident that their current applications are secure from hackers. Our study also suggests that this lack of confidence reflects the fact that companies often have limited resources to secure their applications. Financial firms, as they continue to strive for greater application security, are adopting technologies such as pattern analysis and anomaly-detection systems. Since many if not most companies will likely fall prey to a breach, we are all well advised to implement an ironclad plan for responding effectively should a breach occur. An Incident Response Team comprised of IT, HR, legal, and law enforcement is essential. A holistic, proactive, multi-faceted approach sprinkled with a good dose of common sense (and don't forget the training) is a good recipe for the times.
1. Protecting Web-based applications from hackers
Consider these tips to avoid making a hacker's job easy
Industry analysts and enterprises alike are alarmed at the growing number of vulnerabilities found in Web-based applications. In fact, one recent study revealed that 75 percent of all attacks occur against Web applications. It's a double-edged sword: Web applications make life more convenient for businesses and customers while often making attacks too easy for the bad guys. Since sensitive data is usually an attacker's target, applications must be designed and implemented with security as a major priority. As a single solution, Secure Sockets Layer (SSL) encryption is not enough. Read about essential core components to consider when choosing a Web application security tool for your security foundation.
2. CSI 2007: Disclosing a data breach? Not so fast!
Assume a breach will happen and plan ahead
Experts advise that everyone should assume their company can someday be hacked. If recent surveys are an indication, your company is in the minority if you escape such an incident. This article stresses that it is critical to formulate clear policies and procedures in the event of a breach. Many states now mandate a disclosure; however, before rushing into action, the facts need to be gathered, clearly understood, and stated. Read about launching a cohesive Incident Response Team that combines the forces of IT, HR, legal, and law enforcement.
3. Get the 2007 Web Security Leadership Survey Results
Many are insecure about Web application security
A total of 476 cross-industry executives and professionals participated in this recent survey conducted by Cenzic and Executive Alliance to assess the current state of Web application security. Around half of the respondents expressed a lack of confidence in their Web application security. More than half felt that senior management does not yet grasp the financial implications of a potential data breach or attack. Yet data breach incidents were cited as the highest-priority security risk in 2007. Read about other key findings and how your company compares with the opinions of those surveyed.
4. Financial Firms Continue to Struggle to Plug Security Loopholes
Firms look toward new technologies to stem the tide of attacks
A recent study indicates that 85% of U.S. businesses have experienced data breaches, placing millions of consumers' Social Security numbers and other information in criminals' hands. Indeed, attackers are achieving new levels of sophistication. One trend involves multistage attacks whereby attackers gain access first to third-party financial sites and then hop to banking or financial sites. Encryption and stronger user authentication are no panacea. Though the credit card industry is no stranger to a technology called "pattern analysis," Wall Street is only now catching on. It is but one approach in the ongoing battle to stay a step ahead of the bad guys.
5. Lessons Learned from Five Years of Building More Secure Software
Learning from the past to secure a better future
Author Michael Howard shares best practices gleaned from lessons he has learned over time in the arms race to stay ahead of attackers. Michael points out the tendency to fixate on code; however, some security vulnerabilities are really more of a design issue. Beyond code review, a technique such as attack surface analysis reveals the portions of software that are exposed to untrusted users. The "many eyeballs" mantra and a push for ongoing training seem like mere common sense, but under the reality of market pressures they are often overlooked. Many of these tips are well worth repeating and warrant closer examination.
6. PCI DSS Council adding new standard for payment applications
New provision aimed at forcing increased security for payment applications
The new Payment Application Data Security Standard is based on Visa's Payment Application Best Practices (PABP). A draft has been submitted to the Council with a final version expected in early 2008. Visa created the standard to help software vendors and others develop secure payment applications that support compliance with the PCI DSS.
