HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: November 2010

Top Five Web Application Vulnerabilities 11/15/2010 - 11/28/2010

1) SAP NetWeaver SQL Monitor Multiple Cross-Site Scripting Vulnerabilities

The SQL Monitor of SAP NetWeaver is susceptible to multiple instances of Cross-Site Scripting. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Fixes for these issues have been released. Contact the vendor for additional details.

http://www.securityfocus.com/bid/44904

2) IBM WebSphere Application Server Cross-Site Scripting Vulnerability

IBM WebSphere Application Server is susceptible to a Cross-Site Scripting vulnerability. This can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. Updates which resolve this vulnerability have been released. Contact the vendor for further information.

http://www.securityfocus.com/bid/44875

3) Cisco Unified Videoconferencing Multiple Vulnerabilities

Cisco Unified Videoconferencing is susceptible to multiple vulnerabilities including remote command injection and cookie session hijacking. The first issue can be leveraged by an authenticated 'administrator' to execute arbitrary commands with root-level privileges of the Linux operating system. The second issue can be exploited to gain access to the affected application. Fixes for these issues have not been released as of this writing. Contact the vendor for more details.

http://www.securityfocus.com/bid/44922
http://www.securityfocus.com/bid/44926

4) Apache Tomcat 'sort' and 'orderBy' Parameters Cross-Site Scripting Vulnerabilities

Apache Tomcat is susceptible to multiple Cross-Site Scripting vulnerabilities. An attacker can leverage these issues to execute script code in the browsers of unsuspecting users in context of the affected application, possibly leading to theft of authentication credentials and other attacks. Updates which resolve these issues are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/45015

5) Jetty Web Server Plugin for Eclipse Multiple Cross-Site Scripting Vulnerabilities

The Jetty Web Server plugin for Eclipse is susceptible to multiple Cross-Site Scripting vulnerabilities. Arbitrary script code can be executed in context of the affected site in the browsers of unsuspecting users if these vulnerabilities are successfully exploited. An update which resolves these vulnerabilities has been released. Contact the vendor for further details.

http://www.securityfocus.com/bid/44883

Decoupling the 'False Positive'

There’s often a significant amount of debate between internal appsec groups and developer groups around the topic of false positives. What exactly determines whether something is or is not a true false positive? And how can appsec groups synchronize so as to reduce confusion on the topic?

 

Semantics lie at the center of many arguments, and the debate around “false positives” offers no exception. What I’ve found is that there are often two different meanings that are being used in a single discussion about false positives, and if each side doesn’t realize which definition the other is using, chaos will ensue. Here are the two definitions I most commonly encounter:

 

  1. The tool is claiming something that isn’t true, i.e. the vulnerability that it says it found actually was not found. One example of this might be the presence of a secretfile.aspx.bak file. The tool says it found the contents of this .aspx file, but when you look at the response you see that it’s no more than a custom 404 page.
  2. The finding is technically correct, but nobody cares, i.e. a finding comes back saying that a password value is being passed via GET request to a given application, and the issue has been fully explained to the development team and management; they’ve simply decided not to change it.
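The secretfile.aspx.bak case in definition 1 is the classic "soft 404": the server answers every unknown path with a 200-status custom error page, so a scanner that trusts the status code reports a find. The Python below is an added example, not HP or WebInspect code; the response objects, the sample pages and the 0.9 similarity threshold are constructed for illustration. It compares the suspect response with a baseline response for a path that certainly does not exist and only calls the finding real when the two bodies genuinely differ. Definition 2, the accepted risk, is deliberately not a value this code can produce, because that is a human decision rather than a fact about the tool's claim.

```python
import difflib
import secrets
from dataclasses import dataclass


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status code and body."""
    status: int
    body: str


def baseline_probe_path(extension=".aspx"):
    """A random path that almost certainly does not exist on the target.
    Its response is the reference for 'what not-found looks like here'."""
    return "/" + secrets.token_hex(8) + extension


def normalize(body, path):
    """Collapse whitespace and replace the requested path with a fixed token.
    Custom error pages usually echo the path, so two error pages for different
    paths only compare as equal once that echo is neutralised."""
    return " ".join(body.split()).replace(path, "{PATH}")


def similarity(a, b):
    """0.0 (nothing in common) .. 1.0 (identical); autojunk off so long pages
    are compared character for character."""
    return difflib.SequenceMatcher(None, a, b, autojunk=False).ratio()


def triage(found_path, found, baseline_path, baseline, threshold=0.9):
    """Classify a scanner's 'file found' claim.

    'no-content'     : the server itself says the file is absent (claim wrong)
    'false-positive' : 200 status, but the body is the site's error page
                       in disguise (definition 1: the tool's claim is wrong)
    'true-positive'  : the body really differs from the not-found baseline
    """
    if found.status != 200:
        return "no-content"
    if baseline.status != 200:
        # The server distinguishes missing paths by status, so a 200 is real.
        return "true-positive"
    score = similarity(normalize(found.body, found_path),
                       normalize(baseline.body, baseline_path))
    return "false-positive" if score >= threshold else "true-positive"


def custom_404(path):
    """Constructed sample of a site's custom 'not found' page that is served
    with status 200, the pattern that fools status-code-only checks."""
    return (
        "<html><head><title>Page not found</title></head><body>"
        f"<h1>Sorry, we couldn't find {path}</h1>"
        '<p>The page you requested does not exist. <a href="/">Home</a></p>'
        "</body></html>"
    )


# Constructed sample of what a genuinely exposed backup file might contain.
REAL_BACKUP_BODY = (
    '<%@ Page Language="C#" CodeFile="secretfile.aspx.cs" %>\n'
    "<!-- constructed sample: a backup file leaking a connection string -->\n"
    '<% string conn = "Server=db01;Database=payroll;User Id=app;Password=EXAMPLE"; %>'
)

if __name__ == "__main__":
    target = "/secretfile.aspx.bak"
    probe = baseline_probe_path(".aspx.bak")
    baseline = Response(200, custom_404(probe))
    # Scanner saw a 200 for the .bak file, but it is the error page: false positive.
    print(triage(target, Response(200, custom_404(target)), probe, baseline))
    # The body is real backup content: true positive.
    print(triage(target, Response(200, REAL_BACKUP_BODY), probe, baseline))
```

The baseline request is the part most scanners skip; without it, the only evidence is the status code, which is exactly what the custom 404 page lies about. Keeping the 'accepted risk' disposition out of the tool's vocabulary is the point of the post: the tool reports whether its claim held up, and people decide whether the confirmed issue matters.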

 

Let’s forget for a moment that development groups (or any IT group really) shouldn’t be “deciding” anything when it comes to risk. The point here is that they acknowledge that the claim made by the tool is accurate—they simply don’t think it’s important enough to call an issue or defect.

 

This distinction is critical when appsec groups are communicating with development groups and management. I recommend keeping the term “false positive” firmly nailed down to the concept of whether the tool's claim is accurate, and insisting that another term be used for the belief that an accurately identified issue is not worth addressing.

 

Language matters. Insisting that key terms like these are used both correctly and consistently will prevent excessively long and repetitive email threads over semantics which can result in increased pushback from development and management groups.

 

So, as a follow-up, what do you see being used as a term for the "ignored positives"? Accepted risks? Another colloquialism? Let me know in the comments. Also, feel free to reach out to me at daniel.miessler@hp.com.

Labels: appsec | infosec

WAF Is Not a Four Letter Word (Web Application Firewalls Don't Totally Suck!)

Let's start this conversation by postulating 3 immutable Laws of Application Security Testing (LAST):

 

1) No static application security testing (SAST) tool can catch 100% of software vulnerabilities during development (though tools like HP's Fortify SCA do an extremely thorough job);

 

2) No black box testing/DAST tool can find 100% of the application vulnerabilities in live applications (though HP WebInspect identifies hard-to-find vulnerabilities, undetectable by traditional scanners, in the world of Web 2.0 and increasingly complex web apps);

 

3) #1 and #2 are always true even if, as Voltaire's Dr. Pangloss erroneously states in Candide, we live in the "best of all possible worlds." In security, even the most forward-thinking organizations are riddled with strategy shortfalls, cost/benefit sacrifices, staffing holes, faulty implementations, and plain old human error.

 

Application security purists, both inside and outside HP, often consider WAFs (Web Application Firewalls) to be crude, suboptimal tools used by clumsy or lazy organizations that are not nimble, visionary, or skilled enough to implement static application security testing in the development lifecycle and dynamic application security testing for applications in production.

 

One of my most brilliant, esteemed colleagues recently dismissed the WAF as merely "a hack".

 

Conceptually, the purists are correct.

 

Unfortunately, entropy is an unavoidable fact in today's enterprises.

 

Consider this situation:

 

You're a typical large enterprise with hundreds of untested web applications, many of which capture critical sensitive data like credit card numbers and partner information. Today you decide to initiate a testing program, implementing both SAST (development code testing) and DAST (black box testing for live apps). Penetration tests are easier to start running first as your development organization gets comfortable with source code analysis, so you start there.

 

As you run penetration tests against your most sensitive applications, you begin finding vulnerabilities in payment system applications that put customers, partners, and your reputation at risk. The development organization has a long pipeline, and changing the code will take months. Taking the application down will cripple your cash flow, so that's a non-starter. Meanwhile, there's a chance that the detected vulnerabilities will remain unexploited, but that's a risk none of your senior managers are willing to take for ethical, compliance, legal, and marketing reasons.

 

What to do?   

 

Being able to implement a quick response to prevent a potential attack is critical. WAFs can quickly implement new policy settings to protect business-critical applications until the source code fixes are live.

 

In addition, in the best of all possible worlds DAST tools would share intelligence with a WAF, providing vulnerability data to make the WAF more effective.
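The two preceding paragraphs describe one mechanism from the WAF side: a scanner finding (path, parameter, vulnerability class) becomes a temporary rule that shields the parameter until the code fix ships, and the same data can be rendered in the WAF's native rule language. The Python below is an added example, not HP, WebInspect or any WAF vendor's code; the finding record, the in-process request filter and the per-parameter "expected shape" patterns are assumptions for illustration, and the ModSecurity rendering only shows what such a virtual patch looks like in rule syntax.

```python
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Finding:
    """Assumed shape of one scanner finding: where, which parameter, what
    class of issue, and a regex body describing the parameter's legitimate
    values (taken from the application's contract, not from the scanner)."""
    path: str
    parameter: str
    category: str
    expected: str


@dataclass(frozen=True)
class VirtualPatch:
    """Positive-security rule: at `path`, `parameter` must fully match `allowed`."""
    path: str
    parameter: str
    allowed: str
    reason: str


def patch_from_finding(f):
    """DAST -> WAF hand-off: the finding's location and the parameter's
    expected shape are everything a shielding rule needs."""
    return VirtualPatch(f.path, f.parameter, f.expected,
                        f"virtual patch for {f.category} in {f.parameter} at {f.path}")


def to_modsecurity(p, rule_id):
    """Render the rule in ModSecurity 2.x syntax: a chained pair that scopes
    the check to the path and denies when the argument does not match."""
    return (
        f'SecRule REQUEST_URI "@beginsWith {p.path}" '
        f'"id:{rule_id},phase:2,deny,status:403,msg:\'{p.reason}\',chain"\n'
        f'    SecRule ARGS:{p.parameter} "!@rx ^{p.allowed}$" "t:none"'
    )


class VirtualPatchFilter:
    """Tiny stand-in for the WAF: inspects query and form parameters of a
    request and denies any patched parameter whose value is off-contract."""

    def __init__(self, patches):
        self.by_key = {(p.path, p.parameter): p for p in patches}

    def check(self, url, form=None):
        """Return ('allow', None) or ('deny', reason)."""
        parts = urlsplit(url)
        params = parse_qs(parts.query, keep_blank_values=True)
        for name, values in (form or {}).items():
            params.setdefault(name, []).extend(values)
        for name, values in params.items():
            patch = self.by_key.get((parts.path, name))
            if patch is None:
                continue            # parameter not under a virtual patch
            for value in values:
                if re.fullmatch(patch.allowed, value) is None:
                    return "deny", patch.reason
        return "allow", None


# Constructed findings standing in for a scanner report.
FINDINGS = [
    Finding("/account/view", "id", "sqli", r"[0-9]{1,10}"),
    Finding("/search", "q", "xss", r"[A-Za-z0-9 ._-]{0,64}"),
]
PATCHES = [patch_from_finding(f) for f in FINDINGS]
WAF = VirtualPatchFilter(PATCHES)

if __name__ == "__main__":
    for req in ["/account/view?id=42", "/account/view?id=42 OR 1=1",
                "/search?q=<b>hi</b>", "/help?id=anything"]:
        print(req, WAF.check(req))
    print(to_modsecurity(PATCHES[0], 10001))
```

The rule is an allow-list on the one parameter the scanner proved dangerous, not a signature for the attack it saw, which is why it keeps working against inputs the scanner never tried. The trade-off is the one the post names: the rule is only as good as the "expected shape" someone wrote for the parameter, and it buys time rather than replacing the code fix.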

 

Again, some smart organizations (many of which are HP customers) are moving toward a "test everything in development and in production" model; however in cases where, for example, an application is out of support or the vendor provider is defunct, getting continued access to source code is problematic.

 

A WAF is not a panacea. WAFs make sense in some cases and not in others, and a WAF is never a silver-bullet substitute for secure coding and dynamic testing.

 

"Test it and fix it" is always the right answer. "Shield it while it waits to be fixed" is the part of the answer, in certain use cases, that application security Panglosses don't want to hear.

 

I'm interested in what others think of the need for WAFs (and for DAST/WAF information sharing in certain real-world use cases). Am I out to lunch?

Top Five Web Application Vulnerabilities 11/1/2010 - 11/14/2010

1) SAP NetWeaver Composition Environment 'sapstartsrv.exe' Remote Code Execution Vulnerability

SAP NetWeaver Composition Environment is susceptible to a Remote Code Execution vulnerability. An attacker can leverage this vulnerability to execute arbitrary code with user level privileges. Failed attempts would likely result in a denial-of-service condition. Updates which resolve this issue have been released. Contact the vendor for additional information.

http://www.securityfocus.com/bid/44731

2) Microsoft Forefront Unified Access Gateway 'Signurl.asp' Cross-Site Scripting Vulnerability

Microsoft Forefront Unified Access Gateway is susceptible to a Cross-Site Scripting vulnerability. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Updates which resolve this issue have been released. Contact the vendor for more details.

http://www.securityfocus.com/bid/44634

3) HP Insight Control Performance Management Multiple Vulnerabilities

HP Insight Control Performance Management is susceptible to multiple vulnerabilities including Arbitrary File Download and Cross-Site Scripting. Cross-Site Scripting can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. The Arbitrary File Download issue can be leveraged by an attacker to view arbitrary files within context of the application, possibly revealing information which could be utilized to form more damaging attacks. Updates which resolve these issues are available. Contact the vendor for more information.

http://www.securityfocus.com/bid/44585
http://www.securityfocus.com/bid/44583

4) Novell GroupWise Cross-Site Scripting Vulnerability

Novell GroupWise is susceptible to a Cross-Site Scripting vulnerability. An attacker can leverage this issue to execute script code in the browsers of unsuspecting users in context of the affected application, possibly leading to theft of authentication credentials and other attacks. Updates which resolve this issue are available. Contact the vendor for further details.

http://www.securityfocus.com/bid/44732

5) Juniper Networks Secure Access 'meeting_testjava.cgi' Cross-Site Scripting Vulnerability

Juniper Networks Secure Access devices are susceptible to a Cross-Site Scripting vulnerability. Arbitrary script code can be executed in the browsers of unsuspecting users if this vulnerability is successfully exploited. Fixes for this issue have been released. Contact the vendor for more information.

http://www.securityfocus.com/bid/44709

The HP Web Security Research Group is hiring!

The HP Web Security Research Group is seeking highly talented web application security experts to work on our cutting edge web application assessment technology. These positions will work out of our office in Alpharetta, GA. We want somebody interested in discovering vulnerabilities in RIAs like Silverlight and Flash, and who wants to tackle intriguing issues like JavaScript static analysis. We need individuals interested in finding the best methods for automating detection of issues like XSRF, persistent XSS, and URL rewriting. We're working on these challenges and more, all in a fun, challenging, and fast-paced environment.

 

If you're interested (and why wouldn't you be?), contact Gabby Braslavsky (gabriel.braslavsky@hp.com) for additional information.

Relax! HP can do that!

A Hibachi in the Datacenter? Watch this latest video now to see how the new intern Stuart and his colleagues are saving time and money by working with HP to move key services into the Cloud and using the HP Software portfolio to simplify, automate and secure IT for business.

 

Please Allow Me to Introduce Myself (What's My Name?)

I have been counseling enterprises in product management/marketing roles for over 10 years from such venues as Top Layer Networks, Internet Security Systems, and Barracuda Networks. I recently spent a few years at Gartner as a network security analyst, where many of my customer inquiries started as firewall/IPS questions, but were really about protecting business-critical applications.


It's become an industry cliche that approximately 80% (maybe it's 75%, maybe it's 85% - whatever the percentage is, it's a BIG number) of attacks are directed at applications. As the problem has grown increasingly dire, I have sought opportunities to help make applications more secure. As a result, I am thrilled to have joined HP's Application Security Center as a Senior Product Manager, running ASC's flagship product WebInspect.


In the month I've been here, HP has acquired Fortify, whose static analysis perfectly complements WebInspect's dynamic analysis. We’ve also announced the intention to acquire ArcSight, the industry-leading SIEM provider. Add those to the network IPS/threat research goodness TippingPoint has added, and you see why it's a massive understatement to say that HP security is an exciting place to be!


As we on the application security side strive to secure exponentially more complex web applications in environments with Web 2.0 technologies (HTML 5, anyone?), I'll be reaching out through this blog to posit crackpot theories about security best practices, risk reduction, emerging threats, enterprise pain points, and industry headlines; in addition, I will share HP application security news and ask your opinions about what's coming around the bend in the chaotic world of web application security.


In that spirit, let me ask you a couple of questions we're currently asking our customers:
 

1) What percentage of your apps are using Web 2.0/RIA (Rich Internet Application) technologies?

2) What technologies do your applications use... Silverlight? AJAX? Flash?


Please comment early and often!

Top Five Web Application Vulnerabilities 10/18/2010 - 10/31/2010

1) Cisco CiscoWorks Common Services Web Server Module Buffer Overflow Vulnerability

Cisco CiscoWorks Common Services is susceptible to a remote Buffer Overflow vulnerability because it fails to properly bounds check user-supplied data. This issue can be exploited to execute arbitrary code with system level privileges, possibly leading to a complete compromise of the affected system. Failed exploit attempts will likely result in a denial-of-service condition. Updates which resolve this issue are available. Contact the vendor for further details.

http://www.securityfocus.com/bid/44468

2) IBM Rational Quality Manager and Test Lab Manager Remote Code Execution Vulnerability

IBM Rational Quality Manager and Test Lab Manager is susceptible to a remote code execution vulnerability. An attacker can leverage this to execute arbitrary code in context of the Tomcat web server. Updates which resolve this issue are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/44172

3) HP Systems Insight Manager Multiple Vulnerabilities

HP Systems Insight Manager is susceptible to multiple vulnerabilities including Cross-Site Scripting and Cross-Site Request Forgery. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Cross-Site Request Forgery relies on a browser to retrieve and execute an attack. It includes a link or script in a page that connects to a site that the user may have recently used. The script then conducts seemingly authorized yet malicious actions on the user’s behalf. Updates which resolve these vulnerabilities are available. Contact the vendor for more information.

http://www.securityfocus.com/bid/44263
http://www.securityfocus.com/bid/44262

4) HP Insight Recovery Multiple Vulnerabilities

HP Insight Recovery is susceptible to multiple vulnerabilities including Cross-Site Scripting and an issue that attackers can leverage to download arbitrary files. Arbitrary script code can be executed in context of the affected site in the browsers of unsuspecting users if Cross-Site Scripting is successfully exploited. The arbitrary file download issue can be exploited to view files in context of the application, likely giving attackers information which could be utilized in formulating more damaging attacks. Updates which resolve these vulnerabilities are available. Contact the vendor for more details.

http://www.securityfocus.com/bid/44545
http://www.securityfocus.com/bid/44542

5) IBM Tivoli Access Manager for e-business Multiple Cross-Site Scripting Vulnerabilities

IBM Tivoli Access Manager for e-business is susceptible to multiple Cross-Site Scripting vulnerabilities. An attacker can leverage these issues to execute script code in the browsers of unsuspecting users in context of the affected application, possibly leading to theft of authentication credentials and other attacks. Updates which resolve these issues are available. Contact the vendor for additional details.

http://www.securityfocus.com/bid/44382
