HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and carry out a host of other malicious aims. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: December 2010

Fearless Security Predictions for 2011

As we gather around our holiday Yule logs and eggnogs, it's time to think about what lies ahead for the security world in 2011.

1) Applications will be the main attack vector, comprising 85% of total attacks in 2011. Application security WILL NOT comprise 85% of enterprise security budget spend, leaving enterprises open to damaging attacks.

2) Port 80 will continue pouring malware through wide-open firewalls, yet firewalls - which lack even basic application awareness - will continue as one of the largest line items in security budgets.

3) New threats will emerge (Yes, Virginia, there is a Stuxnet); old reliables such as cross-site scripting and SQLi will garner many fewer headlines while causing infinitely more damage. Make sure you address the fundamentals before worrying about new bogeymen such as "Advanced Persistent Threats" (which to this point is mostly a way to package existing attacks to more persistently threaten enterprise security budgets).

4) Security platforms will deliver complementary safeguards in an integrated, well-managed manner. Yes, I know you've been bitterly disappointed by endpoint protection platforms and UTMs, wherein a bunch of technologies are thrown in a bag and sold together, providing a chaotic, sub-optimal jumble. However, next-generation firewalls, secure web gateways - and, of course, hybrid application security scanning solutions - will change the game in 2011. Also, dynamic scanning will make web application firewalls much more effective.

5) Physical security and information security will still not merge.

6) "Compliance" will be as good a sales tool for savvy CISOs inside their organizations as it is for security vendors today. CISOs will learn the vendor FUD-laced vernacular of compliance and risk management, and will use it to drive new security projects into their organizations.

7) On a related note (to #6), QA departments will ramp up interest in QA security testing.

8) Securing the cloud will be much more critical than delivering security services from the cloud. "Cloud" will accelerate as a marketing term of art to help mundane tool vendors make their wares sound way cooler than they are.

9) Security industry consolidation will continue, but new vendors will still crop up to address new threat types quickly; the path to large-vendor acquisition will shorten.

10) Bad guys will innovate quickly; insiders will steal stuff voraciously; security vendors will react slowly - those who react fastest and most effectively will win in 2011.

HP Applications 11.0 helps accelerate the delivery of modern applications

Here's an interesting post about HP Applications 11.00, a collection of software, services and education designed to give IT applications teams the tools and knowledge to help them deliver secure, reliable applications on time and under budget (no small feat, that).

http://h30501.www3.hp.com/t5/Applications-Start-Here/Accelerate-the-delivery-of-modern-applications-Welcome-HP/ba-p/13565

Testing for Cross-Site Request Forgery Just Got a Lot Easier

What a waste... In this most frigid season, sea surf (CSRF) is up!

Over the past couple of years, Cross-Site Request Forgery has become one of the most prevalent and dangerous web application security vulnerabilities. Developers have had a hard time preventing it from sneaking into their code, and security experts have had a hard time finding it when it has. There have been several prominent CSRF holes found and exploited in the past year, including a very embarrassing (and brand-diminishing) Facebook vulnerability.

OWASP provides a great definition of this pernicious vulnerability, which it ranks #5 in its Top 10 AppSec Risks for 2010:

"CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help of social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application. "

Successful CSRF exploits can be almost unlimited in their business impact - the impact is limited only by the level of access the user enjoys.
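To make the definition concrete, here is a small added model of a money-transfer handler in its CSRF-vulnerable form beside a version protected with a per-session synchronizer token. This is illustration code written for this page, not HP or WebInspect code; the `Request` object, the in-memory `SESSIONS` store, the account balances and the `transfer_*` handler names are all constructed for the example.

```python
"""Added example: a CSRF-vulnerable transfer handler beside one protected by a
per-session synchronizer token. Illustration only; not HP/WebInspect code."""
import hmac
import secrets
from dataclasses import dataclass, field

# Server-side session store (constructed for the example): cookie value -> data.
SESSIONS = {}


@dataclass
class Request:
    """What the server sees: HTTP method, cookies the browser attached, form body."""
    method: str
    cookies: dict
    form: dict = field(default_factory=dict)


def login(user):
    """Create a session and return the cookie value the browser will store."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "balance": 1000}
    return sid


def current_session(req):
    return SESSIONS.get(req.cookies.get("sid"))


def transfer_vulnerable(req):
    """Authenticates with the session cookie alone. A victim's browser attaches
    that cookie to a request forged by another site, so the check passes."""
    sess = current_session(req)
    if sess is None:
        return "401 not logged in"
    amount = int(req.form["amount"])
    sess["balance"] -= amount
    return "200 sent %d to %s" % (amount, req.form["to"])


def issue_csrf_token(sid):
    """Unpredictable per-session token the server embeds in its own forms."""
    token = secrets.token_urlsafe(32)
    SESSIONS[sid]["csrf"] = token
    return token


def transfer_protected(req):
    sess = current_session(req)
    if sess is None:
        return "401 not logged in"
    if req.method != "POST":
        return "405 state change must be POST"  # an <img src> is enough to send a GET
    expected = sess.get("csrf")
    supplied = req.form.get("csrf", "")
    # Constant-time comparison; encode so a non-ASCII guess cannot raise TypeError.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "403 missing or invalid CSRF token"
    amount = int(req.form["amount"])
    sess["balance"] -= amount
    return "200 sent %d to %s" % (amount, req.form["to"])


def demo():
    """Victim is logged in; an attacker's page auto-submits a form to our site."""
    sid = login("victim")
    # The browser adds the victim's cookie, but the attacker's page cannot read
    # the token out of our form (same-origin policy), so it cannot include one.
    forged = Request("POST", {"sid": sid}, {"to": "attacker", "amount": "500"})
    vuln = transfer_vulnerable(forged)
    token = issue_csrf_token(sid)
    blocked = transfer_protected(forged)
    legit = Request("POST", {"sid": sid},
                    {"to": "friend", "amount": "100", "csrf": token})
    ok = transfer_protected(legit)
    return vuln, blocked, ok, SESSIONS[sid]["balance"]


if __name__ == "__main__":
    print(demo())
```

The forged request carries the victim's session cookie because the browser attaches it automatically; what the attacker's page cannot do is read the token out of the victim's own copy of the form, so the protected handler refuses the request while the vulnerable one moves the money. The token is checked with `hmac.compare_digest` so a wrong guess cannot be refined byte by byte through timing, and state changes are refused over GET, since a simple image tag on a hostile page is enough to trigger one.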

At the risk of spreading FUD, I must come clean and admit that black box testing solutions have done, to this point, an inadequate job (as RSnake points out in this post) of identifying CSRF vulnerabilities. This applies to all commercially-available scanners.

This week, HP's Web Security Research Group has made life infinitely more difficult for CSRF-dealers trying to exploit web applications tested by WebInspect 8.1. Essentially, the ability to find these vulnerabilities is greatly enhanced, and false positives are drastically reduced through a check that adds important criteria to validate a potential CSRF vulnerability. These new measures are available to current users who load the most recent batch of WebInspect SmartUpdates.
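The post does not say what the new WebInspect validation criteria are, so the following added example shows one heuristic a black-box scanner can apply to cut CSRF false positives; it is written for this page and is not HP's implementation. The idea: fetch the page in two unrelated logged-in sessions and report a state-changing (POST) form only if no hidden field is present in both renderings, differs between the sessions, and has enough entropy to plausibly be an anti-CSRF token. The two HTML pages, the token values and the function names are constructed for the example.

```python
"""Added example: a scanner-style heuristic for finding POST forms that lack an
anti-CSRF token. Not WebInspect's actual check; pages and tokens are constructed."""
import math
from html.parser import HTMLParser


class FormExtractor(HTMLParser):
    """Collects every <form> with its method, action and hidden input values."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._cur = {"method": (a.get("method") or "get").lower(),
                         "action": a.get("action") or "",
                         "hidden": {}}
        elif tag == "input" and self._cur is not None:
            if (a.get("type") or "text").lower() == "hidden":
                self._cur["hidden"][a.get("name") or ""] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form" and self._cur is not None:
            self.forms.append(self._cur)
            self._cur = None


def extract_forms(markup):
    parser = FormExtractor()
    parser.feed(markup)
    parser.close()
    return parser.forms


def shannon_bits(value):
    """Rough entropy estimate (bits) for a single token sample."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    per_char = -sum(c / n * math.log2(c / n) for c in counts.values())
    return per_char * n


def has_anti_csrf_token(form_a, form_b, min_bits=40.0):
    """A hidden field is accepted as a token only if it appears in both
    sessions, differs between them, and is not trivially guessable."""
    for name, value_a in form_a["hidden"].items():
        value_b = form_b["hidden"].get(name)
        if value_b is None or value_a == value_b:
            continue
        if shannon_bits(value_a) >= min_bits:
            return True
    return False


def find_csrf_candidates(page_session_a, page_session_b):
    """Return (method, action) of POST forms that lack a per-session token."""
    forms_b = {(f["method"], f["action"]): f for f in extract_forms(page_session_b)}
    findings = []
    for f in extract_forms(page_session_a):
        if f["method"] != "post":
            continue  # GET forms are usually search/navigation; other checks cover them
        twin = forms_b.get((f["method"], f["action"]))
        if twin is None or not has_anti_csrf_token(f, twin):
            findings.append((f["method"], f["action"]))
    return findings


# Constructed sample: the same page rendered in two unrelated logged-in sessions.
PAGE_SESSION_A = """
<form method="get" action="/search"><input name="q"></form>
<form method="post" action="/profile/email">
  <input type="hidden" name="uid" value="1042">
  <input type="email" name="email"><input type="submit" value="Save">
</form>
<form method="post" action="/transfer">
  <input type="hidden" name="csrf" value="k7Qp2ZxLm9Ve4RtY8nBw1Cs6Hd3Jf0Ag">
  <input name="to"><input name="amount"><input type="submit" value="Send">
</form>
"""
PAGE_SESSION_B = PAGE_SESSION_A.replace("1042", "1043").replace(
    "k7Qp2ZxLm9Ve4RtY8nBw1Cs6Hd3Jf0Ag", "Rz5Wn8Mt2Lq0Xc7Vb4Ky1Hs9Gd6Fp3Je")

if __name__ == "__main__":
    print(find_csrf_candidates(PAGE_SESSION_A, PAGE_SESSION_B))
```

Running `find_csrf_candidates(PAGE_SESSION_A, PAGE_SESSION_B)` reports only the `/profile/email` form: its `uid` field changes between sessions but is trivially guessable, while `/transfer` carries a genuine token. Feeding the same rendering in for both sessions also flags `/transfer`, because a hidden value that never changes is a constant, not a token. Treat a hit as a candidate to confirm by replaying the request without the field: the server may be checking the Origin or Referer header instead, which this static look at the form cannot see.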

For those who do not currently hold WebInspect 8.1 licenses,  download a trial version from this page. Run it against this test site, and see just how vulnerable Web apps are to these exploits; if you really want a scare, take the next step, contact HP, and run it against your own site.

 

Top Five Web Application Vulnerabilities 11/29/2010 - 12/12/2010

1) JBoss Enterprise Application Platform Multiple Remote Vulnerabilities

JBoss Enterprise Application Platform is susceptible to multiple vulnerabilities including remote code execution and Cross-Site Request Forgery. Successful exploitation will give an attacker the means to execute arbitrary code within the context of the affected application, deny access to legitimate users, and perform certain administrative functions. Updates which resolve these issues are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/45148

2) Citrix Web Interface Cross-Site Scripting Vulnerability

Citrix Web Interface is susceptible to a Cross-Site Scripting vulnerability. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious script in the browsers of end users. Updates which resolve this vulnerability are available. Contact the vendor for further details.

http://www.securityfocus.com/bid/45291

3) Google Web Optimizer Control Script Cross-Site Scripting Vulnerability

Google Web Optimizer is susceptible to a Cross-Site Scripting vulnerability. Arbitrary script code can be executed in the context of the affected site in the browsers of unsuspecting users if this vulnerability is successfully exploited. As of this writing, a fix has yet to be released. Contact the vendor for more information.

http://www.securityfocus.com/bid/45310

4) Apache Archiva Cross-Site Request Forgery Vulnerability

Apache Archiva is susceptible to a Cross-Site Request Forgery vulnerability. Cross-Site Request Forgery leverages the trust a web application places in a user's browser to make authenticated requests to a site the user is logged in to, and can be used to abuse any type of functionality the target web application contains. Updates which resolve this vulnerability are available. Contact the vendor for additional details.

http://www.securityfocus.com/bid/45095

5) IBM Rational ClearQuest CQ Dojo Toolkit Cookie Information Disclosure Vulnerability

IBM Rational ClearQuest is susceptible to a remote information disclosure vulnerability that could give an attacker the means to access cookies. Updates which resolve this vulnerability are available. Contact the vendor for more information.

http://www.securityfocus.com/bid/45370

Cyber War? Not so much (at least for now)

Remember the old episode of Star Trek where wars were only fought virtually? Granted, citizens deemed virtual casualties still had to enter the extermination chamber, so it wasn't without consequence. Apart from the nuisance (and in the case of Visa, having to switch to serving the majority of their site through Akamai), the WikiLeaks cyber skirmishes barely registered any real-world consequences at all (media hysteria notwithstanding). So, it's not hard to see why the pundits are going out of their way to dismiss these attacks as nothing. Even if the damages were insignificant, the attacks do serve to illustrate a few points.

If your organization takes any kind of controversial stance, you will be attacked. Sarah Palin is lucky caribou don't control botnets. Visa, MasterCard, and PayPal might have been better served to shift the blame to the old standby scapegoat, the government.

DDoS attacks have been around a long time. What's different now is the ease with which they can be conducted. Operation Payback let users 'infect' themselves, as it were, to contribute to the attacks.

The WikiLeaks skirmishes are little more than the brush wars of digital warfare. Bruce Schneier (shocker) had some great insight:

"Calling the WikiLeaks back-and-forth a cyber war is "completely idiotic," said Bruce Schneier, chief security technology officer of BT, a communications company. 'War. W-A-R. It's a big word,' Schneier said. 'How could this be a cyber war? It's certainly a cyber attack, right? It's certainly politically motivated. But this stuff has been going on for a couple of decades now. Do you mean there have been thousands of wars that haven't been noticed? It doesn't make any sense at all. If there was a war, you'd know it, and it would probably involve tanks and artillery -- as well as cyber weapons.'"

He's right, this is not a war...yet. Stuxnet makes me wonder, though, how close we are. We've already seen a weaponized virus that was extremely fine-tuned to inflict damage on Iran's nuclear program. I'm not convinced there isn't a digital Dien Bien Phu event lurking on the horizon where cyber attacks are used to level the playing field between small groups or nations and the established powers. How long, really, before a cyber attack actually costs human life? What would you call it then?

Managing Web Application Vulnerabilities in Multiple Browsers

Customers often ask how they can test whether a given web application is secure or insecure in a given web browser. The issue of browser variation in web application security is a complex one, but here are a few key points I like to cover with customers:

  1. WebInspect doesn't use a browser to make requests. It uses its own scanning engine to create raw requests to check for vulnerabilities. It is true that WebInspect does send a User-Agent string along with requests, and that this is by default set to impersonate Internet Explorer, but this should not be confused with emulating Internet Explorer: the header only influences what the server chooses to send back.

  2. Our scanning engine is focused on finding vulnerabilities on the server side more so than the client side. How browsers handle malicious content is a separate issue altogether, as this is not a matter of what questions are asked (the requests), but rather how the answers are handled, e.g. malformed PDFs, evil JavaScript, etc.

  3. Consider that it's not just that browsers differ from one to the next, but also that even within a single browser there can be massive differences in vulnerability levels from one version to the next, and new versions are released constantly. As such, in order to properly test a given environment on the browser side you'd have to maintain an inventory of all browsers used, and all versions of each browser.

  4. Keep in mind that we're talking web security here, i.e. keeping the web applications as secure as possible. In that role we don't have the option of controlling the browsers that visiting customers use. Our best approach is to reduce the number of vulnerabilities present on the server so that there will be fewer vulnerabilities that the customer's browser will have to handle, whatever their browser (and version) may be.

Notes

1 Post vector graphic from webdesignhot.com.

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation