HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: February 2010

Now Hiring: HP Application Security Center QA Engineer

Job Description
The HP Application Security Center group (HP ASC) is in search of a full-time Quality Assurance Engineer who is available to begin immediately.  HP ASC provides software and services to help enterprises protect against the loss of confidential data through the web application layer.  The company's flagship product line, WebInspect, assesses the security of an organization's applications and web services, the most vulnerable yet least secure IT infrastructure component.  Software developers, quality assurance professionals, corporate security auditors and security practitioners use WebInspect products throughout the application lifecycle to identify security vulnerabilities that would otherwise go undetected by traditional measures such as automated application testing tools, network firewalls, intrusion detection systems, or manual code reviews.


The ideal candidate for this position is someone who has a strong web application security background and an interest in performing technical quality assurance on commercial grade applications, and component and network-based enterprise applications.  A solid knowledge of HTTP and HTTPS protocols is required. The ideal candidate will have a web application development background. The position will include building test cases, configuring test environments, tracking defects, and performing regression testing in an independent environment. The ideal candidate must thrive in a fast-paced, hard-working development team and have a passion for keeping up to date on the latest technologies.  Mercury test tool experience is a plus.




-          Internet security background (including Web application security).


-          Experience With Web Technologies (Javascript, HTML, PHP, ASP, JSP, Ruby, Python,XML, Flash, Silverlight …)


-          Solid knowledge of HTTP and HTTPS protocols.


-          Experience with SQL Server and/or SQL Express.


-          Experience providing quality assurance in a Microsoft environment (.NET, Windows 2003, Windows XP, IIS.) is a plus.


-          Experience using the Mercury Interactive test tools is a plus.


-          Strong communication skills, both written and verbal.


-          Independent, self-motivated worker requiring little supervision.


-          Strong problem solving skills.


-          Degree in computer science, computer information systems or related field of study.




QA Engineer - HP Application Security Center (HP Software) Alpharetta, GA (Pipeline)-392594





Click here to apply online.


Agile security testing more costly when not included

While business cycles shortened, the need to deliver quality software at a much faster rate only increased. With this pressure came the shift from the 'waterfall' development approach (with its sequential, orderly milestones) to the Agile development methodology. The strength of Agile is that it can save organizations significant amounts of development time while still allowing them to deliver high-quality software. With Agile's fast pace, though, it's easy to see how many organizations would simply consider testing for application security defects to be too costly in terms of both time and resources.

But in reality, the financial cost of not including security testing within the Agile methodology can far outweigh the short-term benefits of not including it. Producing insecure software dramatically raise the costs of correction. According to the National Institute of Standards and Technology (NIST), it is 6.5 times more expensive to fix a flaw in development than during design, 15 times more in testing, and 100 times more in development.

Lack of application security testing also jeopardizes compliance with federal regulations such as HIPPA, PCI, and Sarbanes-Oxley (each of which has hefty fines for electronic data breaches). More than three-quarters of cyber attacks are directed against web applications. The danger today is not a single incursion that steals data, but a single incursion where malware is left behind and thefts can continue across a much larger period of time. Leaving one hole can quickly result in disaster.

It’s obvious that security is only ignored at your own organizational peril. But how do you incorporate security testing into the Agile methodology without grinding progress to a halt? Dennis Hurst has written an excellent white paper which documents how to do that. It’s available for download from here:

HP Agile White Paper

You can also read a case study of how an organization included secure Agile testing as part of their application development lifecycle here:


Top Five Web Application Vulnerabilities 1/25/10 - 2/14/10

1) SAP BusinessObjects URI Redirection and Cross-Site Scripting Vulnerabilities

SAP BusinessObjects is susceptible to multiple URI Redirection and Cross-Site Scripting vulnerabilities. These vulnerabilities can be exploited to execute code in the browser of an unsuspecting user, redirect users to malicious sites, and steal cookie-based authentication credentials. Fixes have not yet been released. Contact the vendor for additional information.


2) HP System Management Homepage 'servercert' Parameter Cross-Site Scripting Vulnerability

HP System Management Homepage is susceptible to a Cross-Site Scripting vulnerability. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. A solution has been released. Contact the vendor for further details.


3) Cisco Secure Desktop 'translation' Cross-Site Scripting Vulnerability

Cisco Secure Desktop is susceptible to a Cross-Site Scripting vulnerability. An attacker can leverage these issues to execute script code in the browsers of unsuspecting users in context of the affected application, possibly leading to theft of authentication credentials and other attacks. Updates which resolve this issue are available. Contact the vendor for more information.


4) SAP WebDynpro Runtime Unspecified HTML Injection Vulnerability

SAP WebDynpro Runtime (included with SAP NetWeaver) is susceptible to an HTML Injection vulnerability. HTML Injection is used to place ‘content’ in a web server’s response which can be used to steal cookie-based authentication credentials, execute arbitrary code in context of the site, or simply alter how the site appears. Updates which resolve this issue are available. Contact the vendor for further details.


5) Apache Tomcat Directory Host Appbase Authentication Bypass Vulnerability

Apache Tomcat is susceptible to an authentication-bypass vulnerability. Successful exploitation would give an attacker unauthorized access to confidential files and directories. A patch which corrects this issue has been released. Contact the vendor for additional information.


On Web Application Scanner Comparisons...

On Wednesday, 2/3/2010, there was a report released by Larry Suto which promoted itself as reporting the "accuracy and time costs" of using web application scanners to identify vulnerabilities. This is the second review we’ve seen from Larry Suto (the first was in 2007 and compared HP WebInspect, IBM AppScan and NTO Spider). Unfortunately, there was quite a bit of controversy regarding his 2007 review due to the methodologies and overall incompleteness of the analysis performed on each web application scanner. This year, Larry released a report comparing several more web application scanners and has clearly spent quite a bit of time analyzing and collecting a large amount of data. Unfortunately, we believe that this report is not completely accurate and is incorrectly representing WebInspect as a product. Given that Larry’s report was targeted for the overall security community, it is particularly important that every vulnerability reported by each web application scanner be scrutinized to conclusively differentiate false positives and false negatives from correct findings. We are confident that this was quite an undertaking and will improve the state of application security as a whole.

As we mentioned, we believe HP WebInspect has been significantly misrepresented in this report. Of course this is the response anyone would expect from the vendor, but that doesn’t reduce its validity. We encourage anyone to download the trial version of WebInspect and scan these demo sites; we don’t wish to hide or mislead anyone within the security community, therefore we would be glad to provide an evaluation license that is capable of scanning any of the demo sites to interested parties. In order to perform our analysis, we focused on the vulnerabilities mentioned in Suto’s report excluding other vulnerabilities that WebInspect identifies. We believe this is overlooking a significant value proposition of WebInspect; however, this will allow us to fairly and accurately benchmark ourselves against the report. The percentage comparison is also unfairly weighted against vendors whose sites expose more vulnerabilities than others. For example, NTO’s Webscantest exposes a supposed forty-seven vulnerabilities, while Acunetix’s AspNet and PHP sites only expose a combined thirty-five. This is a poor statistical comparison between vendors, as it is clear that NTO’s applications will likely find all vulnerabilities on their demo site giving them a significantly higher starting point than other vendors.

After having completed our own research, we found that WebInspect discovered over twice the number of vulnerabilities that Suto reported. These scans were based on a zero-configuration “point-and-shoot” (completely default settings) scan of each of the demo web applications with simple user login scripts recorded to provide parity with the reports “point-and-shoot” methodology. It is important to note, that our default settings are optimized for normal sites, not sites full of quirky bugs to showcase parser/crawler edge-cases; handling these edge-cases by default would increase the scan time significantly (as highlighted in Suto's report) and by default our stance is to balance performance and edge-case-handling. We also identified several vulnerabilities that we believe to be false positives or not consistent representations with the author’s vulnerability results. Beyond the "reported" vulnerabilities, we have also found that WebInspect identifies several vulnerabilities in other vendors websites not mentioned in the report. Each of these findings and methodologies used by Suto raise serious doubts about the validity of the conclusions reached within his report for WebInspect as well as the other vendor’s scanners. And as we said before, we encourage the security community to validate our claims here as well.

Larry Suto states he selected this methodology in order to provide results that are reproducible to the greater security community. As you can see, we took that sentiment to heart. Keep in mind that we, the Web Security Research Group, routinely analyze the accuracy of the Application Security Centers products and improve them through research and daily updates of our vulnerability database. This is an ongoing effort focused on improving the accuracy and reproducibility of vulnerabilities that our products identify. I certainly wouldn’t call myself a traditional scientist, but security practitioners should validate the results of any other researcher prior to assuming any results were cannon.

You can download a trial version of WebInspect from the following location: http://bit.ly/uKb4I However, you will still need a special license to scan all the test applications utilized in the report. Please email Mark Painter at mark.painter@hp.com to receive assistance in aquiring a license.



Personal Health Information safety rules not being enforced

Although it didn't get a lot of publicity at the time, a November survey by the Healthcare Information and Management Systems Society (HIMSS) discovered that 1 in 4 responders had no procedure in place to conduct a security risk analysis to identify potential issues with electronic personal health information.

That's an incredible amount of HIPPA violations. The coffers must be absolutely stuffed with revenue from fines. And, yet, not so much. Is it really possible there hasn't been a single penalty for a HIPPA violation concerning a data breach? It's definitely not for lack of breaches. Those continue to occur at a rapidly increasing rate.

When you really get to the heart of the matter, compliance is about setting a benchmark by performing an initial security risk assessment, fixing any issues, and then repeating those tests on a regularly scheduled basis. It's not perfect (PCI compliance didn't help Heartland Payment Systems), but it's a federal regulation for a reason. It's a good start. It’s apparent from this survey and other sources that the transition to electronic medical records is not being matched by a commitment to secure personal health information.

Enforcement of the new HITECH security breach notification rules begins on February 23, 2010. Will the government use the teeth in these regulations, or will it be more of the same? There's at least been one case (http://www.ct.gov/ag/cwp/view.asp?A=2341&Q=453918) brought by a newly powered state attorney general. Hopefully they will do a better job of enforcement than the Department of Health and Human Services.



Showing results for 
Search instead for 
Do you mean 
About the Author(s)
HP Blog

HP Software Solutions Blog


Follow Us
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.