HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and pursue a host of other malicious ends. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms, unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: April 2011

Was the Playstation breach a good thing?

Whenever there is a massive data breach, bloggers and assorted punditry alike proclaim that this is it...this is when we move from the age of the data breach to the age of data security. This is when corporations stop saying security is important and instead act like it.

I'm not quite convinced we've reached critical mass just yet. But we are definitely being goosed towards some sort of sea change. Here's where we seem to stand as we climb the hill towards the tipping point:

  

  • It's hard to call data security anything but broken. Breaches continue to grow in both number and seriousness.
  • Penalties for failing to disclose data breaches in a timely fashion outweigh penalties for failing to secure data in the first place. There are no penalties for failing to secure – until there's a breach.
  • Governments around the world are lining up to take a big fat bite out of Sony.
  • The payoff to keep their customers 'happy' is going to be massive.
  • This is going to wind up being the costliest data breach on record (at least until the next one).
  • Consumers are not yet irate enough to demand change. The longer the Playstation network stays unavailable, the more likely that is to change, at least in this instance.
  • Hackers who know how Sony handles security think the relationship between the client and the server was the source of the breach. If you trust that relationship without adding security to it, you're simply asking for trouble, even if you think you own the client: a client you ship can still be modified or impersonated, so anything it sends has to be validated on the server.
  • Organizations still haven't figured out how to notify customers of data breaches without initial awkward missteps. Waiting a week to notify their customers was clumsy, at best.

 

So, how was this a good thing? OK, it wasn't, but some positives can come from it. So how do we turn those frowns upside down? For one thing, it's hard to imagine that Sony will take security lightly in the future. If nothing else, this is going to serve as a warning to other organizations like no other breach has before. And in the 'double-edged sword' category, we're likely to see some actual bipartisan (gasp!!) movement towards legislation trying to improve data security. At some point, security is just going to be part of the cost of doing business instead of something slapped on at the end. Baked in, not brushed on...your day is coming.

Need to implement an application security program? Try HP Application Security Center on SaaS

All organizations understand that web application security is important. There have been too many breaches, fines, and outlandish movie plots to think otherwise. The problem isn't that organizations don't want to secure their web applications...of course they do. It's just that a lot of them have no idea of where to start, while others have misconceptions about web application security that lead them to believe they are more secure than they really are.

It's a daunting challenge, to say the least. A recent survey of web application security practices revealed that a full quarter of the respondents didn't know how many web applications they have. 20% of the respondents performed no application security testing whatsoever, and another 40% only tested 5% of their applications. Others thought their ISP would automatically protect their web applications. None of that is exactly comforting.

So how do organizations with limited budgets and no idea of where to begin get the most bang for their security bucks? The HP Application Security Center on SaaS offering is a good beginning. It enables you to jumpstart your web application security program and avoid the pitfalls that can imperil application security efforts. What SaaS provides is not a solution for customers who simply want a snapshot of their current web application security landscape. It's designed for organizations who want to build a web application security program from the ground up, and do it right. For a lot of organizations who don't have the resources to do that, it offers the most effective and beneficial solution. The SaaS model provides a managed environment that minimizes the need for additional in-house resources, whether personnel, servers, or systems. Our team can help you establish a security program or provide turn-key security assessment services to augment your security program. With HP ASC on SaaS, your organization stays protected from costly security breaches, remains compliant with government and industry regulations, and even reduces the long-term costs associated with secure application development and maintenance.

 

For more information, visit https://portal.saas.hp.com/site/html/asc.mss

 

Top Ten Web Application Vulnerabilities 4/4/2011 - 4/17/2011

1) Computer Associates Total Defense Multiple Vulnerabilities

Computer Associates Total Defense is susceptible to multiple vulnerabilities including remote code execution and SQL Injection. Successful exploitation of the remote code execution vulnerabilities would give an attacker the means to execute arbitrary code with elevated privileges, possibly leading to a complete system compromise. Failed attempts will likely result in a crash of the affected service. SQL Injection can give an attacker full access to the backend database, and in certain circumstances can be leveraged to take complete control of a system. Updates which resolve these vulnerabilities are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/47355
http://www.securityfocus.com/bid/47356
http://www.securityfocus.com/bid/47357

2) Novell ZENworks Configuration Management ZAM File Remote Code Execution Vulnerability

Novell ZENworks Configuration Management is susceptible to a remote code execution vulnerability. Successful attacks will give an attacker the means to execute arbitrary code in the context of the ZENworks user and lead to a complete system compromise. Failed attempts will likely result in a denial-of-service condition. Updates which resolve this issue are available. Contact the vendor for more details.

http://www.securityfocus.com/bid/47295

3) Ruby on Rails Cross-Site Scripting Vulnerability

Ruby on Rails is susceptible to a Cross-Site Scripting vulnerability. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Updates which resolve this issue are available. Contact the vendor for further details.

http://www.securityfocus.com/bid/47186

4) SAP NetWeaver Multiple Cross-Site Scripting and Information Disclosure Vulnerabilities

SAP NetWeaver is susceptible to multiple Cross-Site Scripting and information disclosure vulnerabilities. Cross-Site Scripting can be exploited to execute script in the browser of an unsuspecting user and steal cookie-based authentication credentials. The information disclosure vulnerabilities can be leveraged to gain access to confidential information that could likely be utilized in orchestrating more damaging attacks. Updates which resolve these issues are available. Contact the vendor for more information.

http://www.securityfocus.com/bid/47360
http://www.securityfocus.com/bid/47391

5) HP Network Node Manager Unspecified Cross-Site Scripting and Unauthorized Access Vulnerabilities

HP Network Node Manager is susceptible to Cross-Site Scripting and unauthorized access vulnerabilities. Arbitrary script code can be executed in the context of the affected site in the browsers of unsuspecting users if Cross-Site Scripting is successfully exploited. The unauthorized access vulnerabilities can be leveraged to gain unintended access to the application. Updates which resolve these issues are available. Contact the vendor for additional details.

http://www.securityfocus.com/bid/47341

6) BlackBerry Enterprise Server Web Desktop Manager Component Cross-Site Scripting Vulnerability

The Web Desktop Manager component of BlackBerry Enterprise Server is susceptible to Cross-Site Scripting. An attacker can leverage Cross-Site Scripting to execute script code in the browsers of unsuspecting users in the context of the affected application, possibly leading to theft of authentication credentials and other attacks. Contact the vendor for additional information.

http://www.securityfocus.com/bid/47324

7) McAfee Firewall Reporter 'GernalUtilities.pm' Authentication Bypass Vulnerability

McAfee Firewall Reporter is susceptible to an authentication bypass vulnerability. Successful exploitation will give an attacker access to sensitive information which could likely be leveraged to conduct more damaging attacks. Fixes which resolve this issue have been released. Contact the vendor for further details.

http://www.securityfocus.com/bid/47306

8) WordPress Multiple Security Vulnerabilities

WordPress is susceptible to multiple vulnerabilities including Cross-Site Scripting and Cross-Site Request Forgery. If exploited, these vulnerabilities could lead to the theft of confidential information and authentication credentials, execution of malicious scripts in the browsers of unsuspecting users, or abuse of the trust a web application places in a user. Updates which resolve these vulnerabilities are available. Contact the vendor for more information.

http://www.securityfocus.com/bid/47187

9) HP Photosmart Printers Multiple Security Vulnerabilities

HP Photosmart Printers are susceptible to multiple security vulnerabilities including Cross-Site Scripting and information disclosure. Cross-Site Scripting can be exploited to execute script in the browser of an unsuspecting user and steal cookie-based authentication credentials. The information disclosure vulnerability can be leveraged to gain access to confidential information that could likely be utilized in orchestrating more damaging attacks. Updates which resolve these issues are available. Contact the vendor for further information.

http://www.securityfocus.com/bid/47319

10) Apache Tomcat HTTP BIO Connector Information Disclosure Vulnerability

Apache Tomcat is susceptible to an information disclosure vulnerability. Successful exploitation would give an attacker access to sensitive information which could likely be utilized in conducting more dangerous attacks. Updates which resolve this vulnerability are available. Contact the vendor for additional details.

http://www.securityfocus.com/bid/47199

Walking and Chewing Gum at the Same (Real) Time

Putting the "Real-Time" in "Hybrid Analysis" (While Delivering Dynamic Scanning Goodness)

My wife tells me that men are terrible at multi-tasking. While this is very true in my case, it is not at all true of the men and women comprising HP's application security team. While HP Application Security Center (previously known as SPI Dynamics) has innovated a new paradigm for "Hybrid Application Security" with HP Fortify, we have continued building our best-of-breed dynamic testing portfolio.

 

********

I. Walking

 

HP has released its "Real-Time Hybrid Analysis" solution, announced today. Its enabling technologies include recent releases of HP Fortify 360 v3.0 and HP Application Security Center v9.0. 

 

The term "Hybrid application security" has been around since at least 2006. It describes the proposition that security testers should be able to test effectively across the development lifecycle, correlate the results, and make remediation less painful. Within this vision, dynamic web application testing tools and static source code security testing tools would interact and improve each other in several significant ways.

 

The problem with other "Hybrid" solutions is that, while correlation can occur on the back end (often painfully), the static and dynamic pieces, by themselves or together, have no way to produce real-time or even near-real-time application security intelligence. What you end up with is a pair of point solutions with correlated results, and nothing more.

 

HP has now tackled this problem in a new and innovative way. HP's solution includes runtime analysis technology, which maintains a "watch" on the application and can observe security attacks in the code as they happen. Runtime analysis also takes results of dynamic scans and then connects them directly to source code analysis, revealing hidden vulnerability relationships and exposing root cause within the application source code. This allows security teams to increase the relevance of security testing results, reduce the time to fix security issues, and prioritize vulnerabilities and resources more intelligently.

 

In addition, HP has recently integrated its dynamic and static testing solutions into HP Fortify On Demand, providing a one-stop delivery platform for fast, accurate, cost-effective security-as-a-service.

 

II. Chewing gum

 

As the Real-Time Hybrid Analysis vision has been realized, HP Application Security Center has continued innovation for its products. HP WebInspect 9.0 and HP Assessment Management Platform (AMP) 9.0 have been developed with three primary goals: 1) Focus on the security tester's job (by improving performance and making life easier); 2) Improve performance against emerging complex web applications; and 3) Add even more advanced vulnerability detection technology.

 

We focused on the tester's job by introducing vulnerability review with re-test, giving a tester charged with verifying fixes the ability to identify, re-run and re-test the COMPLETE path to a critical vulnerability; and to identify and directly compare changes in the application's behavior from previous testing. In our AMP 9.0 product, we have introduced "Assessment Workspaces". These build a single point of record for application security assessments to support Security Intelligence initiatives; correlate vulnerabilities across scans and across technologies; and provide a way to build off of previous Assessments.

 

To accomplish goal #2 (enhancing our performance against complex web apps), we have leveraged cross-HP web services technology and expertise; enhanced our action-based macro recorder; and provided post-scan analysis and recommendations.

 

Finally, goal #3 is realized as we introduce a new timing-based method to detect blind SQL injection; attack the problem of DOM-based cross-site scripting in unique, innovative ways with a new vulnerability detection engine; and identify application locations susceptible to cross-site request forgery (CSRF).
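The timing-based blind SQL injection check mentioned above, written out as an added example. This is not WebInspect's code and not from the original post: the target is a constructed SQLite-backed lookup with a Python function registered as `sleep` to stand in for MySQL's SLEEP() or SQL Server's WAITFOR DELAY, and the table, the payload strings and the 80% threshold are all assumptions made for the illustration. The vulnerable lookup concatenates input into the statement; the hardened one binds it as a parameter. The detector sends two probes with different delays, because a single slow response can be network jitter, whereas a response time that tracks the requested delay means the sleep actually ran inside the query.

```python
import sqlite3
import statistics
import time


def make_lookup(vulnerable):
    """Constructed stand-in for a web application's database lookup (assumption).

    SQLite has no SLEEP(); a Python function is registered under that name so
    that a timing payload behaves the way MySQL's SLEEP() would.
    """
    conn = sqlite3.connect(":memory:")
    conn.create_function("sleep", 1, lambda seconds: time.sleep(seconds) or 0)
    conn.execute("CREATE TABLE users (id TEXT, name TEXT)")
    conn.execute("INSERT INTO users VALUES ('1', 'alice')")

    def lookup(user_id):
        if vulnerable:
            # String concatenation: the caller controls part of the statement.
            sql = "SELECT name FROM users WHERE id = '" + user_id + "'"
            return conn.execute(sql).fetchall()
        # Parameter binding: the input can only ever be a value, never SQL.
        return conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()

    return lookup


def median_seconds(lookup, value, samples=3):
    """Median wall-clock time of `samples` requests carrying the same input."""
    times = []
    for _ in range(samples):
        start = time.perf_counter()
        lookup(value)
        times.append(time.perf_counter() - start)
    return statistics.median(times)


def detect_time_based_sqli(lookup, delay=0.2, samples=3):
    """Return True when an injected sleep measurably delays the response.

    The first probe asks for `delay` seconds, the second for twice that; only
    when both delays show up (minus 20% slack for scheduling noise) is the
    parameter reported as injectable.
    """
    baseline = median_seconds(lookup, "1", samples)
    probe = "' OR sleep(%s)=0 --" % delay
    probe_x2 = "' OR sleep(%s)=0 --" % (2 * delay)
    t1 = median_seconds(lookup, probe, samples)
    t2 = median_seconds(lookup, probe_x2, samples)
    return (t1 - baseline) >= 0.8 * delay and (t2 - baseline) >= 0.8 * 2 * delay


if __name__ == "__main__":
    print("vulnerable lookup injectable:", detect_time_based_sqli(make_lookup(True)))
    print("hardened lookup injectable:  ", detect_time_based_sqli(make_lookup(False)))
```

Against a real target the same logic runs over HTTP with each parameter probed in turn, and the payload has to match the backend's dialect (pg_sleep() on PostgreSQL, WAITFOR DELAY on SQL Server); the two-delay confirmation is what keeps a busy server from producing false positives.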

 

********

Clearly, given our success in delivering Real-time Hybrid Analysis as we have continued to separate ourselves from the dynamic application security testing field, we can walk and chew gum at the same time.

 

Just don't ask me to listen to songs I enjoy as I'm writing. Security blog posts and Frank Zappa lyrics are best left unmingled.

 

Watch out where the huskies go, and don't you eat that yellow snow.

 

HP's "Top Cyber Security Threats" Report Helps to Navigate Stormy, Vulnerability-Infested Waters

"The fishermen know that the sea is dangerous and the storm terrible, but they have never found these dangers sufficient reason for remaining ashore."

 

-- Vincent van Gogh

 

Van Gogh is correct. In our increasingly-connected, ever-webby world, we can't let fear of the threatening stormclouds of bad guys stop us from maximizing our business and personal returns. I would have added a second sentence, however: "Successful fishermen who stay alive understand the sea's danger and how to mitigate risk before they leave shore."

 

In that spirit, HP announced yesterday the release of the "2010 Top Cyber Security Risks" report. Largely powered by the big brains at HP TippingPoint's DVLabs (with assistance from some of us in Application Security Center, especially our blogmeister Mark Painter), the report paints a stark picture of the vulnerability landscape.

 

The good news - and we'll take good news where we can find it - is that, though raw vulnerability numbers went up about 10% from 2009 to 2010, that number has largely stabilized over time. Development teams now at least know how to spell "SDLC", and this awareness has led to a plateau in vulnerability disclosure numbers - however, almost 8,000 vulnerabilities were disclosed last year, and attackers are making hay with existing vulnerabilities.

 

Not surprisingly, web application vulnerabilities constitute half of all reported vulnerabilities for 2010. 2010 saw increases in reported cross-site scripting and cross-site request forgery vulnerabilities. In order to corroborate and amplify this data, we in the Application Security Center took the next step to report results across a group of real scans of real applications. We found that a staggering 71% of these suffered from a cross-site scripting, SQL injection, or command execution vulnerability. More than 60% of the assessed applications were subject to potential cross-site scripting attacks. 49% were susceptible to SQL injection or critical command execution exploits, and 22% were vulnerable to both cross-site scripting AND SQLi.

 

Other attack methods described and enumerated within the report include malicious botnets, PHP remote file includes, denial of service, and web exploit toolkits.

 

I highly recommend that you take time to digest the findings in this report: It's a good-but-sobering read that describes the choppy waters we must navigate each day.


Top Five Web Application Vulnerabilities 3/14/2011 - 4/3/2011

1) SAP NetWeaver Multiple Cross-Site Scripting and HTML Injection Vulnerabilities

SAP NetWeaver is susceptible to multiple vulnerabilities including Cross-Site Scripting and HTML Injection. Successful exploitation of these vulnerabilities could be used to alter how the site appears, steal authentication credentials, or execute malicious scripts in the browsers of unsuspecting users. Updates which resolve these vulnerabilities are available. Contact the vendor for more information.

http://www.securityfocus.com/bid/46853

2) SAP Crystal Reports Server Multiple Cross-Site Scripting Vulnerabilities

SAP Crystal Reports Server is susceptible to multiple instances of Cross-Site Scripting. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Patches which resolve these issues are available. Contact the vendor for further information.

http://www.securityfocus.com/bid/46855

3) Symantec LiveUpdate Administrator Management GUI HTML Injection Vulnerability

Symantec LiveUpdate Administrator is susceptible to HTML Injection. HTML Injection adds attacker-supplied markup to a web server's response, which can then be used to steal cookie-based authentication credentials, execute arbitrary script in the context of the site, or simply alter how the site appears. Updates which resolve this vulnerability are available. Contact the vendor for additional details.

http://www.securityfocus.com/bid/46856
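An added example, not from the advisory or the product, of the defect this entry describes: untrusted input reflected into the response without encoding, beside the encoded version, with a check of the kind a scanner uses to tell the two apart. The handlers, the canary string and the two payloads are constructed for the illustration. Rather than only checking whether the input string comes back, the check parses the response and records which elements and attributes a browser would actually create, so it answers the real question: did the input become markup?

```python
import html
from html.parser import HTMLParser

# Constructed probe strings (assumptions, not from any advisory): a canary to
# detect unencoded reflection, and two payloads that turn reflection into markup.
CANARY = "<hpq\"'>"
BODY_PAYLOAD = '<img src=x onerror="alert(document.cookie)">'
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'


def render_body_vulnerable(query):
    # Untrusted input concatenated straight into an HTML text node.
    return "<p>Results for " + query + "</p>"


def render_body_hardened(query):
    # Encode for the HTML text context before interpolating.
    return "<p>Results for " + html.escape(query, quote=True) + "</p>"


def render_attr_vulnerable(query):
    # The same mistake inside a quoted attribute value.
    return '<input name="q" value="' + query + '">'


def render_attr_hardened(query):
    # quote=True also encodes " and ', which the attribute context requires.
    return '<input name="q" value="' + html.escape(query, quote=True) + '">'


class _Collector(HTMLParser):
    """Records every element and attribute name the parser encounters."""

    def __init__(self):
        super().__init__()
        self.elements = []
        self.attributes = []

    def handle_starttag(self, tag, attrs):
        self.elements.append(tag)
        self.attributes.extend(name for name, _ in attrs)


def parse(document):
    collector = _Collector()
    collector.feed(document)
    collector.close()
    return collector.elements, collector.attributes


def is_reflected_unencoded(render):
    """Scanner-style check: does the raw canary come back byte for byte?"""
    return CANARY in render(CANARY)


def injected_elements(render, payload=BODY_PAYLOAD):
    """Element names the payload added beyond the page's own <p>."""
    elements, _ = parse(render(payload))
    return [element for element in elements if element != "p"]


def injected_handlers(render, payload=ATTR_PAYLOAD):
    """Event-handler attributes the payload managed to add to the <input>."""
    _, attributes = parse(render(payload))
    return [name for name in attributes if name.startswith("on")]


if __name__ == "__main__":
    print(is_reflected_unencoded(render_body_vulnerable), injected_elements(render_body_vulnerable))
    print(is_reflected_unencoded(render_body_hardened), injected_elements(render_body_hardened))
    print(injected_handlers(render_attr_vulnerable), injected_handlers(render_attr_hardened))
```

The encoding has to match the context the value lands in: what is safe in a text node is not automatically safe inside an attribute, a URL or a script block, which is why the example keeps the body and attribute cases separate.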

 

4) PHP 'phar/phar_object.c' Format String Vulnerability

PHP is susceptible to a format string vulnerability due to improper sanitization of user-supplied data. Attackers can leverage this vulnerability to execute arbitrary code in the context of the PHP process, possibly allowing them to escalate privileges or bypass other security restrictions. Updates which resolve this vulnerability are available. Contact the vendor for more information.

http://www.securityfocus.com/bid/46854

5) PHP-Nuke Multiple Vulnerabilities

PHP-Nuke is susceptible to multiple vulnerabilities including Cross-Site Scripting, Cross-Site Request Forgery, and SQL Injection. If exploited, these vulnerabilities could lead to compromise of the application, the theft of confidential information and authentication credentials, execution of malicious scripts in the browsers of unsuspecting users, or abuse of the trust a web application places in a user. As of this writing, fixes have not yet been released. Contact the vendor for additional information.

http://www.securityfocus.com/bid/47000
http://www.securityfocus.com/bid/47001
http://www.securityfocus.com/bid/47002
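The Cross-Site Request Forgery part of this entry (and of the WordPress entry in the list above) comes down to a state-changing request that is accepted on the strength of the session cookie alone, which is "abuse of the trust a web application places in a user" in concrete form. Below is an added example, not PHP-Nuke's or WordPress's code, of such a handler beside one that checks a per-session token, together with the replay probe a scanner runs to identify susceptible locations: strip the parameters that look like anti-forgery tokens and see whether the request still succeeds. The in-memory session store, the handler shape and the parameter names are assumptions made for the illustration.

```python
import hmac
import secrets

# Constructed in-memory session store standing in for the application's own (assumption).
SESSIONS = {}

# Parameter names a scanner treats as likely anti-forgery tokens (assumption).
TOKEN_HINTS = ("csrf", "token", "nonce")


def new_session(email="old@example.com"):
    """Create a logged-in session with its own unpredictable anti-CSRF token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"email": email, "csrf": secrets.token_urlsafe(32)}
    return sid


def change_email_vulnerable(request):
    # Authorizes on the cookie alone. A form on an attacker's site that posts
    # here is submitted with the victim's cookie, so the forged change is honoured.
    session = SESSIONS.get(request["cookie"])
    if session is None:
        return 401
    session["email"] = request["form"]["email"]
    return 200


def change_email_hardened(request):
    session = SESSIONS.get(request["cookie"])
    if session is None:
        return 401
    supplied = request["form"].get("csrf_token", "")
    # The attacker's page cannot read the victim's token, so it cannot supply it.
    # Compare in constant time so the check does not leak the token byte by byte.
    if not hmac.compare_digest(supplied.encode(), session["csrf"].encode()):
        return 403
    session["email"] = request["form"]["email"]
    return 200


def strip_tokens(form):
    """Drop every parameter whose name looks like an anti-forgery token."""
    return {name: value for name, value in form.items()
            if not any(hint in name.lower() for hint in TOKEN_HINTS)}


def csrf_probe(handler, legit_request):
    """Scanner-style check: replay the request without its token parameters.

    Returns True (location susceptible to CSRF) when the handler still
    accepts the state change.
    """
    forged = {"cookie": legit_request["cookie"],
              "form": strip_tokens(legit_request["form"])}
    return handler(forged) == 200


def legitimate_request(sid, email="new@example.com"):
    """What the real form in the browser submits: the cookie plus the session token."""
    return {"cookie": sid, "form": {"email": email, "csrf_token": SESSIONS[sid]["csrf"]}}


if __name__ == "__main__":
    sid = new_session()
    print("legitimate request:", change_email_hardened(legitimate_request(sid)))
    print("vulnerable handler susceptible:", csrf_probe(change_email_vulnerable, legitimate_request(new_session())))
    print("hardened handler susceptible:  ", csrf_probe(change_email_hardened, legitimate_request(new_session())))
```

The token must be unpredictable and bound to the session; checking the Origin or Referer header and marking the session cookie SameSite are worthwhile defence in depth, but a handler that accepts the request with no token at all is exactly what the probe above finds.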

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation