HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: April 2012

Today's Threats: Less Generalized, More Dangerous

Yesterday, HP Enterprise Security Products released our "2011 Top Cyber Security Risks" report. A joint offering from the security research labs fueling HP Enterprise Security, the report examines today's threat landscape along with new, pernicious attack methods that raise the overall cyber security risk level to a dangerous level.

 

Counter-intuitively, one tracking tool - the Open Source Vulnerability Database, wherein all publicly disclosed commercial application vulnerabilities are grouped - shows a slow decrease from 2006 in reported commercial application vulnerabilities, a decrease that accelerated in 2011. Saw a decline of 19.5% from 2010.

 

No one should be lulled into a false sense of complacency, however: This decline does NOT mean that we are suddenly safer; rather, it shows that vulnerability disclosure practices are changing, and that cybercriminals are concentrating on finding high-quality vulnerabilities commercial applications, and that custom web applications are proving - in some cases - to be a more fruitful attack vector.

 

Web applications - custom or commercial - are the attack vehicle of choice. In the OSVDB data, 4 of the top 6 vulnerabilities reported - cross-site scripting, SQL injection, remote file include, and cross-site request forgery - are exploitable exclusively through the web.

 

This makes perfect sense. As Dan Geer recently wrote in a spot-on metaphor, "application software is data's skin". Applications protect the valuable organs - important data.

 

To understand what's happening in custom web applications, HP Fortify's research group and professional services team analyzed about 5,000 sites and aggregated the results. The teams used three testing methods on subsets of those web apps: Dynamic, static, and manual.

 

The findings are illustrative and alarming. I'll summarize a few of the key ones here:

 

  • 52.35 percent were vulnerable to reflected cross-site scripting. Insecure communications vulnerabilities affected 66.87 percent of the applications..
  • 86.35 percent were vulnerable to injection flaws.
  • 93.87 percent were vulnerable to information leakage and improper error handling..
  • 87.74 percent were susceptible to insecure cryptographic storage.

Given the realities of the modern IT landscape, the information leakage problem is especially widespread and pernicious.

 

A majority of the mobile applications tested displayed information leakage behavior. The increasing demand for information from the mobile workforce - combined with the increasingly pervasive use of cloud services and a wave of unmanaged consumer devices on the corporate network - presents a huge challenge to many organizations. Crucial data is residing both inside and outside the enterprise, as well as in mobile devices.

 

And speaking of information leakage....

 

Some types of information leakage are more critical than others. During our manual testing, we found that 81% of tested applications exposed server type information. Not that big a deal, you say? How about this...64% of the applications with exposed server info also exposed version info. All of a sudden, hackers know which publicly-known vulnerabilities to attack.

 

But wait! There's more! In analyzing developer comments, we found that an astonishing 13% of applications encapsulated verbose stack trace messages inside HTML comments, some of which resulted in confirmed SQL injection attacks.

___________________________________________

 

There's much more in the report, including a look at Web 2.0, honeypot trends, the Blackhole exploit kit, and botnet stuff.

 

Spend time with our report, and benefit from the brains which power HP Enterprise security.

 

 

 

 

DirecTV and the Hogtied Remote

This post is a brief tale about my experience switching from Comcast cable services to DirecTV.  While I didn't anticipate anything security-centric coming out of my decision, amazingly, DirecTV found a way.  It all started with a short conversation with my installation technician.

Search
Showing results for 
Search instead for 
Do you mean 
About the Author(s)
HP Blog

HP Software Solutions Blog

Featured


Follow Us
Labels
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.