HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: May 2010

Top Five Web Application Vulnerabilities 5/10/10 - 5/23/10

1) HP Insight Control Server Migration for Windows Cross-Site Scripting Vulnerability


HP Insight Control Server Migration for Windows is susceptible to a Cross-Site Scripting vulnerability. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, forge requests that are indistinguishable from those of a valid user, disclose confidential information, or run attacker-supplied script in the end user's browser. Updates which resolve this vulnerability are available. Contact the vendor for additional information.


http://www.securityfocus.com/bid/40112


2) Adobe ColdFusion Multiple Unspecified Cross-Site Scripting Vulnerabilities


Adobe ColdFusion is susceptible to multiple Cross-Site Scripting vulnerabilities. These vulnerabilities can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. Updates which resolve these vulnerabilities are available. Contact the vendor for more details.


http://www.securityfocus.com/bid/40073
http://www.securityfocus.com/bid/40074


3) IBM WebSphere Application Server Long Filename Information Disclosure Vulnerability


IBM WebSphere is susceptible to an information disclosure vulnerability. An attacker could exploit this vulnerability to access sensitive information which would likely aid in conducting more damaging attacks. Fixes which resolve this issue have been released. Contact the vendor for further information.


http://www.securityfocus.com/bid/40277


4) Apache Axis2 'engagingglobally' Cross-Site Scripting Vulnerability


Apache Axis2 is susceptible to a Cross-Site Scripting vulnerability. An attacker can leverage this issue to execute script code in the browsers of unsuspecting users in the context of the affected application, possibly leading to theft of authentication credentials and other attacks. As of this writing, a fix has not yet been released. Contact the vendor for more details.


http://www.securityfocus.com/bid/40327


5) Dell OpenManage 'file' Parameter URI Redirection Vulnerability


Dell OpenManage is susceptible to an open-redirection vulnerability due to a failure of the application to properly sanitize user-supplied input. Successful exploitation may aid in phishing or lead to other attacks. As of this writing, a fix has not yet been released. Contact the vendor for additional information.


http://www.securityfocus.com/bid/40247
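Open redirection of the kind described for the 'file' parameter above is almost always a Location header built straight from a request parameter, which lets a phishing link on the trusted host land the victim on an attacker's page. The check below is an added example, not Dell's code; the site origin portal.example and the way the parameter is read are assumptions. It rejects absolute and scheme-relative targets, the backslash and control-character variants that browsers normalise into them, and returns an absolute same-origin URL so that a path trick such as /..//host cannot collapse into a scheme-relative redirect:

```python
from urllib.parse import urljoin, urlsplit

SITE_ORIGIN = "https://portal.example"   # assumed origin of the application


def redirect_vulnerable(file_param: str) -> str:
    """The open-redirect pattern: the parameter becomes the Location header."""
    return file_param


def safe_redirect_target(file_param: str, default: str = "/") -> str:
    """Return an absolute same-origin URL for file_param, or default.

    Rejects, in order: control characters that enable header injection or
    that browsers strip (tab, CR, LF); backslashes, which browsers treat as
    slashes; scheme-relative targets (//host); anything with a scheme or
    host, including 'https:host' and 'javascript:'; and paths that do not
    start with '/'.
    """
    if not file_param or any(c in file_param for c in "\t\r\n\\"):
        return default
    if file_param.startswith("//"):
        return default
    parts = urlsplit(file_param)
    if parts.scheme or parts.netloc:
        return default
    if not file_param.startswith("/"):
        return default
    # Resolve against our origin and keep the absolute form: returning the
    # bare path would let '/..//host' collapse to '//host', which a browser
    # reads as scheme-relative.
    resolved = urljoin(SITE_ORIGIN + "/", file_param)
    if not resolved.startswith(SITE_ORIGIN + "/"):
        return default
    return resolved


if __name__ == "__main__":
    for candidate in ("/dashboard", "https://attacker.example/login",
                      "//attacker.example", "/\\attacker.example",
                      "https:attacker.example", "/..//attacker.example"):
        print(f"{candidate!r:32} -> {safe_redirect_target(candidate)}")
```

The validator deliberately does not try to "clean" a bad target; a redirect parameter that fails validation falls back to a fixed landing page, which is the only answer that cannot be steered.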


HP’s updated Application Security Software takes aim at vulnerabilities

We are happy to announce the release of new versions of all HP Application Security Center products. Focused on simplifying application security scanning, streamlining application security management and integrating deeply into your quality management process, the Assessment Management Platform 8.10, WebInspect 8.10 and QAInspect 8.00 releases bring exciting new functionality to your application security program.


Of course, we can’t cover all the details in this post, so here are some highlights for you:


HP Assessment Management Platform 8.10



  • Enterprise HP Quality Center integration allows you to incorporate your security team into the quality processes across your enterprise.

  • The new Scan Linkage Analyzer gives you a new way to understand your scan results and quickly identify the specific locations of the application's vulnerabilities.

  • The new Project based administration dramatically improves and simplifies the management of AMP users, roles and permissions based on the project a user is working on.


Request a demonstration of HP Assessment Management Platform to learn more.


WebInspect 8.10



  • WebInspect 8.10’s new Guided Scan Wizard focuses on the desired outcome of the scan, not the settings. This new feature eliminates the need for an in-depth understanding of esoteric scan settings and reduces the level of security knowledge required to execute a successful scan.

  • Deeper AMP Integration allows you to configure and tailor complex scans in the desktop tool and then execute them using the distributed scanning engines of the HP Assessment Management Platform.

  • The new Workflow Driven and List Driven assessments give you added control and flexibility in executing your security scans by allowing you to test individual business processes and specific root URLs.


Download a free trial of HP WebInspect to learn more.


QAInspect 8.00



  • New Workflow Driven tests which allow security testers to test for application vulnerabilities within the defined workflows of their business applications.

  • New Scan Viewer and Scan Diagnostics providing a much deeper insight into the progress of security tests.

  • Improved Quality Center Integration which tightly aligns QAInspect with the usage model of other Quality Center integrated testing tools.


Download a free trial of HP QAInspect to learn more.


These products are also now available through HP SmartUpdate.



Top Five Web Application Vulnerabilities 4/27/10 - 5/9/10

1) Microsoft SharePoint Server 2007 '_layouts/help.aspx' Cross-Site Scripting Vulnerability


Microsoft SharePoint Server 2007 and SharePoint Services 3.0 are susceptible to a Cross-Site Scripting vulnerability. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, forge requests that are indistinguishable from those of a valid user, disclose confidential information, or run attacker-supplied script in the end user's browser. As of this writing, a vendor-supplied solution has not yet been provided, although workaround recommendations are available at http://randomchaos.us/2010/04/microsoft-issues-work-around-advice-for-sharepoint-zero-day.html . Contact the vendor for additional information.


http://www.securityfocus.com/bid/39776


2) HP Systems Insight Manager Multiple Vulnerabilities


HP Systems Insight Manager is susceptible to multiple vulnerabilities including Cross-Site Scripting, Cross-Site Request Forgery, and Privilege Escalation. Cross-Site Scripting can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. Cross-Site Request Forgery leverages the trust a web application places in a user to make authenticated requests that appear completely legitimate, and can be used to abuse any type of functionality the web application contains. Finally, attackers who are authenticated can gain escalated privileges on the affected system. Updates which address these issues are available. Contact the vendor for further details.


http://www.securityfocus.com/bid/39736
http://www.securityfocus.com/bid/39735
http://www.securityfocus.com/bid/39734
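The Cross-Site Request Forgery description above turns on one fact: the browser attaches the session cookie to every request to the application, including one launched from a page the attacker controls, so the cookie alone cannot tell the server which page built the request. The following is an added example, not HP Systems Insight Manager code; the request dictionaries are constructed, and the session identifier, secret key and origin are assumptions. It derives a per-session token with an HMAC, refuses a state-changing request that does not carry it, and checks the Origin header as a second layer:

```python
import hashlib
import hmac
import secrets

SITE_ORIGIN = "https://sim.example"     # assumed origin of the application
SECRET_KEY = secrets.token_bytes(32)    # per-deployment secret, generated here


def issue_csrf_token(session_id: str) -> str:
    """Derive the session's token by HMAC, so nothing extra is stored server-side."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def is_state_change_allowed(request: dict, session_id: str) -> bool:
    """Allow a state-changing request only if it proves it came from our page."""
    if request.get("method", "GET") not in ("POST", "PUT", "DELETE"):
        return True   # safe methods must be side-effect free; nothing to protect
    # Second layer: a cross-site form post arrives with the attacker's Origin.
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False
    expected = issue_csrf_token(session_id)
    supplied = request.get("form", {}).get("csrf_token", "")
    # Constant-time comparison; both sides encoded so non-ASCII input cannot raise.
    return hmac.compare_digest(supplied.encode(), expected.encode())


# Constructed requests. The victim's browser attaches the session cookie to
# both; only the one generated by the application's own page carries the token.
SESSION_ID = "sess-1234"


def legitimate_request() -> dict:
    return {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
            "cookie": f"sid={SESSION_ID}",
            "form": {"user": "bob", "role": "admin",
                     "csrf_token": issue_csrf_token(SESSION_ID)}}


def forged_request() -> dict:
    return {"method": "POST", "headers": {"Origin": "https://attacker.example"},
            "cookie": f"sid={SESSION_ID}",
            "form": {"user": "mallory", "role": "admin"}}


if __name__ == "__main__":
    print("legitimate:", is_state_change_allowed(legitimate_request(), SESSION_ID))
    print("forged:    ", is_state_change_allowed(forged_request(), SESSION_ID))
```

Binding the token to the session is what stops an attacker from harvesting a token from their own session and replaying it in a forged request against the victim's; the Origin check is kept secondary because some clients omit the header.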


3) Apache ActiveMQ 'admin/queueBrowse' Cross-Site Scripting Vulnerability


Apache ActiveMQ is susceptible to a Cross-Site Scripting vulnerability. Arbitrary script code can be executed in the context of the affected site in the browsers of unsuspecting users if this vulnerability is successfully exploited. Updates which resolve this vulnerability are available. Contact the vendor for more details.


http://www.securityfocus.com/bid/39771


4) VMware View Unspecified Cross-Site Scripting Vulnerability


VMware View is susceptible to a Cross-Site Scripting vulnerability. An attacker can leverage Cross-Site Scripting to execute script code in the browsers of unsuspecting users in the context of the affected application, possibly leading to theft of authentication credentials and other attacks. Updates which resolve this vulnerability are available. Contact the vendor for additional information.


http://www.securityfocus.com/bid/39949


5) PHP-Nuke Multiple SQL Injection Vulnerabilities


PHP-Nuke is susceptible to multiple SQL Injection vulnerabilities. Successful exploitation could give an attacker the means to access or modify backend database contents, or in some circumstances be utilized to take control of the server hosting the database. As of this writing, a fix has not yet been released. Contact the vendor for further information.


http://www.securityfocus.com/bid/39922
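The SQL Injection class described for PHP-Nuke above is easiest to see with the query in hand. The following is an added example run against an in-memory SQLite table, not PHP-Nuke code; the users table, its rows and the two payloads are constructed. The string-built query accepts both a comment-based payload that drops the password check and a tautology that matches every row; the parameterized version treats the same input as plain values:

```python
import sqlite3

# Constructed schema and rows standing in for a CMS user table. Plaintext
# passwords are used only to keep the example short.
USERS = [("admin", "s3cret", "admin"), ("bob", "hunter2", "user")]


def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return db


def login_vulnerable(db: sqlite3.Connection, user: str, pw: str) -> list:
    """String-built query: whatever the client sends is parsed as SQL."""
    sql = (f"SELECT name, role FROM users "
           f"WHERE name = '{user}' AND password = '{pw}'")
    return sorted(db.execute(sql).fetchall())


def login_parameterized(db: sqlite3.Connection, user: str, pw: str) -> list:
    """Bound parameters: the input is only ever compared as a value."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return sorted(db.execute(sql, (user, pw)).fetchall())


# Constructed payloads: '--' comments out the rest of the statement, and the
# tautology makes the WHERE clause true for every row.
COMMENT_PAYLOAD = "admin' --"
TAUTOLOGY_PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, comment:   ", login_vulnerable(db, COMMENT_PAYLOAD, "wrong"))
    print("vulnerable, tautology: ", login_vulnerable(db, "nobody", TAUTOLOGY_PAYLOAD))
    print("parameterized, comment:", login_parameterized(db, COMMENT_PAYLOAD, "wrong"))
    print("parameterized, bob:    ", login_parameterized(db, "bob", "hunter2"))
```

The same payloads give an attacker who can read the result set a path to the "access or modify backend database contents" outcome in the entry above; escaping quotes narrows the attack but only bound parameters remove it, because the query text is fixed before any user data is seen.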

Web application security still misunderstood

The numbers from a recent survey by the Ponemon Institute show that web application security is vastly underestimated as a threat and still misunderstood. It's amazing that in 2010 a full seventy percent of organizations don't consider application security a strategic initiative. It's not 1999 anymore, when the biggest application threat was defacement. Now, hackers pinpoint a hole in an application, and then leave behind malware that can completely compromise an entire network. It's not some kid in his basement anymore. Attacks are organized, funded by criminal organizations, and pernicious. Network security might be better understood, and seemingly more 'real' to executives, but it is applications where most attacks occur.


There is a disconnect between the acknowledgement of security issues and the willingness to fix them. One likely reason organizations are so far unwilling to fix application vulnerabilities is the cost. According to the survey, thirty-eight percent estimate that it would take more than 20 hours of development time to fix just one bug. That's a tremendous amount of effort to fix one security defect, not even considering the impact to schedules and the cost in salary.


The real solution, of course, is to include security throughout the application development lifecycle. According to the National Institute of Standards and Technology (NIST), relative to fixing a flaw during design, it is 6.5 times more expensive to fix it in development, 15 times more in testing, and 100 times more after release. Of course, that doesn't do anything to address vulnerabilities that already exist. But in the future, it's the only way these problems are ever going to be brought under control.


http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=224700250
