HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: May 2011

HP Is Not the Death Star

I am putting myself to the fullest possible use, which is all I think that any conscious entity can ever hope to do.

 

-- HAL, "2001: A Space Odyssey"

______________________________________________

 

If you were somehow frozen in carbonite last summer and just now thawed, you would be shocked at how HP security looks today. HP is a security company. No, really. It's a brave new world. As you dreamt your frozen dreams, HP was acquiring such security juggernauts as ArcSight and Fortify, bolstering a security portfolio that already included SPI Dynamics and TippingPoint.

 

Good things are happening. HP's TippingPoint was again named a leader in Gartner's network intrusion prevention system (IPS) Magic Quadrant in December 2010, and Fortify followed suit in the static application security testing (SAST) MQ. Just this week, Fortify also won two 2011 CODiE awards (Best Software Development Solution and Best Security Solution). ArcSight and ASC WebInspect are also consistently evaluated as market and technology leaders.

 

But wait, you might reasonably say, you've seen Death Star-like IT vendors acquire high-flying security assets, then - through neglect and mismanagement -  turn them into space junk. What makes HP's approach over the last 9 months any different? It's easier, after all, to chase a comet than it is to use it once it's captured.

 

HP is different. It is turning away from the Dark Side, using The Force to integrate its assets for cosmic good.  From an Application Security Center perspective (as I've blogged before), WebInspect,  Fortify SCA, and Fortify's runtime analysis tool SecurityScope have combined to create Real-Time Hybrid Analysis, enabling security teams to discover vulnerability root cause as they observe attacks in real time. Subsequent near-term product releases across the application security portfolio will demonstrate further real-time integration innovation.

 

In addition, WebInspect is working closely with TippingPoint on a couple of fronts. WebInspect is powering TippingPoint's newly relaunched WebApp DV WAF-as-a-service offering, helping customers drive away them "WAF Always in Earthbound Learning Mode Blues". The Force is well in evidence here: over the past two months, I've spoken to HP sales teams and customers on 5 continents about the goodness of this service, as delivered by HP. WebInspect was also a key power source for the thrusters in HP TippingPoint's "2010 Top Cyber Security Risks" report, providing web application scan data to present a fuller view of the threat spectrum.

 

We are planning more coordinated efforts across the fleet in 2011, incorporating various technologies and delivery modes (The Force delivered from - and to - The Cloud? The mind reels!). Anyway, Admiral Ackbar can rest assured - HP security is NOT a trap.

New WebInspect Compliance Templates

We've recently added three new compliance templates to our suite of products. Simply run SmartUpdate to download and install the new templates. A description of each follows:

 

  • DoD Application Security and Development STIG V3 R2: This compliance template will report on all applicable web application components of the Application Security and Development Security Technical Implementation Guide (STIG) Version 3, Release 1. The STIG provides security guidance for use throughout the application development lifecycle. Defense Information Systems Agency (DISA) encourages sites to use these guidelines as early as possible in the application development process.

 

  • SANS CWE Top 25: The 2010 CWE/SANS Top 25 Most Dangerous Software Errors is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all. This compliance template will report on all applicable web application components of this list.

 

  • WASC: This compliance template is based on the Web Application Security Consortium threat classes. The WASC Threat Classification is a cooperative effort to clarify and organize the threats to the security of a web site. What's great about this compliance template is that when used in conjunction with the All Checks policy, you can generate a compliance report that includes each vulnerability check contained in SecureBase.

Cloud Security Still as Unpredictable as the Weather

Amid the frenzied adoption of all forms of cloud computing, there has been a disproportionate amount of noise produced by IT vendors scrambling for a piece of the action. Security vendors are certainly complicit, as most of them attached the word “cloud” to whatever they were selling and labeled it “cloud security” without actually providing it. Few of them are genuinely addressing the unique security issues presented by deploying applications to the cloud or adding any value to companies that are scrambling to understand the security risks involved. Everyone is instinctively convinced that there are increased security risks with moving to the cloud, but they’re difficult to identify and mitigate. In fact, several technology analysts have found that uncertainty over cloud security is the primary barrier to adoption or concern that companies have as they contemplate moving parts of their business to the cloud.

 

Last week the National Institute of Standards and Technology (NIST) began weighing in on the topic with a draft of its guidance for safely and effectively using cloud computing in any form – private, public or hybrid. This document – NIST Special Publication 800-146: Cloud Computing Synopsis and Recommendations – lays out general definitions and use cases and ultimately tries to provide “guidelines and recommendations on how organizations should consider the relative opportunities and risks of cloud computing.” Overall, it’s a great description of many of the options and considerations for the various forms of cloud computing, but it leaves readers wanting more concrete actions they can take to protect their applications in the cloud. Their basic conclusion is that you need all of the same security controls that you would put in place for a physical infrastructure; you just need them all in the cloud.

 

This statement sums up well their position on security guidance:

“A number of considerations affect security of data and processing conducted in a cloud. For example, the quality of a cloud's implementation, the attack surface of a cloud, the likely pool of attackers, system complexity, and the expertise level of cloud administrators are a few considerations that affect cloud system security. Unfortunately, none of these considerations is decisive regarding cloud security and there are no obvious answers when comparing cloud to non-cloud systems as to which is likely to be more secure in practice.”

 

In other words, “We’re pretty sure the cloud is less secure, so do what you would normally do to secure your systems. And then hope for the best.”

 

NIST is missing an opportunity to take a decisive stance on the only reliable way to secure cloud systems: secure the software that runs your applications before you ever think about deploying it to the cloud. Vigorously test for security during development. Repeatedly test for security before deployment. Understand and remediate code-level vulnerabilities while your application is still in a controlled environment. Demand proof from your cloud provider that they are testing the infrastructure for security. Ask for proof from your cloud provider that your neighbors in the cloud are also securing their software, because you’re at risk of being only as secure as the lowest common denominator, whose carelessness could put the whole neighborhood at risk.

 

The NIST draft is definitely correct and informative in everything it points out as a serious security consideration, like the risks of multi-tenancy, failure of logical separation of resources, effective data protection and encryption, and business continuity. But it falls short of effective recommendations that organizations can act on. When it comes to the applications that you’re thinking of deploying to the cloud, if you invest the time and effort in software security assurance to harden your software, then you can more confidently move to the new limitless and elastic world of cloud computing.

Top Ten Web Application Vulnerabilities 5/2/2011 - 5/15/2011

1) Samsung Integrated Management System DMS SQL Injection Vulnerability

 

Samsung Integrated Management System DMS is susceptible to a SQL Injection vulnerability. Successful exploitation could give an attacker the means to access or modify backend database contents, or in some circumstances be utilized to take control of the server hosting the database.  Updates which resolve this vulnerability are available. Contact the vendor for further details.

 

http://www.securityfocus.com/bid/47746

 

2) IBM Datacap Taskmaster Capture Unspecified SQL Injection Vulnerability

 

The Datacap Taskmaster Capture is susceptible to a SQL Injection vulnerability. SQL Injection can give an attacker full access to a backend database, and in certain circumstances can be utilized to take complete control of a system. Updates which resolve this issue are available. Contact the vendor for additional information.

 

http://www.securityfocus.com/bid/47848

 

3) HP Business Availability Center Cross-Site Scripting Vulnerability

 

HP Business Availability Center is susceptible to a Cross-Site Scripting vulnerability. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Updates which resolve this issue are available. Contact the vendor for more information.

 

http://www.securityfocus.com/bid/47846

 

4) VMware vCenter Server Directory Traversal Vulnerability

 

VMware vCenter Server is susceptible to a Directory Traversal vulnerability. Successful exploitation would give an attacker the means to retrieve arbitrary files in context of the application. Information gained through these methods would likely lead to more damaging attacks. Updates which resolve this issue are available. Contact the vendor for further details.

 

http://www.securityfocus.com/bid/47735
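The vCenter entry above describes the read form of directory traversal; the Cisco Unified Communications Manager entry in the 4/18 list further down describes the write form. The block below is an added example, not code from either product or from the advisories: a file-serving helper that joins the request path onto the document root as-is, beside one that canonicalizes the result and refuses anything outside the root, exercised against a constructed temporary directory. File names and contents are invented for the example.

```python
import os
import tempfile


def read_vulnerable(base_dir, requested):
    # Joins the request path onto the document root and opens the result.
    # ".." segments walk out of base_dir; an absolute path replaces it entirely.
    with open(os.path.join(base_dir, requested), "rb") as f:
        return f.read()


def resolve_safely(base_dir, requested):
    """Return the canonical path for `requested`, or raise if it leaves base_dir.

    Both sides go through realpath so that "..", repeated slashes and symlinks
    are collapsed before the containment check; an absolute `requested`
    discards base_dir in os.path.join and then fails the same check.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes document root: %r" % requested)
    return target


def read_safely(base_dir, requested):
    with open(resolve_safely(base_dir, requested), "rb") as f:
        return f.read()


def write_safely(base_dir, requested, data):
    # The same check guards the write variant described in the Cisco entry.
    with open(resolve_safely(base_dir, requested), "wb") as f:
        f.write(data)


def attempt(fn, *args):
    """Run fn and report whether the containment check let it through."""
    try:
        fn(*args)
        return "allowed"
    except PermissionError:
        return "blocked"


def demo():
    # Constructed layout: <root>/htdocs is the document root and
    # <root>/secret.txt sits one level outside it.
    with tempfile.TemporaryDirectory() as root:
        docroot = os.path.join(root, "htdocs")
        os.mkdir(docroot)
        with open(os.path.join(docroot, "index.html"), "w") as f:
            f.write("<h1>public</h1>")
        with open(os.path.join(root, "secret.txt"), "w") as f:
            f.write("db_password=hunter2")  # invented value for the example

        return {
            "vuln_public": read_vulnerable(docroot, "index.html"),
            "vuln_escape": read_vulnerable(docroot, "../secret.txt"),
            "safe_public": read_safely(docroot, "index.html"),
            "safe_escape": attempt(read_safely, docroot, "../secret.txt"),
            "safe_nested_escape": attempt(read_safely, docroot, "css/../../secret.txt"),
            "safe_absolute": attempt(read_safely, docroot, os.path.join(root, "secret.txt")),
            "safe_write_escape": attempt(write_safely, docroot, "../.htaccess", b"x"),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The check runs on the decoded path, after the web layer has turned %2e%2e and friends back into characters; comparing against the raw URL misses encoded forms. Passing both sides through realpath also catches a symlink under the document root that points outside it, which a plain string-prefix test would let through.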

 

5) Apache Struts XWork 's:submit' HTML Tag Cross-Site Scripting Vulnerability

 

Apache Struts is susceptible to a Cross-Site Scripting vulnerability. Cross-Site Scripting can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. Updates which resolve this issue have been released. Contact the vendor for additional information.

 

http://www.securityfocus.com/bid/47784

 

6) Oracle GlassFish Server Administration Console Remote Authentication Bypass Vulnerability

 

The Oracle GlassFish Server Administration Console is susceptible to a remote authentication bypass vulnerability which could allow an attacker to bypass authentication and perform unauthorized actions. Updates which resolve this issue are available. Contact the vendor for further details.

 

http://www.securityfocus.com/bid/47818

 

7) WordPress '.phtml' Files Arbitrary File Upload Vulnerability

 

WordPress is susceptible to an Arbitrary File Upload vulnerability that can be exploited by an attacker to upload arbitrary files and run code in context of the webserver process. As of this writing, a fix has not yet been released. Contact the vendor for more details.

 

http://www.securityfocus.com/bid/47709

 

8) Adobe RoboHelp Server and RoboHelp Cross-Site Scripting Vulnerability

 

Adobe RoboHelp Server and RoboHelp are susceptible to a Cross-Site Scripting vulnerability. An attacker can leverage Cross-Site Scripting to execute script code in the browsers of unsuspecting users in context of the affected application, possibly leading to theft of authentication credentials and other attacks. Patches which resolve this issue are available. Contact the vendor for further information.

 

http://www.securityfocus.com/bid/47839

 

9) Computer Associates eHealth Cross-Site Scripting Vulnerability

 

Computer Associates eHealth is susceptible to a Cross-Site Scripting vulnerability. Arbitrary script code can be executed in context of the affected site in the browsers of unsuspecting users if this vulnerability is successfully exploited. Updates which resolve this issue are available. Contact the vendor for additional details.

 

http://www.securityfocus.com/bid/47795

 

10) Horde Security Bypass and HTML Injection Vulnerabilities

 

Horde is susceptible to HTML Injection and  security bypass vulnerabilities. HTML Injection is used to add content into a web server’s response, which can then be used to steal cookie-based authentication credentials, execute arbitrary code in context of the site, or simply alter how the site appears. The security bypass issues can be exploited to perform unauthorized actions.  Updates which resolve these issues are available. Contact the vendor for more details.

 

http://www.securityfocus.com/bid/47708

We're Starting a Conversation on Application Security Intelligence

We talk a lot on these pages about the sheer difficulty, and often apparent impossibility, of solving the problem of securing applications and the software that runs them. We evangelize the right approaches, instill the best methodologies and train people on the appropriate technologies to give us the best chance of securing our applications, yet we all know how often we collectively fail. In other words, we have to be right all the time, but the bad guys only have to be lucky once, as they say. As a result, we’ve begun to focus more on how to manage application security risk in context with the business through a concept known as application security intelligence, rather than spending infinitely to blindly try to find and remediate every last vulnerability.

 

We’ve invited the brightest minds in application security to offer their thoughts on application security intelligence and its value in managing the threats that we face today. Join us for this Application Security Intelligence web summit on May 19th that includes the following presentations:

  • "Application Security Intelligence: Managing Application Risk" – Roger Thornton, CTO & Founder, Fortify Software, an HP company
  • "Optimizing Security in Software Development: Secure at the Source" – Derek Brink, VP & Research Fellow, Aberdeen Group
  • "Application Security Strategy in a Mobile World" – John South, CISO, Heartland Payment Systems
  • "Cloud Security and Its Impact on Application Security" – Dennis Hurst, Founding Member, Cloud Security Alliance
  • "Addressing the Top 5 Web Application Security Threats" – Dave Wichers, OWASP Board Member & COO, Aspect Security

View the full lineup and sign up to attend any or all presentations here. Please join us in the conversation about this new approach to treating risk in our applications.

Web Application Testing: Vulnerability Assessment vs. Penetration Test


Few topics in the infosec world create as much heat as the classic "vulnerability assessment vs. penetration test" debate, and it's no different in the web application security space. Sadly, the discussion isn't usually around which is better. That would actually be an improvement. Instead the debate is usually semantic in nature, i.e. the flustered participants are usually disagreeing on what the terms actually mean. Step 1: agree on terms.

So, I'll be ambitious and tackle both subcomponents of the debate: 1) what the terms actually mean, and 2) which is better for organizations to pursue.

Web Vulnerability Assessment vs. Web Penetration Test

 

It's worth stating explicitly that these two types of security test are in fact quite different. Many make the mistake of thinking that a penetration test is simply a vulnerability assessment with exploitation, or that a vulnerability assessment is a penetration test without exploitation. This is incorrect. If that were the case then we'd simply have one term that we'd qualify with "with or without exploitation".

 

A web application vulnerability assessment is fundamentally different from a penetration test because its focus is on creating a list of as many findings as possible for a given web application. A penetration test, on the other hand, has a completely different purpose. Rather than yield a list of problems, a penetration test's focus is the achievement of a specific goal set by the customer, e.g. "dump the customer database", or "become an administrative user within the application". Also important to note is the fact that a penetration test is successful if and when the goal is achieved--not when a massive list of vulnerabilities is produced. That's what a vulnerability assessment is for.

 


 

Some are tempted to say that this is a goal-based penetration test. My question to them is simple: "As opposed to what other type?" Penetration testing is goal-based. That's its entire purpose. Even a customer direction as nebulous as "see what you can do" is absolutely a goal. It's an implicit goal of getting as far as you can given whatever constraints are in place.

 

The question of exploitation is another obstacle to clarity on this topic. Many have a simple binary switch for using the terms: "If there's exploitation it's a penetration test and if not it's a vulnerability assessment." Again, the key difference here is list-based vs. goal-based--not exploitation. It's possible to do (or not do) exploitation in both types of test. You can have a web vulnerability assessment where you are to exploit anything you find, and you can have a penetration test where you are asked to confirm that you can do something but not do it. Exploitation is an independent attribute that can be attached to either type of test.

 

When to Use One vs. the Other

 

Now that we see a distinction between terms, the next question is, "Which one is best?" Which should we be offering customers? As you may expect, the answer is that it depends on the customer and the project, but in my experience the answer will usually end up being a vulnerability assessment. Why? Because a vulnerability assessment (getting a list of everything that needs fixing) matches where most customers are in terms of maturity.

 

To tightly summarize:

  • Vulnerability assessment: list-based. The aim is as complete a list as possible of what needs fixing in the application. Exploitation is optional.
  • Penetration test: goal-based. The aim is a specific goal set by the customer (dump the customer database, become an administrative user, or even "see what you can do"), and the test succeeds when that goal is achieved, not when a long list of findings is produced. Exploitation is optional.

 

For questions or comments I can be reached at daniel.miessler@hp.com and on Twitter at @danielmiessler.

Top Ten Web Application Vulnerabilities 4/18/2011 - 5/1/2011

1) PHP 'phar/tar.c' Heap Buffer Overflow Vulnerability

 

PHP is susceptible to a remote heap-based buffer overflow because it fails to adequately sanitize user-supplied input. Attackers can leverage this vulnerability to run arbitrary code in context of the PHP process, which may allow them to gain elevated privileges or bypass other security restrictions.  As of this writing a fix has not yet been released. Contact the vendor for additional information. 

 

http://www.securityfocus.com/bid/47545

 

2) HP ProLiant Support Pack Multiple Security Vulnerabilities

 

HP ProLiant Support Pack is susceptible to multiple vulnerabilities including Cross-Site Scripting, information disclosure, and URI Redirection. An attacker could leverage these vulnerabilities to steal authentication credentials, redirect users to malicious sites, or gain access to information which could help formulate more damaging attacks. Updates which resolve these issues are available. Contact the vendor for more details.

 

http://www.securityfocus.com/bid/47510

 

3) HP Systems Insight Manager Cross-Site Scripting/Cross-Site Request Forgery

 

HP Systems Insight Manager is susceptible to multiple vulnerabilities including Cross-Site Scripting and Cross-Site Request Forgery. If exploited, these vulnerabilities could lead to the theft of confidential information and authentication credentials, execution of malicious scripts in the browsers of unsuspecting users, or abuse of the trust a web application places in a user. Updates which resolve these vulnerabilities are available. Contact the vendor for further information.

 

http://www.securityfocus.com/bid/47511
http://www.securityfocus.com/bid/47513

 

4) Cisco Unified Communications Manager SQL Injection/Directory Traversal Vulnerabilities

 

Cisco Unified Communications Manager is susceptible to several vulnerabilities including SQL Injection and Directory Traversal. SQL Injection can give an attacker full access to a backend database, and in certain circumstances can be utilized to take complete control of a system. An attacker can leverage Directory Traversal to write arbitrary files to locations outside of the application's current directory. Updates which resolve these issues are available. Contact the vendor for more details.

 

http://www.securityfocus.com/bid/47605
http://www.securityfocus.com/bid/47608
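The Samsung IMS DMS and IBM Datacap entries in the 5/2 list above and the Cisco Unified Communications Manager entry here are the same bug class. As an added example (not code from any of those products or from the advisories), here is a lookup built by string concatenation beside the same lookup with a bound parameter, run against an in-memory SQLite table: a tautology payload returns every row, and a UNION payload reads the schema out of sqlite_master. Table, rows and payloads are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample table; nothing here comes from the products above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"),
         (2, "bob", "bob@example.com"),
         (3, "carol", "carol@example.com")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # The request parameter is spliced into the statement text, so any quote
    # or keyword in it becomes SQL syntax rather than a value to match.
    sql = "SELECT id, name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # The value travels separately from the statement; the driver never
    # re-parses it as SQL, so the same payloads are plain strings to compare.
    sql = "SELECT id, name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    conn = make_db()
    # Closes the quoted literal and appends an always-true condition.
    tautology = "x' OR '1'='1"
    # Three columns to line up with the application's SELECT; the trailing
    # "--" comments out the closing quote the application appends.
    schema_dump = "x' UNION SELECT 0, name, sql FROM sqlite_master --"
    return {
        "honest_vuln": lookup_vulnerable(conn, "alice"),
        "tautology_vuln": lookup_vulnerable(conn, tautology),
        "schema_dump_vuln": lookup_vulnerable(conn, schema_dump),
        "honest_safe": lookup_parameterized(conn, "alice"),
        "tautology_safe": lookup_parameterized(conn, tautology),
        "schema_dump_safe": lookup_parameterized(conn, schema_dump),
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(key, rows)
```

The parameterized version is not filtering anything: the payloads are simply compared as strings against the name column and match nothing. That is why bound parameters, rather than escaping or keyword blacklists, are the fix; the same rule applies inside stored procedures that assemble SQL from their arguments.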

 

5) Oracle JD Edwards EnterpriseOne Multiple Cross-Site Scripting Vulnerabilities

 

Oracle JD Edwards EnterpriseOne  is susceptible to multiple Cross-Site Scripting vulnerabilities. Cross-Site Scripting can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. Updates which resolve these vulnerabilities are available. Contact the vendor for additional information.

 

http://www.securityfocus.com/bid/47479

 

6) HP SiteScope Cross-Site Scripting/ HTML Injection Vulnerabilities

 

HP SiteScope is susceptible to Cross-Site Scripting and HTML Injection vulnerabilities. Successful exploitation of these vulnerabilities could be used to alter how the site appears, steal authentication credentials, or execute malicious scripts in the browsers of unsuspecting users. Updates which resolve these vulnerabilities are available. Contact the vendor for more details.

 

http://www.securityfocus.com/bid/47554
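Most of the entries in both lists, including this one, are reflected script or HTML injection, and the fix is the same each time: encode output for the context it lands in. Below is an added example (not from HP SiteScope or any other product named here) of a search page that reflects a query term into a text node and into an attribute value. It renders the page three ways and uses Python's html.parser as a stand-in for the browser to show which tags and attributes each version actually produces; payloads and markup are constructed for the example.

```python
import html
from html.parser import HTMLParser


def render_vulnerable(term):
    # Reflects the search term into a text node and an attribute value as-is.
    return ('<p>Results for: ' + term + '</p>'
            '<input name="q" value="' + term + '">')


def render_text_only_escape(term):
    # Escapes < > & but not quotes: enough for the text node, not for the
    # attribute, where a bare quote still closes value="...".
    safe = html.escape(term, quote=False)
    return ('<p>Results for: ' + safe + '</p>'
            '<input name="q" value="' + safe + '">')


def render_escaped(term):
    # quote=True also encodes " and ' so the value cannot close the attribute.
    safe = html.escape(term, quote=True)
    return ('<p>Results for: ' + safe + '</p>'
            '<input name="q" value="' + safe + '">')


class TagCollector(HTMLParser):
    """Records the tags and attribute names a parser extracts from the page."""

    def __init__(self):
        super().__init__()
        self.tags, self.attrs = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)


def what_browser_sees(page):
    p = TagCollector()
    p.feed(page)
    p.close()
    return set(p.tags), set(p.attrs)


def demo():
    # Constructed payloads: one aimed at the text-node context, one at the
    # attribute context.
    text_payload = "<script>alert(document.cookie)</script>"
    attr_payload = '" onmouseover="alert(document.cookie)'
    out = {}
    for name, render in [("vulnerable", render_vulnerable),
                         ("text_only", render_text_only_escape),
                         ("escaped", render_escaped)]:
        tags, _ = what_browser_sees(render(text_payload))
        out[name + "_script_tag"] = "script" in tags
        _, attrs = what_browser_sees(render(attr_payload))
        out[name + "_event_attr"] = "onmouseover" in attrs
    return out


if __name__ == "__main__":
    for key, hit in demo().items():
        print(key, hit)
```

The middle variant is the common mistake: it stops the script tag but leaves the attribute breakout, so the event handler still appears as a real attribute. Text and attribute contexts are covered by html.escape with quote=True; URL, JavaScript and CSS contexts need their own encoders, which html.escape does not provide.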

 

7) RSA Data Loss Prevention (DLP) Enterprise Manager Cross-Site Scripting Vulnerability

 

RSA Data Loss Prevention (DLP) Enterprise Manager is susceptible to Cross-Site Scripting. An attacker can leverage Cross-Site Scripting to execute script code in the browsers of unsuspecting users in context of the affected application, possibly leading to theft of authentication credentials and other attacks. Updates which resolve this issue are available. Contact the vendor for additional details.

 

http://www.securityfocus.com/bid/47642

 

8) Oracle Sun GlassFish/Java System Application Server Remote Authentication Bypass Vulnerability

 

Oracle Sun GlassFish/Java System Application Server is susceptible to a remote authentication bypass vulnerability which could allow an attacker to bypass authentication and perform unauthorized actions. Updates which resolve this issue are available. Contact the vendor for further details.

 

http://www.securityfocus.com/bid/47438

 

9) CA Arcot WebFort Versatile Authentication Server Cross-Site Scripting/URI Redirection Vulnerabilities

 

CA Arcot WebFort Versatile Authentication Server is susceptible to Cross-Site Scripting and URI Redirection vulnerabilities. Arbitrary script code can be executed in context of the affected site in the browsers of unsuspecting users if Cross-Site Scripting is successfully exploited. Successful exploitation of the URI Redirection vulnerability could give an attacker the means to redirect users to malicious sites, aiding in phishing attacks. Updates which resolve these issues are available. Contact the vendor for more information.

 

http://www.securityfocus.com/bid/47587
http://www.securityfocus.com/bid/47588
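Both this entry and the HP ProLiant Support Pack entry above list URI redirection, where the application sends users to whatever a ?next= style parameter names. What follows is an added example, not code from either product: a function that accepts only same-site paths or allow-listed hosts and sends everything else to a default page, run over constructed inputs that cover the usual bypass shapes. The allowed host and the parameter values are assumed for the example.

```python
from urllib.parse import urlsplit

# Hosts this application is willing to send users to after login; assumed
# for the example.
ALLOWED_HOSTS = {"app.example.com"}


def safe_redirect_target(next_url, allowed_hosts=ALLOWED_HOSTS, default="/"):
    """Return next_url if it stays on an allowed host, else a safe default.

    Accepts two shapes only: a same-site absolute path ("/account") or an
    http(s) URL whose host is in the allow list. Everything else, including
    the scheme-relative "//evil.example" and "/\\evil.example" forms that
    browsers treat as a new host, falls back to `default`.
    """
    if not next_url or any(ord(c) < 0x21 for c in next_url):
        # Empty, or carries whitespace/control characters (CRLF, tabs) that
        # urlsplit would silently strip and a browser might tolerate.
        return default
    parts = urlsplit(next_url)
    if not parts.scheme and not parts.netloc:
        if next_url.startswith("/") and not next_url.startswith(("//", "/\\")):
            return next_url
        return default
    if parts.scheme.lower() not in ("http", "https"):
        return default            # javascript:, data:, ftp: and the like
    host = parts.hostname         # drops userinfo and port, lower-cases
    if host is None or host not in allowed_hosts:
        return default            # also rejects app.example.com@evil.example
    return next_url


def demo():
    # Constructed inputs of the kind a ?next= or ?redirect= parameter receives.
    cases = [
        "/account/settings",
        "https://app.example.com/home",
        "https://APP.example.com:8443/home",
        "",
        "//evil.example/",
        "/\\evil.example",
        "javascript:alert(1)",
        "https://evil.example/?r=app.example.com",
        "https://app.example.com.evil.example/",
        "http://app.example.com@evil.example/",
        "/login\r\nSet-Cookie: session=attacker",
        "ftp://app.example.com/",
    ]
    return {c: safe_redirect_target(c) for c in cases}


if __name__ == "__main__":
    for url, target in demo().items():
        print(repr(url), "->", target)
```

Checking hostname rather than netloc is what defeats the user@host trick, and comparing the whole host against an allow list (not a substring or a prefix) is what defeats the lookalike domain. Rejecting control characters before parsing matters because urlsplit removes tabs and newlines on its own, which would otherwise turn a rejected input into an accepted one.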

 

10) HP Insight Control Cross-Site Request Forgery

 

HP Insight Control is susceptible to Cross-Site Request Forgery. Cross-Site Request Forgery leverages the trust a web application places in a user to make authenticated requests to a target site for which the user is logged in, and can be used to abuse any type of functionality the target web application contains.  Updates which resolve this vulnerability are available. Contact the vendor for additional information.

 

http://www.securityfocus.com/bid/47524
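This entry and the HP Systems Insight Manager entry above both describe Cross-Site Request Forgery, and the sentence above names the root cause exactly: the browser attaches the session cookie to a request whether the application's own page or an attacker's page submitted it. The block below is an added example, not code from either product, of the standard fix: a random per-session token that the application embeds in its own forms and that an attacker's page cannot read. The session dict, handlers and form fields are constructed for the example.

```python
import hmac
import secrets


def issue_csrf_token(session):
    """Mint a random per-session token and keep a copy server-side."""
    token = secrets.token_urlsafe(32)
    session["csrf"] = token
    return token  # the app embeds this in its own forms as a hidden field


def verify_csrf(session, submitted):
    expected = session.get("csrf")
    if not expected or not isinstance(submitted, str) or not submitted:
        return False
    # Constant-time comparison so the check leaks nothing about the token;
    # compare bytes so non-ASCII input cannot raise instead of failing.
    return hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8"))


def transfer_vulnerable(session, form):
    # Only the session cookie is checked. The browser attaches that cookie to
    # a request submitted from an attacker's page just as it does to the
    # application's own form, so the forged request is processed.
    if not session.get("user"):
        return 401, "not logged in"
    return 200, "sent %s to %s" % (form["amount"], form["to"])


def transfer_protected(session, form):
    if not session.get("user"):
        return 401, "not logged in"
    if not verify_csrf(session, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, "sent %s to %s" % (form["amount"], form["to"])


def demo():
    # Constructed session and forms; the dict stands in for whatever the
    # framework keeps server-side for a logged-in user.
    session = {"user": "alice"}
    token = issue_csrf_token(session)
    legit = {"to": "bob", "amount": "10", "csrf_token": token}
    forged = {"to": "mallory", "amount": "1000"}  # auto-submitted from an attacker's page
    guessed = dict(forged, csrf_token=secrets.token_urlsafe(32))
    return {
        "vuln_legit": transfer_vulnerable(session, legit)[0],
        "vuln_forged": transfer_vulnerable(session, forged)[0],
        "protected_legit": transfer_protected(session, legit)[0],
        "protected_forged": transfer_protected(session, forged)[0],
        "protected_guessed": transfer_protected(session, guessed)[0],
        "protected_logged_out": transfer_protected({}, legit)[0],
    }


if __name__ == "__main__":
    for key, status in demo().items():
        print(key, status)
```

The token has to be unguessable, bound to the session, compared in constant time, and never carried in a cookie (the forged request would bring it along too). It must also be required on every state-changing request, including ones served over XMLHttpRequest; checking it only on a few "important" forms is how the vulnerable handler above ends up in production.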

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.