HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: June 2011

90% of organizations suffered at least one data breach during the past year

A recent survey discovered that a full 90% of organizations suffered at least one data breach during the past year. Another 59% said that their networks had been compromised at least twice during that same time frame. 78% of the survey respondents said that attacks are becoming harder to detect, more difficult to prevent, occurring at a greater frequency, and compounded by tight security budgets. Not surprisingly, confidence is low (at least for over a third of the respondents) that future breaches can be prevented.

So what's the problem?

While organizations might have a better understanding of the repercussions of a successful attack, they still aren't willing to pay what security actually costs. Almost all the respondents had 10 percent or less of their IT budgets devoted to security spending. In this day and age, devoting less than 10% of your IT budget to your security efforts is not exactly a recipe for success. One reason security is expensive is the unbelievably high number of unique attack vectors that exist for each specific application, implementation, framework, and so on. When hackers only have to be right once, it's a daunting (and perhaps impossible) task to test (and secure) everything. It's not cheap, that's for sure. It's even harder when the wrong things are prioritized.

Another problem is the changed nature of hacking itself. One quote from Johnnie Konstantas of Juniper Networks (who sponsored this study) grabbed my attention: “We are seeing an uptick in hacking for profit and hacking for activism.” That's a succinct way of putting it. In a sense, organizations now face a battle on two virtual fronts. If you draw the unfortunate attention (or wrath) of a hacktivist group, it's likely every security hole you missed will be exploited, and the attacks will be 'loud', intended both to embarrass you and to damage your brand. Nobody is immune (not even security professionals). Criminal activity, on the other hand, is the opposite: 'quiet' attacks designed to go undetected. Criminals gain entrance, then burrow in and steal as much information as they can for as long as they can without being detected. Long story short, whether for profit or politics, current attacks only continue to grow in frequency and intensity, and are much more dangerous than those of even five years ago.

So, there is a bit of a double-edged sword in play. Security serves to mitigate risk, not eliminate it entirely. Yet organizations that shell out big bucks want guarantees, even as attacks and the damage they cause only increase. And of course, the real solution, for both cost and effectiveness, is to build security in from the beginning. It's cheaper, and it works better than anything else. Simply slapping new applications on top of insecure systems doesn't solve anything. Unfortunately, where we need to be doesn't seem to be where we're at.

 

Now Hiring: HP Application Security Center - Java Expert

HP is in search of a full-time Software Engineer who is available to begin quickly. HP provides software and services to help enterprises protect against the loss of confidential data through the web application layer. The company's flagship product line, WebInspect, assesses the security of an organization's applications and web services, the most vulnerable yet least secure IT infrastructure component. Software developers, quality assurance professionals, corporate security auditors and security practitioners use WebInspect products throughout the application lifecycle to identify security vulnerabilities that would otherwise go undetected by traditional measures such as automated application testing tools, network firewalls, intrusion detection systems, or manual code reviews.

The unique candidate is someone who is interested in a career in Software Engineering to create commercial-grade, component-based, and enterprise applications. The ideal candidate must thrive on a fast-paced, hard-working development team and have a passion for keeping up to date on the latest technologies. For this position, three years of experience is preferred, but not required. However, the candidate must have a BS in Computer Science or the equivalent combination of education and experience and must be eager to build a career in computer programming.

Qualifications/Technical Requirements:

  • Bachelor's Degree in Computer Science or related field of study, or equivalent combination of education and experience.
  • Knowledge of object-oriented programming.
  • Knowledge of Java, J2EE, Spring, Hibernate, Flex.
  • Knowledge of relational databases and SQL (experience with SQL Server preferred).
  • Familiarity with client-side web technologies (Flex, JavaScript, AJAX, HTML, XML) strongly desired.
  • Exposure to web application security is a big plus.
  • Experience with Web Services and XML knowledge is a plus.
  • Strong communication skills, both written and verbal.
  • Independent, self-motivated worker requiring little supervision.
  • Strong problem-solving skills.

Notes:

  • At least three years of experience.
  • Preference for someone who understands web security. Doesn't need to be a researcher, but one who understands web vulnerabilities so they can optimize and improve scanning and detection.
  • Must be a very capable coder.
  • Enterprise-level product development is a plus.
  • Clear areas of ownership and in-depth understanding of past work.
  • Must be located in the Atlanta, GA area or willing to relocate to the Atlanta area.

For more information, contact Iftach Ragoler, or click here to apply online.

Now Hiring: HP Application Security Center – C# Expert

HP is in search of a full-time Software Engineer who is available to begin quickly. HP provides software and services to help enterprises protect against the loss of confidential data through the web application layer. The company's flagship product line, WebInspect, assesses the security of an organization's applications and web services, the most vulnerable yet least secure IT infrastructure component. Software developers, quality assurance professionals, corporate security auditors and security practitioners use WebInspect products throughout the application lifecycle to identify security vulnerabilities that would otherwise go undetected by traditional measures such as automated application testing tools, network firewalls, intrusion detection systems, or manual code reviews.

The unique candidate is someone who is interested in a career in Software Engineering to create commercial-grade, component-based, and enterprise applications. The ideal candidate must thrive on a fast-paced, hard-working development team and have a passion for keeping up to date on the latest technologies. For this position, three years of experience is preferred, but not required. However, the candidate must have a BS in Computer Science or the equivalent combination of education and experience and must be eager to build a career in computer programming.

Qualifications/Technical Requirements:

  • Bachelor's Degree in Computer Science or related field of study, or equivalent combination of education and experience.
  • Knowledge of Microsoft environments (.NET, Windows 2003, Windows XP, IIS).
  • Knowledge of object-oriented programming.
  • Knowledge of C#/.NET.
  • Knowledge of relational databases and SQL (experience with SQL Server preferred).
  • Experience in developing multi-threaded applications is a big plus.
  • Familiarity with client-side web technologies (Flex, JavaScript, AJAX, HTML, XML) strongly desired.
  • Working knowledge of web protocols and technologies is a big plus.
  • Exposure to web application security is a big plus.
  • Strong communication skills, both written and verbal.
  • Independent, self-motivated worker requiring little supervision.
  • Strong problem-solving skills.

Notes:

  • Junior is OK, but would prefer 3 or so years of experience. If junior, must be a star from a good school.
  • Strong preference for someone who understands web security. Doesn't need to be a researcher, but one who understands web vulnerabilities so they can optimize and improve scanning and detection.
  • Must be a very capable coder.
  • Enterprise-level product development is a plus.
  • Clear areas of ownership and in-depth understanding of past work.
  • Must be located in the Atlanta, GA area or willing to relocate to the Atlanta area.

For more information, contact Iftach Ragoler, or click here to apply online.


Cyber-crime and cyber-terrorism are both threats

During his recent Secretary of Defense confirmation testimony, current head of the CIA Leon Panetta offered that the next "Pearl Harbor" could very well take the form of a cyber-attack. Surprisingly, at least to me, he got some serious flak for making that statement. Sure, at the present moment cyber-crime seems to be a much greater risk than cyber-terrorism. But long-term, the odds are that at some point a rogue nation or terrorist group will find a way to cause casualties or otherwise wreak havoc via a cyber-attack.

Here is the way certain things seem to be now:

  • No system that is connected to the Internet can ever be said to be 100% secure. It's the unfortunate nature of the beast.
  • When you place new applications on top of underlying systems that are insecure, then no part of it is secure. We've already seen this with Electronic Health Records.
  • Even for critical infrastructure, organizations and governments alike too often tend to take shortcuts to save both time and money. If we only learned one thing from the tragedy at Fukushima, it's that "it" absolutely can happen to you.
  • Security through obscurity doesn't work.

Nation states are actively involved in cyber espionage and attacks. That is only going to grow in intensity. Stuxnet absolutely matters in this context. So do the attacks against Lockheed Martin. For that matter, so do the attacks against the White House. So do the attacks against Congress. So do the attacks against the CIA. So do the attacks against the IMF. They're targets for a reason. Nuclear plants, the 'smart energy' grid, chemical plants...of course they're targets. And it's not like we're exactly keeping pace.

I don't think of myself as either a Cassandra or a Chicken Little...or even cynical, for that matter. I still bank online, even though Brian Krebs scares the hell out of me every time I do. But it's a logical fallacy to think that, just because cyber-crime is growing faster than attacks against infrastructure, a successful infrastructure attack is never going to happen. There is a lot of noise, but there are also real threats. For certain, a successful infrastructure attack will be an order of complexity harder than committing cyber-crime, especially when organizations are still having a hard time understanding application security. But that doesn't mean it will never happen. And for certain misguided zealots, the rewards of a successful attack will be far greater than monetary.

HP Security Is Living Large @Gartner Security & Risk Management Summit Next Week

HP is still not the Death Star; next week, however, HP Security will be well-represented as a Platinum Sponsor at Gartner's Security & Risk Management Summit in National Harbor, MD (across the harbor from DC).

HP Security's theme for the show is "Protect the Instant-On Enterprise."

On Tuesday, June 21st at 9:30 am, several HP security luminaries (including Fortify co-founder Roger Thornton) will be holding a panel discussion along with Heartland Payment Systems CISO John South, entitled "HP: Implementing and Leveraging Security Intelligence".

HP will have an impressive booth with demos showing HP's public sector-focused "Assured Identity Plus" solution, an HP TippingPoint intrusion prevention system (IPS) demo, and a demonstration of security intelligence integration between HP Fortify, TippingPoint, and ArcSight.

In addition, I will be there, attending sessions (and blogging/tweeting about them). I also aim to meet with as many of you as possible - readers; existing, former and prospective customers; and potential channel/technology partners.

If you want to set up a meeting, please send me a message at adam.hils@hp.com.

Top 10 Web Application Vulnerabilities 5/16/2011 - 6/5/2011

1) PHP 'socket_connect()' Function Stack Buffer Overflow Vulnerability

PHP is susceptible to a buffer overflow vulnerability. This issue can be leveraged to give an attacker the means to execute arbitrary machine code in the context of the PHP process, with even failed attempts likely causing the web server to crash. Updates which resolve this issue are available. Contact the vendor for additional details.

http://www.securityfocus.com/bid/47950

2) Cisco RVS4000/WRVS4400N Web Management Interface Remote Command Injection/Information Disclosure Vulnerabilities

Cisco RVS4000/WRVS4400N Web Management Interface is susceptible to multiple remote vulnerabilities including command injection and information disclosure. The command injection vulnerability can be exploited by authenticated attackers to execute arbitrary commands with root-level privileges on the affected system. The information disclosure vulnerabilities can reveal sensitive information which would likely be useful in crafting more damaging attacks. Updates which resolve these issues are available. Contact the vendor for further information.

http://www.securityfocus.com/bid/47984
http://www.securityfocus.com/bid/47985
http://www.securityfocus.com/bid/47988

3) Cisco Unified Operations Manager Multiple SQL Injection/Cross-Site Scripting Vulnerabilities

Cisco Unified Operations Manager is susceptible to multiple SQL Injection and Cross-Site Scripting vulnerabilities. If exploited, these vulnerabilities could lead to compromise of the application, the theft of confidential information and authentication credentials, or execution of malicious scripts in the browsers of unsuspecting users. Updates which resolve these issues are available. Contact the vendor for more details.

http://www.securityfocus.com/bid/47898
http://www.securityfocus.com/bid/47901
http://www.securityfocus.com/bid/47903

4) IBM WebSphere Portal Search Center Cross-Site Scripting Vulnerability

IBM WebSphere Portal Search Center is susceptible to a Cross-Site Scripting vulnerability. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Updates which resolve this issue are available. Contact the vendor for additional details.

http://www.securityfocus.com/bid/47954

5) Imperva SecureSphere SQL Query Filter Security Bypass Vulnerability

Imperva SecureSphere is susceptible to a security bypass vulnerability that will allow an attacker to exploit SQL Injection vulnerabilities. Successful exploitation could give an attacker the means to access or modify backend database contents, or in some circumstances be utilized to take control of the server hosting the database. This issue has been reported as resolved. Contact the vendor for more information.

http://www.securityfocus.com/bid/47780

6) Apache Archiva Cross-Site Request Forgery/Cross-Site Scripting/HTML Injection Vulnerabilities

Apache Archiva is susceptible to multiple instances of Cross-Site Request Forgery, Cross-Site Scripting, and HTML Injection. Cross-Site Request Forgery leverages the trust a web application places in a user to make authenticated requests to a target site for which the user is logged in, and can be used to abuse any type of functionality the target web application contains. Successful exploitation of Cross-Site Scripting and HTML Injection could be used to alter how the site appears, steal authentication credentials, or execute malicious scripts in the browsers of unsuspecting users. Updates which resolve these issues are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/48015
http://www.securityfocus.com/bid/48011
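
The two server-side mitigations for the vulnerability classes in item 6 (and the Cross-Site Scripting issues elsewhere in this list) are a per-session synchronizer token for Cross-Site Request Forgery and output encoding for Cross-Site Scripting and HTML Injection. The following is an added example written for this page, not code from the HP blog or from Apache Archiva; the in-memory session store, the handler names and the form field names are assumptions, and the inputs are constructed:

```python
"""Added example (not part of the HP blog post or any listed product):
a minimal synchronizer-token CSRF check and HTML output encoding.
The session store, function names and form layout are assumptions."""
import hmac
import html
import secrets

# Constructed in-memory session store: session id -> per-session CSRF token.
SESSIONS: dict = {}


def new_session() -> tuple:
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid, SESSIONS[sid]["csrf_token"]


def csrf_token_valid(sid: str, submitted: str) -> bool:
    """True only if the submitted token matches the one bound to this session.

    A forged cross-site request rides on the victim's session cookie (sid)
    but cannot read the token embedded in the legitimate page, so it fails
    this check. compare_digest keeps the comparison constant-time."""
    session = SESSIONS.get(sid)
    if session is None or not submitted:
        return False
    return hmac.compare_digest(session["csrf_token"], submitted)


def render_comment(author: str, body: str) -> str:
    """Embed untrusted text in HTML with &, <, >, " and ' escaped, so any
    script or markup in the input stays inert (XSS / HTML injection)."""
    return "<p><b>{}</b>: {}</p>".format(html.escape(author, quote=True),
                                        html.escape(body, quote=True))


def handle_post(sid: str, form: dict) -> tuple:
    """Process a state-changing form post; returns (HTTP status, HTML body)."""
    if not csrf_token_valid(sid, form.get("csrf_token", "")):
        return 403, "<p>Request rejected: missing or invalid CSRF token.</p>"
    return 200, render_comment(form.get("author", ""), form.get("body", ""))


if __name__ == "__main__":
    sid, token = new_session()
    # Legitimate post from the page that carried the token (constructed).
    print(handle_post(sid, {"csrf_token": token, "author": "alice",
                            "body": "<script>alert(1)</script>"}))
    # Constructed cross-site post: session cookie present, token absent.
    print(handle_post(sid, {"author": "mallory", "body": "hi"}))
```

The token is bound to the session rather than global, so a token leaked from one user's page does not validate another user's requests, and the comparison uses `hmac.compare_digest` so that a wrong token is rejected in constant time.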

7) CiscoWorks Common Services Framework Help Servlet Cross-Site Scripting Vulnerability

CiscoWorks Common Services is susceptible to a Cross-Site Scripting vulnerability. Cross-Site Scripting can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. Updates which resolve this issue are available. Contact the vendor for more details.

http://www.securityfocus.com/bid/47902

8) Apache Struts 'javatemplates' Plugin Multiple Cross-Site Scripting Vulnerabilities

The Apache Struts 'javatemplates' plugin is susceptible to multiple instances of Cross-Site Scripting. An attacker can leverage Cross-Site Scripting to execute script code in the browsers of unsuspecting users in the context of the affected application, possibly leading to theft of authentication credentials and other attacks. Updates which resolve these vulnerabilities are available. Contact the vendor for further information.

http://www.securityfocus.com/bid/47890

9) Moodle Prior to 1.9.12/2.0.3 Multiple Security Vulnerabilities

Moodle is susceptible to multiple vulnerabilities including Cross-Site Scripting, security bypass issues, and information disclosure. Attackers can leverage these issues to bypass certain security restrictions, gain access to sensitive information, and execute arbitrary code in the context of the affected site in the browsers of unsuspecting users. Updates which resolve these issues are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/47920

10) Apache Tomcat SecurityConstraints Security Bypass Vulnerability

Apache Tomcat is susceptible to a security bypass vulnerability that will allow an attacker to gain access to sensitive information which could lead to more damaging attacks. Updates which resolve this vulnerability have been released. Contact the vendor for more information.

http://www.securityfocus.com/bid/47886

Rush to digitize medical records a bad prescription for security

A recent government audit of seven hospitals found over 150 security vulnerabilities in their online medical records. While there's no question that better communication between health care professionals is a good thing and will ultimately serve to improve patient care and lower costs, the rush to computerize medical records has also had some ugly unintended security consequences. The problem is that the underlying systems themselves are not secure. And while some standards for transmitting personal health information have been enacted, corresponding general security guidelines for the underlying systems on which those transport mechanisms are layered have not been issued.

There are a lot of mandates and incentives to make sure medical records become available online. By 2015, all healthcare facilities face a deadline set by the U.S. Department of Health and Human Services (HHS) to utilize Electronic Health Records (EHRs). Organizations that don't adopt EHRs face diminishing Medicare payments, among other punitive measures. Another driving force is that the penalties for data breaches have risen dramatically (and probably will rise further). The final rules governing HIPAA privacy and security safeguards that were mandated by the HITECH Act should be enacted by the end of the year, and will provide more guidance concerning breaches of EHRs. The teeth are already in place, though. One recent violator of HIPAA privacy safeguards was penalized $4.3 million.

Further compounding the issue, medical data has become an increasingly attractive target for theft because it normally contains such key personal identifiers as names, dates of birth, Social Security numbers, and of course medical information. These can be used in all the usual ways, but can also be used to submit fake Medicare bills, among other things. Hackers are already coming for this data. One additional avenue of access that is being considered is for patients to be able to request their medical records in the format of their choice, and if that's not available, then the default will be to give them direct electronic access to that information. It doesn't take a genius to figure out that this will be a favorite and likely lucrative attack target.

In the best of times, security is hard to get right. In mandating the adoption of EHRs while increasing the fines for data breaches but without providing proper security guidance, the government has really created a potential disaster for health care providers. It's almost a case of physician, heal thy own network. It's too bad that "an ounce of prevention is worth a pound of cure" wasn't baked into this process.

New HP Software community to help tackle cloud security and more

In a recent CIO.com and IDG survey on cloud computing, security was ranked as the biggest cloud computing barrier by far, with 71% of enterprises placing security among their top three concerns. As with many early-stage architectural transformations (Web, SOA, etc.), the definitions and requirements of cloud computing are in flux. So, there is some confusion about cloud security risks and best practices. However, there are some standard cloud implementation models that are used today. Each model presents unique security challenges.

On June 6, HP Software launches a new community, Discover Performance, developed for IT executives with content specifically designed for security professionals. Members will get the following benefits:

  • Ability to share security best practices and lessons learned with other security professionals
  • Exclusive access to expert advice and opinion from security analysts, thought leaders and peers
  • Inflexion, a bi-monthly online publication
  • Invitations to exclusive webinars and local events

In fact, the inaugural edition of Inflexion includes a special article (part one of a series) focused on security for the cloud. This article analyzes the common models for adopting cloud services and explores high-level security concerns around each. Be the first to learn about these key concerns and how to address them. Join the community and receive the first edition of Inflexion.
