HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: July 2011

The costs of 5 high profile data breaches

I was working on a side project, and I kept running across some interesting statistics regarding the costs associated with some high profile data breaches. These include notifying customers and penalties for non-compliance, among other things. For instance, the RSA costs include replacing SecurID tokens. None of these numbers are final at this point, and probably won't be for years.

RSA: $400,000,000
CitiGroup: $2,700,000
Sony: potentially $24,000,000,000 (yikes!)
Epsilon: up to $4,000,000,000
Heartland Payment Systems: $140,000,000

Here are some other interesting statistics that I've recently found:


Businesses: 90% suffered a data breach during the last year
Average Cost of 1 Customer Record Breach: $318 and climbing
Average Total Data Breach Costs: $7,200,000


So, what can organizations do to help lower these costs once the barn door has been left open and the horses are running free?  One solution that seems non-intuitive to a lot of companies is simply to take the time to do the proper forensics and only notify the customers whose data was actually accessed. Ultimately, getting it right the first time is both cheaper and more effective. 

Ain't No Party Like a Real-Time Party


Believe the Hype: WebInspect Real-Time Reinvents Dynamic Scanning


This is why I joined HP's software security team last fall - to help build and bring to market innovation that redefines web application security. With WebInspect Real-Time, HP has changed the game. 


In the decade since the first automated dynamic scanning tools climbed out of the primordial ooze, users have decried their deficiencies. They're not smart enough, we heard; too many things are missed, too many pages go uncrawled. We recognized some time ago that it is no longer good enough just to fuzz an application without being aware of what is happening inside the software at runtime. To that end, we've inserted our own "eye on the inside": runtime analysis provided by SecurityScope, implemented as an agent inside the application server. WebInspect interacts with SecurityScope and uncovers every part of the application, leaving nothing untested. And since one vulnerability is often all it takes to compromise an application and possibly the underlying system, complete coverage is essential.


As Joseph Feiman, Gartner VP and application security expert, says in the linked HP WebInspect Real-Time announcement, "Even when a vulnerability is detected, DAST (Dynamic Application Scanning Technology) cannot point to the specific line of source code where the vulnerability exists." WebInspect solves that problem with SecurityScope: it can point users to the specific lines of code behind the vulnerabilities WebInspect exploited, greatly reducing the time required to fix these issues.


The SecurityScope-WebInspect communication provides us insight our competitors have begun talking about, but have been unable to introduce. Feiman calls this interaction between static/runtime analysis and dynamic security testing "integrated application security testing (IAST)."  Whatever the name, this is clearly the next generation of dynamic application vulnerability testing, allowing for wider market uptake earlier in the application lifecycle.


HP is a security company; with apologies to Coolio, there ain't no party like a real-time party.

Top Ten Web Application Vulnerabilities 6/6/2011 - 7/5/2011

1) IBM WebSphere Application Server Administration Console Cross-Site Request Forgery Vulnerability


IBM WebSphere Application Server is susceptible to a Cross-Site Request Forgery vulnerability. Cross-Site Request Forgery relies on a browser to retrieve and execute an attack. It includes a link or script in a page that connects to a site that the user may have recently used. The script then conducts seemingly authorized yet malicious actions on the user's behalf. As of this writing a fix has not been released. Contact the vendor for more details.




2) SAP Netweaver Multiple Vulnerabilities


SAP Netweaver is susceptible to multiple vulnerabilities including Cross-Site Scripting, authentication bypass, and information disclosure. An attacker can leverage these vulnerabilities to execute arbitrary code in the browsers of unsuspecting users and gain unauthorized access.  Updates which resolve these vulnerabilities are available. Contact the vendor for additional information.


3) Adobe ColdFusion Cross-Site Request Forgery Vulnerability


Adobe ColdFusion is susceptible to a Cross-Site Request Forgery vulnerability. Cross-Site Request Forgery leverages the trust a web application places in a user to make authenticated requests to a target site for which the user is logged in, and can be used to abuse any type of functionality the target web application contains. Updates which resolve this vulnerability are available. Contact the vendor for more information.
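The two CSRF entries above (WebSphere and ColdFusion) describe the same mechanism: the browser attaches the victim's session cookie to a request that a foreign page composed. The following added example, not code from the original post or from either vendor, shows the server-side check that breaks this: a per-session token that only the application's own pages can embed, plus an Origin header check. The session store, origin and request shapes are constructed for the demonstration.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> CSRF token bound to it.
SESSIONS = {}
TRUSTED_ORIGIN = "https://app.example"  # assumed origin of the application


def create_session():
    """Issue a session id and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def csrf_token_for(sid):
    """Token the application embeds in its own forms. A page on another
    site cannot read it, so a forged request cannot supply it."""
    return SESSIONS[sid]


def handle_state_change(cookies, form, headers):
    """Decide whether a state-changing POST may proceed.

    The browser attaches the session cookie to cross-site requests on its
    own, so the cookie alone proves nothing about who composed the request."""
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return 401, "no valid session"
    # Check 1: the request must carry the token bound to this session.
    submitted = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(submitted, SESSIONS[sid].encode()):
        return 403, "missing or wrong CSRF token"
    # Check 2: browsers add an Origin header to cross-site POSTs; only the
    # application's own origin may trigger state changes.
    origin = headers.get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return 403, "cross-origin request rejected"
    return 200, "action performed"
```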


4) Ruby on Rails Multiple Cross-Site Scripting Filter Security Bypass Weaknesses


Ruby on Rails is susceptible to multiple instances of Cross-Site Scripting. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Updates which resolve these vulnerabilities are available. Contact the vendor for additional details.


5) IBM Rational Team Concert Multiple Cross-Site Scripting Vulnerabilities


IBM Rational Team Concert is susceptible to multiple Cross-Site Scripting vulnerabilities.  Cross-Site Scripting can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. Updates which resolve these issues are available. Contact the vendor for further details.


6) Trend Micro Data Loss Prevention Directory Traversal Vulnerability


Trend Micro Data Loss Prevention is susceptible to a Directory Traversal vulnerability. Successful exploitation would give an attacker the means to gain possible access to sensitive information or even completely compromise the affected system. As of this writing a fix has not yet been released. Contact the vendor for more information.
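Directory traversal, as in the entry above, comes down to a file handler that joins user input onto a base directory without confirming the result stays inside it. This added example (not code from the original post or from the vendor) shows a containment check on the canonical path, validated after URL decoding; the sandbox directory and file names are constructed for the demonstration.

```python
import os
import tempfile
from urllib.parse import unquote


def safe_join(base_dir, requested):
    """Resolve a user-supplied relative path under base_dir.
    Returns the absolute path, or None if it would leave base_dir."""
    base = os.path.realpath(base_dir)
    # Validate the decoded form: the web layer may hand us '..%2F' still encoded.
    requested = unquote(requested)
    # An absolute user path would make os.path.join discard base_dir entirely.
    if os.path.isabs(requested):
        return None
    candidate = os.path.realpath(os.path.join(base, requested))
    # realpath collapses '..' and follows symlinks, so a containment check on
    # the canonical path is sound; a plain string prefix check is not.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def read_report(base_dir, requested):
    """Serve a file only if it is a regular file inside base_dir."""
    path = safe_join(base_dir, requested)
    if path is None or not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        return fh.read()


def demo():
    """Constructed sandbox: one downloadable report inside the base
    directory and one file outside it that must stay unreachable."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "reports")
    os.mkdir(base)
    with open(os.path.join(base, "q2.txt"), "wb") as fh:
        fh.write(b"quarterly report")
    with open(os.path.join(root, "secret.txt"), "wb") as fh:
        fh.write(b"not for download")
    return {
        "normal": read_report(base, "q2.txt"),
        "dotdot": read_report(base, "../secret.txt"),
        "encoded": read_report(base, "..%2Fsecret.txt"),
        "absolute": read_report(base, os.path.join(root, "secret.txt")),
    }
```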



7) IBM Web Application Firewall Security Bypass Vulnerability


IBM Web Application Firewall is susceptible to a security bypass vulnerability that will give an attacker the means to bypass restrictions and perform unauthorized actions. As of this writing a fix has not yet been released. Contact the vendor for more information.


8) HP Service Manager and Service Center Multiple Vulnerabilities


HP Service Manager and Service Center are susceptible to multiple vulnerabilities including HTML Injection and Cross-Site Scripting. Successful exploitation of these vulnerabilities could be used to alter how the site appears, steal authentication credentials, or execute malicious scripts in the browsers of unsuspecting users. Updates which resolve these vulnerabilities are available. Contact the vendor for additional details.




9) Fujitsu Accela BizSearch Cross-Site Scripting Vulnerability


Fujitsu Accela BizSearch is susceptible to Cross-Site Scripting. Arbitrary script code can be executed in the context of the affected site in the browsers of unsuspecting users if this vulnerability is successfully exploited. An update which resolves this issue is available. Contact the vendor for more information.


10) IBM Tivoli Directory Server Log File Information Disclosure Vulnerability


IBM Tivoli Directory Server is susceptible to an information disclosure vulnerability. Attackers can leverage this vulnerability to gain access to information which will likely allow them to escalate their attack methodology. Updates which resolve this issue are available. Contact the vendor for additional information.
