HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: August 2011

3 Metrics For Determining Whether To Outsource Your Web Application Testing

There's a seemingly timeless question within the halls of infosec departments worldwide: do we take on security testing ourselves, or do we find a vendor to do it for us?


The question is valid for a number of types of security testing, but there's a general trend worth noticing: as technologies come to be considered part of infrastructure rather than a series of one-off exceptions, the ability to bring testing in-house increases. As a case in point, network security used to be quite exotic and was commonly outsourced, but these days it's often part of the woodwork, just like general networking infrastructure.

This is not so with application security, as it is not only a more recent problem but the problem itself is more slippery...

Top 10 Web Application Vulnerabilities 07/15/11 - 08/14/11

1) Cisco SA 500 Series Appliances Web Management Interface Remote Command Injection/SQL Injection Vulnerabilities

Cisco SA 500 series security appliances are susceptible to a Remote Command Injection and a SQL Injection vulnerability in the web management interface. The Remote Command Injection vulnerability can be exploited to run arbitrary commands with root-level privileges on the operating system, while the SQL Injection can give an attacker full access to a backend database, and in certain circumstances can be utilized to take complete control of a system. Both of these vulnerabilities require authentication to be successfully exploited. Updates which resolve these issues are available. Contact the vendor for further details.

http://www.securityfocus.com/bid/48810
http://www.securityfocus.com/bid/48812

2) Oracle Secure Backup 'validate_login' Command Injection Remote Code Execution Vulnerability

Oracle Secure Backup is susceptible to a Remote Command Injection vulnerability. Successful exploitation will give an attacker the means to execute arbitrary code in the context of the web server process, while failed attempts will likely result in a Denial-of-Service condition. Updates which resolve this vulnerability are available. Contact the vendor for more information.

http://www.securityfocus.com/bid/48752

3) SAP NetWeaver Invoker Servlet Remote Code Execution Vulnerability

SAP NetWeaver is susceptible to a Remote Code Execution vulnerability. An attacker can leverage this to execute arbitrary script code in the context of the vulnerable application. Updates which resolve this issue are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/48925

4) Symantec Web Gateway Management GUI 'forget.php' SQL Injection Vulnerability

Symantec Web Gateway is susceptible to a SQL Injection vulnerability. Successful exploitation could give an attacker the means to access or modify backend database contents, or in some circumstances be utilized to take control of the server hosting the database. Updates which resolve this vulnerability are available. Contact the vendor for more details.

http://www.securityfocus.com/bid/48318

5) Oracle GlassFish Enterprise Server Multiple Input Validation Vulnerabilities

Oracle GlassFish Enterprise Server is susceptible to multiple vulnerabilities including Cross-Site Scripting and HTML Injection. Successful exploitation of these vulnerabilities could be used to alter how the site appears, steal authentication credentials, or execute malicious scripts in the browsers of unsuspecting users. Updates which resolve these vulnerabilities are available. Contact the vendor for further details.

http://www.securityfocus.com/bid/48797

6) SAP NetWeaver Information Disclosure/Cross-Site Scripting Vulnerabilities

SAP NetWeaver is susceptible to multiple vulnerabilities including Information Disclosure and Cross-Site Scripting. Successful exploitation would give an attacker unauthorized access to sensitive information, the means to execute code in the browser of an unsuspecting user, and the ability to steal cookie-based authentication credentials. Updates which resolve these vulnerabilities are available. Contact the vendor for more information.

http://www.securityfocus.com/bid/48718

7) HP Network Automation SQL Injection/Cross-Site Scripting Vulnerabilities

HP Network Automation is susceptible to SQL Injection and Cross-Site Scripting vulnerabilities. If exploited, these vulnerabilities could lead to compromise of the application, the theft of confidential information and authentication credentials, or execution of malicious scripts in the browsers of unsuspecting users. Updates which resolve these issues are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/48924
http://www.securityfocus.com/bid/48922

8) Symantec Endpoint Protection Cross-Site Request Forgery/Cross-Site Scripting Vulnerabilities

Symantec Endpoint Protection is susceptible to multiple vulnerabilities including Cross-Site Request Forgery and Cross-Site Scripting. If exploited, these vulnerabilities could lead to the theft of confidential information and authentication credentials, execution of malicious scripts in the browsers of unsuspecting users, or abuse of the trust a web application places in a user. Updates which resolve these vulnerabilities are available. Contact the vendor for further details.

http://www.securityfocus.com/bid/49101
http://www.securityfocus.com/bid/48231

9) Google Search Appliance Cross-Site Scripting Vulnerability

Google Search Appliance is susceptible to a Cross-Site Scripting vulnerability. If this vulnerability is successfully exploited, arbitrary script code can be executed in the context of the affected site in the browsers of unsuspecting users. Updates which resolve this vulnerability are available. Contact the vendor for more information.

http://www.securityfocus.com/bid/48957

10) HP ArcSight Connector Appliance Cross-Site Scripting Vulnerability

HP ArcSight Connector Appliance is susceptible to a Cross-Site Scripting vulnerability. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Updates which resolve this vulnerability are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/48694

Cost of dealing with cyber crime increased 56% in one year

HP and the Ponemon Institute recently released the Annual Cost of Cyber Crime Study which showed that the upward trend in the costs of cybercrime continues unabated. In fact, the median cost of dealing with cybercrime rose 56% to $5.9 million in just one year. As if businesses didn't already have enough to contend with in this climate.

And don't expect these costs to go down anytime soon. We've already seen what data breaches can cost organizations. Dr. Ponemon said it best: "As the sophistication and frequency of cyber attacks increases, so too will the economic consequences."

In 2010, it took an organization an average of 14 days and $250,000 to recover from a cyber attack. In 2011, that's already increased to 18 days and $416,000. Factor in the costs associated with noncompliance with governmental regulations and notifying customers of data breaches, and you're staring at a whopping number.

An even more disconcerting statistic, if that is possible, is that the surveyed organizations experienced an average of 72 successful attacks per week. That was a 45% increase from 2010. And in this day and age, sometimes all it takes is one attack to compromise your system completely.

Organizations once again face a choice. Pay now by implementing Secure Development Lifecycle practices in your development organization, or pay later by getting hacked.
