HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and carry out a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms, unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: August 2012

Tip #1: Centralized approach – Unify security & IT operations


You can only secure what you can “see”. My tip #1 is to take a centralized approach: collect the log data from every log-generating source into one place. Since “seeing” everything means more machine data, you need the right tools, such as a security- and identity-focused event correlation engine, to understand and analyze the risks in your IT environment. The last step is to take action using your IT operations tools.
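To make the three steps concrete (collect everything centrally, correlate across sources, hand an action to IT operations), here is an added illustration in Python. It is example code written for this post, not HP ESP or ArcSight code; the log formats, host names, user names and addresses are all constructed, and the two rules are hypothetical examples of the kind of cross-source logic a correlation engine runs.

```python
"""Cross-source correlation over constructed VPN and identity-management logs.
Example code for Tip #1, not HP ESP/ArcSight code; every log line below is made up."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs from two sources: a VPN concentrator and an identity system.
VPN_LOGS = """\
2012-08-14T08:01:10 vpn01 auth-fail user=jsmith src=203.0.113.7
2012-08-14T08:01:15 vpn01 auth-fail user=jsmith src=203.0.113.7
2012-08-14T08:01:21 vpn01 auth-fail user=jsmith src=203.0.113.7
2012-08-14T08:01:27 vpn01 auth-fail user=jsmith src=203.0.113.7
2012-08-14T08:01:33 vpn01 auth-fail user=jsmith src=203.0.113.7
2012-08-14T08:01:40 vpn01 auth-ok user=jsmith src=203.0.113.7
2012-08-14T09:15:02 vpn01 auth-ok user=adoe src=198.51.100.22
"""
IDM_LOGS = """\
2012-08-14T08:03:05 idm01 role-grant user=jsmith role=DomainAdmin by=svc-provision
2012-08-14T09:20:00 idm01 role-grant user=adoe role=HelpDesk by=hr-sync
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse(text, source):
    """Normalise one raw stream into a common schema: ts, host, source, event, key=value fields."""
    events = []
    for line in text.splitlines():
        ts, host, event, rest = line.split(" ", 3)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "source": source, "event": event, **dict(KV.findall(rest))})
    return events


def collect(streams):
    """Step 1: every source into one time-ordered stream."""
    events = [e for name, text in streams.items() for e in parse(text, name)]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, fail_threshold=5, window=timedelta(minutes=2),
              escalation_window=timedelta(minutes=10)):
    """Step 2: rules that only fire when events from different sources line up.
    Each finding carries the action an IT-operations tool would be asked to take (step 3)."""
    findings = []
    fails = defaultdict(list)   # user -> timestamps of auth failures inside the window
    suspect = {}                # user -> time of a success that followed a failure burst
    for e in events:
        if e["event"] == "auth-fail":
            recent = [t for t in fails[e["user"]] if e["ts"] - t <= window]
            fails[e["user"]] = recent + [e["ts"]]
        elif e["event"] == "auth-ok":
            # a success reset the failure counter; a success after a burst is suspect
            if len(fails.pop(e["user"], [])) >= fail_threshold:
                suspect[e["user"]] = e["ts"]
                findings.append({"rule": "bruteforce-then-success", "user": e["user"],
                                 "src": e["src"], "severity": "medium",
                                 "action": "terminate VPN session, force password reset"})
        elif e["event"] == "role-grant" and e["user"] in suspect:
            # identity event on its own looks routine; combined with the VPN burst it is not
            if e["ts"] - suspect[e["user"]] <= escalation_window:
                findings.append({"rule": "privilege-grant-after-suspect-login",
                                 "user": e["user"], "role": e["role"], "severity": "high",
                                 "action": "disable account, revoke role, open incident"})
    return findings


def run():
    """Collect, correlate and return the findings for the constructed logs."""
    return correlate(collect({"vpn": VPN_LOGS, "idm": IDM_LOGS}))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Neither source alone tells the story: the VPN logs show a burst of failures followed by a success, and the identity logs show a routine-looking role grant. Only after both streams are normalised into one timeline does the second rule fire, which is the point of centralising before correlating.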

Top 10 tips for unifying security and IT operations


The emergence of Enterprise 2.0, with social, mobile, local, and cloud applications inside the enterprise, has increased IT operational challenges. Other trends such as bring your own device (BYOD) add new dimensions that challenge IT operations because of the diversity of form factors, operating systems, and vendors.

Your customers and employees are demanding an open platform to facilitate better collaboration. However, your IT operations may not be in a position to support Enterprise 2.0 or BYOD because of security challenges or resource constraints. So how do you align your business requirements with your IT resources while keeping everything secure? 

Getting to Know the OWASP ASVS

The Open Web Application Security Project (OWASP) is well known for its Top 10 list, and perhaps for its testing methodology as well, but comparatively few people are aware of its Application Security Verification Standard (ASVS) project.

The ASVS, as its name suggests, is a standard for verifying the security of applications, as opposed to a methodology for testing them. This is not a distinction without a difference, but rather a key piece missing from many appsec efforts...

Tags: appsec| owasp| websec
Labels: appsec| asvs| OWASP| websec

WebInspect and Web Application Scanner Comparisons

IBM has been making some noise about its recent showing in Shay Chen’s web application scanner comparison study. While Shay’s results show a lot of things, they don’t show that AppScan is a better solution. Not by a long shot.

For the sake of comparison, here’s how WebInspect ranked in the different categories:

#1 – WIVET (Web Input Vector Extractor Teaser)  

#1 – Coverage features (tied)

#1 – Input Vectors (tied)

#1 – XSS (tied)

#2 – Audit Features Comparison

#2 – RFI

#4 – SQLi (the difference between 1st and 4th was 0.74%, and the score counted detections only, not false positives; otherwise the results would have changed.)

The WIVET category is arguably the most important, and one that WebInspect won. If you can’t find a page, how can you test it for vulnerabilities?

What Shay’s results don’t show are some scoring issues that cost us points. In certain categories Shay used the WebInspect ‘All Checks’ policy to maintain consistency across all his tests. Unfortunately this produced a number of false positives, because certain checks included in that policy as a fail-safe mechanism do simple pattern matching rather than the more intelligent checks used in other WebInspect policies. In other words, our ‘All Checks’ policy is the kitchen-sink approach: we throw everything we can at an application, and some of that isn’t necessarily pretty. That is exactly why our default scanning policy is the ‘Standard’ policy. To his credit, Shay was fair in that he used the same criteria for every scanner. Here was his comment on the matter: 

“…the All Checks policy is not tagged as experimental and the consumer does not have any obvious leads that using it might affect the accuracy, and thus, I have no workaround for this issue.”


We can concede that point. We’d much rather Shay maintain a level playing field than change anything because we weren’t specific enough in our description.
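The difference between a fail-safe pattern-matching check and a more intelligent one is easy to show in code. The following is an added illustration written for this post, not WebInspect’s checks or any other product’s: two hypothetical endpoints run against an in-memory SQLite database, one genuinely injectable and one that is safe but whose help text happens to contain a database error message. A check that only greps responses for error strings flags both; a differential (boolean) check flags only the real bug.

```python
"""Pattern-matching check versus differential check for SQL injection.
Example code for this post, not WebInspect's checks. Both endpoints are
hypothetical and are backed by an in-memory SQLite table built here."""
import sqlite3

DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE items (id INTEGER, name TEXT)")
DB.executemany("INSERT INTO items VALUES (?, ?)", [(1, "widget"), (2, "gadget")])


def render(rows):
    return "<ul>" + "".join(f"<li>{name}</li>" for (name,) in rows) + "</ul>"


def vulnerable_app(item_id):
    """Hypothetical endpoint with the real bug: user input concatenated into SQL."""
    try:
        rows = DB.execute(f"SELECT name FROM items WHERE id = {item_id}").fetchall()
    except sqlite3.Error as exc:
        return f"<p>Database error: {exc}</p>"
    return render(rows)


def safe_app(item_id):
    """Hypothetical endpoint with a parameterised query whose help text mentions a
    database error message: a 'signature' on the page without any bug behind it."""
    rows = DB.execute("SELECT name FROM items WHERE id = ?", (item_id,)).fetchall()
    return render(rows) + ("<p>Tip: 'You have an error in your SQL syntax' during "
                           "a CSV import usually means bad quoting.</p>")


# Strings a kitchen-sink check might grep for (constructed list, lower-cased).
ERROR_SIGNATURES = ("syntax error", "unrecognized token", "sql syntax", "ora-", "odbc")


def signature_check(app, param="1"):
    """Fail-safe style: send a few malformed values and grep the response body.
    Cheap, but any page that merely talks about SQL errors trips it."""
    for probe in (param + "'", param + ")"):
        body = app(probe).lower()
        if any(sig in body for sig in ERROR_SIGNATURES):
            return True
    return False


def boolean_check(app, param="1"):
    """Differential style: an always-true condition must leave the page unchanged
    and an always-false one must change it. Text about errors cannot trip this."""
    baseline = app(param)
    true_page = app(f"{param} AND 1=1")
    false_page = app(f"{param} AND 1=2")
    return true_page == baseline and false_page != baseline


if __name__ == "__main__":
    for name, app in (("vulnerable_app", vulnerable_app), ("safe_app", safe_app)):
        print(name, "signature:", signature_check(app), "boolean:", boolean_check(app))
```

The signature check reports both endpoints as injectable, which is the false-positive behaviour described above; the boolean check reports only the concatenated query. The differential check has its own blind spot, which a scanner policy has to handle: if the page echoes the submitted value back, the true-condition response will differ from the baseline for that reason alone, so the comparison has to be restricted to the data region of the page rather than the whole body.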


It will be interesting to see the results of Shay’s next set of tests. We are most definitely looking forward to the competition. 
