HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and carry out a host of other malicious acts. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms, unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Displaying articles for: September 2011

Healthcare organizations not ready for new security standards

A new wave of federal requirements set by the HITECH provisions of the American Recovery and Reinvestment Act concerning the confidentiality of patient data and personal health information is getting ready to be implemented. Among provisions concerning new rules and fines for data breach disclosure, one new requirement is that healthcare organizations will now be mandated to conduct annual risk assessments. On top of that, the Office of Civil Rights (OCR) will soon begin auditing healthcare organizations to ensure compliance with the new HITECH rules.


So, are healthcare organizations getting ready for these changes? As of yet, not so much. A recent survey conducted by the HIMSS found that 53% weren't conducting annual risk assessments. 58% had no dedicated staff for security efforts. Half currently spend less than 3% of their organizational resources on security.


A lot of healthcare organizations can be forgiven in that until just the past year HIPAA rules were rarely enforced. Things have changed, though. The move towards Electronic Health Records has necessitated that security concerns be addressed (albeit after the fact and not in conjunction, but hey, one thing at a time). And as the new regulations actually have some teeth, the potential negative impact of doing no risk analysis whatsoever should help to spur organizations that deal with healthcare information into the fold. Now let's hope they know that.

Trust (but Verify) Your Software: Notes From the Fortify Software Security Assurance Summit

This past Monday, I was fortunate to participate in an HP Fortify-sponsored event, the SSA Summit, in Washington, DC. Near (but discrete from) the much larger HP Protect 2011, the SSA Summit brought 85 security executives together to hear compelling content from industry thought leaders, and to ask questions and offer insights that can only be gleaned from people who wrestle with application security challenges each day.


What is SSA?

"Software Security Assurance" is, simply, the systematic process for ensuring an organization’s software can be secure. A comprehensive approach to SSA addresses risks from in-house development, outsourced projects, third-party commercial apps, and open source projects. Done correctly, SSA will instill secure development practices for creating new code and address the weaknesses already present in deployed applications. It includes elements of training, technology, vendor management, compliance, and metrics to track progress.


This programmatic approach to securing applications pulls in static application security testing (SAST), dynamic application security testing, run-time testing, and other technologies. As organizations adopt this mindset, they are less concerned about which discrete security widgets to buy; rather, they buy solutions to help them reach their overarching "secure-the-software-continuously-throughout-the-lifecycle" goal.


Summit Highlights

Rob Roy, HP Fortify's Federal CTO, kicked off the talks with some frightening statistics:


  • In 2010, 85% of enterprises reported one or more cyberattacks
  • There is a $7.2M average cost associated with an enterprise data breach
  • On average, public companies that have suffered data breaches have lost 30% on their market caps; and
  • It costs 3 cents an hour to rent Amazon's EC2 cloud-based computing service, providing a dirt-cheap anonymized platform for wrongdoing. Talk about asymmetrical warfare!

After Rob made everyone in the room change their underwear, Dr. Eugene Schultz, CTO of Emagined Security, took the floor. His presentation - "The Proliferation of High Profile Cyberattacks: Is There an End in Sight?" - was even more uplifting than Rob's presentation. Dr. Schultz cited the 2010/2011 FBI Computer Crime survey, which found that 87% of respondents had experienced malicious code infection, more than doubling the next-most experienced category, "successful phishing" (39%). He then provided a very entertaining review of computer crime history, dating all the way back to the 1950s, ending with today's wave of high-profile attacks.


Heartland Payment Systems' John South, the CISO whom Heartland hired following their catastrophic 2009 breach, then discussed that breach and other matters in "Evolution of Application Security: From Breach to Mobile Applications". The blow-by-blow case study of the breach - and Heartland's response - was gripping stuff. Heartland today uses a range of security techniques across the application lifecycle, including static analysis, dynamic analysis, and web application firewalls (WAFs) to shield production web app vulnerabilities that dynamic scanners find while the underlying code is being remediated.


Finally, South described Heartland's approach to mobile application security, an emerging concern that requires the organization to morph some of their security techniques across the same basic SDLC.


Following an interesting talk about "Social Media and the Potential of Cyber Security Attacks", we broke into our Executive Roundtables. I moderated one on the topic of "Selling Application Security within the Commercial Enterprise". I was lucky to have executives at my table from organizations with varying levels of application security, so their experiences were different. Their common denominator was that they were actively addressing the problem of SSA, which cannot be said of all organizations. They had each at least started down the path of setting up and communicating a systematized software security program, and they shared insights and best practices about communicating with developers, increasing their security awareness and getting buy-in; monitoring web application health in production; and integrating and enforcing security processes across the application lifecycle. This session was for me a great way to hear the struggles and successes of appsec-engaged enterprises.


A Snapshot from HP Protect

After the Summit ended Monday evening, I spent the next two days speaking with security practitioners from HP Protect, a gathering of ~2,000 infosec practitioners. Many of the organizations these folks came from view application security - if they consider it at all - as a way to get compliance checkmarks in PCI or SCADA. They may want to address appsec, but they see the problem as a matter of acquiring tools, not of changing processes across the application lifecycle.


The final day of the show, a customer conversation crystallized the difference for me. An HP security customer approached me about WebInspect, because he believed his approach to application security was insufficient. As a member of a 2-person (him and the CISO) infosec group in a 700-employee electric utility company, he has time to manage his firewalls and IPS, tune his SIEM, and run his network vulnerability tests. In his spare time, he runs episodic web app vulnerability tests using open source tools. His developers don't believe him some of the time when he finds vulnerabilities, and at that point it's very difficult to even pinpoint the problem, much less remediate it. I showed this customer WebInspect Real-Time, which finds a vulnerability and points back eventually to the line of code. His eyes lit up, and I got his contact information to continue discussions with him; however, this customer, as he sees the more extensive set of vulnerabilities he finds using our unsurpassed dynamic scanning approach, will see that he must do more than just buy tools. I hope that in two years he will be able to present a case study at the 2013 Fortify SSA Summit describing his organization's SSA transformation.

Now hiring - HP Application Security Center QA Engineer

Exciting security things are happening at HP. With the new alignment of enterprise security assets within HP (Application Security Center, Fortify, TippingPoint, Arcsight, etc.), there is huge potential for career opportunity and growth at HP for security professionals. Huge. One of the exciting results of this is that we are growing the HP Application Security Center (ASC) team in Atlanta. We now have a QA Engineer position available in our Atlanta office. We are looking for applicants with an aptitude for breaking software in a creative fashion and an eagerness to learn new technologies. The requirements for this position follow:


Job Requirements:


  • Thorough knowledge of the software life cycle, software quality assurance methods and testing, web servers and web programming languages.
  • Thorough understanding of system development methodologies, architectures, environments, technical/software specifications, technical manuals, programming languages and query tools.
  • A 4 year degree required.
  • A minimum of 5 years of experience is required.
  • Familiarity with Web 2.0, Web Services, and REST.
  • Skilled at setting up testing environments.
  • Skilled at VMware.
  • Skilled at using a defect tracking system such as Quality Center/Bugzilla.
  • Skilled at using proxies and a packet sniffer.
  • Skilled at using various Windows OS.

Required Abilities:


  • Able to execute a variety of rigorous tests within agreed timelines at various stages of project development.
  • Able to accurately classify and record the exact cause of each defect.
  • Able to work with limited supervision, and to take ownership of tasks and follow them through to completion.

Required Skills:

  • Strong attention to detail -- logical and structured when recording and documenting problems.
  • Skilled in developing good working relationships with colleagues.
  • Excellent written and verbal communication skills.
  • General knowledge of all aspects of the software engineering process.
  • Experience in a wide variety of testing efforts, techniques and tools.
  • People skills, especially diplomacy and advocacy skills.
  • Planning and management skills.
  • Experience in web development.
  • Experience in a variety of testing efforts.
  • Diagnostic and problem solving skills.
  • Broad knowledge of hardware and software and software installation and setup.


If you love testing products, are interested in security, and want to work with a dedicated, energetic, and fun team, this is your chance. For more information, contact Jags Kandasamy jags.kandasamy@hp.com.  


The 2011 Mid-Year Top Cyber Security Risks Report released

We are very pleased to announce the release of the 2011 Mid-Year Top Cyber Security Risks Report. This was a joint effort between HP DVLabs, Fortify on Demand, and the ASC Web Security Research Group. In addition, data from the Open Source Vulnerability Database (OSVDB) was utilized to create a full picture of the current web application vulnerability landscape.


The primary objective of this edition of the Top Cyber Security Risks Report was to clearly articulate the risks and weaknesses inherent in web applications. It also highlights the rising number of attacks that leverage the vulnerabilities discussed throughout the paper. If you're a security professional, it's a must-read.


To view the report, click here.



The HP Web Security Research Group - now hiring a Sr. Web Security Researcher

Exciting security things are happening at HP. With the new critical mass of enterprise security assets within HP (Application Security Center, Fortify, TippingPoint, Arcsight, etc.), there is huge potential for career opportunity and growth at HP for security professionals. Huge. One of the exciting results of this new strategic focus on security is that we are committed to strengthening the HP Web Security Research Group (the group formerly known as SPI Labs) in Atlanta.


So, what are we looking for? Applicants with an aptitude for breaking stuff in a creative fashion and an eagerness to learn new technologies and implement ideas that will help advance existing web application security assessment methodologies. We want people that are passionate about security and willing to tackle challenging projects. We want people who are excited about investigating various web application frameworks and technologies for security defects and then producing solutions to detect those issues automatically. If you love security and want to work with a dedicated, energetic, and fun team, this is your chance.  


Here are some more details about what this position will entail:




Product research:

  • Investigate and implement techniques for exploiting security vulnerabilities
  • Research new methods for automatic detection of vulnerabilities
  • Follow trends in software security and assess their significance

Thought Leadership:

  • Present research ideas/outcomes at security/developer conferences
  • Blog and engage with press when required

Vulnerability research:

  • Identify vulnerabilities in prominent enterprise web software and add product support to detect these issues.
  • Track advisories for known vulnerabilities in prominent enterprise applications and support automated detection. 
  • Perform frequent pen-tests/security assessments – Identify challenges with the existing assessment technologies and devise solutions to address them.
  • Support the development, sales and customer support teams. 



  • BA/BS, MS or PhD in computer science, computer engineering or information security preferred but not required
  • Penetration Testing experience required
  • Familiarity with web application frameworks including ASP.NET, Java, PHP etc.
  • Familiarity with .NET development platform
  • Familiarity with web scanning technology (commercial or open-source)
  • Strong Communication Skills

 If you're interested, contact Iftach Ragoler for more information.

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.