HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Important Questions for Big Security Data

hp-HAVEn.jpgHAVEn is a big data toolbox; however, it’s what you can use it for that actually matters. This post asks a number of questions about how you can use big data to answer security questions that were never possible before. Using data to answer security questions instead of anecdotes is an important step forward for our industry. 

HP TippingPoint named a leader in Next-Gen Intrusion Prevention

ngips.jpgHP TippingPoint is pleased to announce our placement in the leader’s quadrant of the Intrusion Prevention System Magic Quadrant for the 9th consecutive year!

Tags: HP| security

Top questions to help you think like a cyber criminal

Screen Shot 2013-12-11 at 15.57.37.pngThese are questions I would like the answer to when evaluating a cyber criminal’s motivation, capability and likely, next-expected event. Thinking like a bad guy requires understanding them at a deeper level than just technology. This is a carry over from my last post on knowing your enemy. 

Tags: Defense| HP| security

Know Your Enemy – Not just what they are up to…

Screen Shot 2013-11-25 at 13.01.20.pngWhen you defend your enterprise you are defending against “someone” and WHO they are matters to HOW you best defend against them. What types of information can be useful to understanding your attackers?

Tags: Defense| HP| security

Security breach response time: Get it right, and save money

co3.pngThe longer it takes you to respond to a security breach, the more it will cost your organization.  Read on to learn more about an upcoming free webinar, that will explain how security monitoring can be integrated with incident response programs to reduce the cost of an attack.

Know Thyself – Cyber Defense Doctrine

Its time to open a conversation on effective defensive security doctrine. Let's take back the initiative from our opponents!

Tags: HP| security
Labels: appsec| ArcSight| ESM| HP| security

Getting to Know the OWASP ASVS

The Open Web Application Security Project OWASP is well known for its Top 10 list, and perhaps for its testing methodology as well, but comparitively few people are aware of its Application Security Verification Standard (ASVS) Project

 

OWASP ASVS

 

The ASVS, as the name alludes to, is a standard for verifying the security of applications as opposed to a methodology for testing them. This is not a distinction without a difference, but rather a key piece missing from many appsec efforts...

Tags: appsec| owasp| websec
Labels: appsec| asvs| OWASP| websec

Decoupling the 'False Positive'

There’s often a significant amount of debate between internal appsec groups and developer groups around the topic of false positives. What exactly determines whether something is or is not a true false positive? And how can appsec groups synchronize so as to reduce confusion on the topic?

 

Semantics lie at the center of many arguments, and the debate around “false positives” offers no exception. What I’ve found is that there are often two different meanings that are being used in a single discussion about false positives, and if each side doesn’t realize which definition the other is using, chaos will ensue. Here are the two definitions I most commonly encounter:

 

  1. The tool is claiming something that isn’t true, i.e. the vulnerability that it says it found actually was not found. One example of this might be the presence of a secretfile.aspx.bak file. The tool says it found the contents of this .aspx file, but when you look at the response you see that it’s no more than a custom 404 page.
  2. The finding is technically correct, but nobody cares, i.e. a finding comes back saying that a password value is being passed via GET request to a given application, and the issue has been fully explained to the development team and management; they’ve simply decided not to change it.

 

Let’s forget for a moment that development groups (or any IT group really) shouldn’t be “deciding” anything when it comes to risk. The point here is that they acknowledge that the claim made by the tool is accurate—they simply don’t think it’s important enough to call an issue or defect.

 

This distinction is critical when appsec groups are communicating with development groups and management. I recommend keeping the term “false positive” firmly nailed down to the concept of the tool being accurate in its claims, and insisting that another term be used for not believing the issue identified is worth addressing.

 

Language matters. Insisting that key terms like these are used both correctly and consistently will prevent excessively long and repetitive email threads over semantics which can result in increased pushback from development and management groups.

 

So, as a follow-up, what do you see being used as a term for the "ignored positives"? Accepted risks? Another coloquialism? Let me know in the comments. Also, feel free to reach out to me at daniel.miessler@hp.com.

Labels: appsec| infosec
Search
Showing results for 
Search instead for 
Do you mean 
About the Author(s)
Follow Us


HP Blog

HP Software Solutions Blog

Labels
The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation