HP Security Products Blog
From applications to infrastructure, enterprises and governments alike face a constant barrage of digital attacks designed to steal data, cripple networks, damage brands, and perform a host of other malicious intents. HP Enterprise Security Products offers products and services that help organizations meet the security demands of a rapidly changing and more dangerous world. HP ESP enables businesses and institutions to take a proactive approach to security that integrates information correlation, deep application analysis and network-level defense mechanisms—unifying the components of a complete security program and reducing risk across your enterprise. In this blog, we will announce the latest offerings from HP ESP, discuss current trends in vulnerability research and technology, reveal new HP ESP security initiatives and promote our upcoming appearances and speaking engagements.

Uncharted Territories: the personal-corporate-social-web-mashup

Corporate web communications have grown from simple web pages to massive and complex applications. The security department has mostly kept up and maintained a secure perimeter—even when that perimeter included outsourced and vendor systems. Contracts were in place, systems were secured, and life was good—even when the executives had their own blogs.


But just when everyone was getting comfortable again, enter the social web: MySpace, Twitter, and Facebook. People started using them and corporations followed. Born of this are the corporate MySpace pages, Facebook groups, Facebook fan pages, management’s Twitter accounts, LinkedIn recruiting pages and more…


Did you see what happened there? No? It’s okay, neither did the security department.


So what was it? The customer contact point shifted from the corporate web environment to one controlled by a third-party.


Unlike most arrangements made with third-party vendors, this relationship is likely not covered by any type of contract, agreement or partnership. There is no guarantee for reliability, privacy, security or any type of regulatory controls. Your corporate users/administrators, as well as your customers, are bound by the third-party’s terms of service and policies, not yours, and you are also at their whim with regard to functionality and design.


These are no small issues when you consider the spider-web of laws, regulations and agencies that may cover many large businesses: Sarbanes-Oxley, HIPAA, GLB, etc. The security team, human resources and PR/brand all have a vested interest in keeping your sites and customer information secured, protected and private, and they just lost control of a key piece of the infrastructure.


This is not a completely theoretical risk. Looking at the news for the past few years, it’s easy to come up with examples that could have business, customer or employee impact. Even if no laws were violated or charges filed, in the internet age a negative story can spread like wildfire and damage brand.


Here are a few quick examples:


These are simply a few recent examples, but represent the tip of the iceberg. It’s hard to find news stories of confidential or proprietary corporate information posted to these sites, but you can safely bet it happens.


As marketing and PR types take a bigger interest in these channels to reach additional markets, and more and more users flock to these sites, the corporate presence there is going to increase drastically.


So what should a company do? With regard to employees, here are a few suggestions:


  • Remind employees it is their responsibility to safeguard corporate and customer information.
  • Incorporate messages about social networking into existing employee training and policies, and if applicable, give employees refresher courses.
  • Ensure employees realize the internet isn’t actually anonymous, and that they should behave ethically and in a manner that doesn’t reflect poorly on themselves or the company.


If the company is creating an official presence on third-party web sites, some additional suggestions come to mind:


  • Determine the proper ownership for these channels—perhaps marketing or public relations—and establish a centralized point of contact.
  • Implement policies, guidelines and/or a code of ethics which clearly determine what information can and cannot be posted, and have a review procedure for anything questionable.
  • Implement policies/procedures for managing accounts and passwords to third-party systems, which include controls for changing passwords after employee attrition, choosing strong passwords, etc.
  • Implement procedures for monitoring the sites on a regular basis to ensure the messages, conversations and the brand “image” are appropriate (this can be contracted to other parties).
  • With the legal department, review the terms and conditions of the web site to look for potential pitfalls with regard to marketing through the site as well as ownership of uploaded content.
  • Thoroughly investigate privacy and security settings on the web site, and determine which should be enabled to best protect the company, customers and the user accounts.
  • If any relationship becomes mission critical or an important piece of the business, pursue contracts with the site operators which attempt to establish things like official support, uptime guarantees, additional security features, etc.   

These may all seem like daunting tasks, but any company with even a partially mature security department and policies should be able to integrate these types of changes fairly easily—in almost every case these are simply extensions, additions or clarifications to things already present in the corporate culture.


Given the immense popularity of these sites and their growth rates, the problem isn’t going away any time soon. Before the next wave of change comes to the internet, social networking policies and changes should be dealt with in a way that respects what employees do in their off-hours, protects the company and provides a new opportunity for corporate growth. The company that sticks its head in the sand may find itself in a nasty situation that could have been easily avoided with a little forethought.

Passive Scan Policy Available for Download via SmartUpdate

The HP Web Security Research Group has released a new policy geared towards "passive" scanning of an application. Passive scanning of an application means that no actual exploits will be attempted, making the assessment safe to perform against production servers. Vulnerabilities detected by this policy include issues of path disclosure, error messages, and others of a similar nature. To download the policy, simply click Smart Update in WebInspect.
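To make the distinction concrete, here is an added illustration (not HP's code and not the rules shipped in the WebInspect policy) of what a passive check does: it reads responses an ordinary crawl has already captured and looks for path disclosure, verbose error messages and version banners, sending no probes of its own. The signature patterns and the sample responses are constructed for this example.

```python
import re

# Illustrative signatures for information leaks visible in ordinary responses.
# These are example patterns, not the policy's actual rule set.
PASSIVE_CHECKS = {
    "path_disclosure": re.compile(
        r"(?:[A-Za-z]:\\(?:[\w.-]+\\)+[\w.-]+"          # Windows file path
        r"|/(?:var|home|usr|opt|srv)/(?:[\w.-]+/)+[\w.-]+)"  # Unix file path
    ),
    "verbose_error": re.compile(
        r"(?:Traceback \(most recent call last\)|Exception in thread|"
        r"ORA-\d{5}|You have an error in your SQL syntax|"
        r"Warning: \w+\(\) \[|at [\w.$]+\(\w+\.java:\d+\))"
    ),
}
# A product name followed by a version number, e.g. "Apache/2.2.3".
SERVER_VERSION = re.compile(r"^[A-Za-z-]+/\d[\w.]*")

def passive_check(status, headers, body):
    """Inspect one already-captured response. Nothing is sent to the server;
    the function only reads what a normal request returned."""
    findings = []
    for name, pattern in PASSIVE_CHECKS.items():
        for match in pattern.finditer(body):
            findings.append((name, match.group(0)))
    for header in ("Server", "X-Powered-By"):
        value = headers.get(header)
        if value and SERVER_VERSION.match(value):
            findings.append(("version_banner", f"{header}: {value}"))
    if status >= 500:  # an unhandled error page is itself worth reporting
        findings.append(("server_error", f"HTTP {status}"))
    return findings

# Constructed sample responses standing in for a crawl of a test application.
SAMPLE_RESPONSES = [
    (200, {"Server": "nginx"}, "<html><body>Welcome</body></html>"),
    (500, {"Server": "Apache/2.2.3 (CentOS)", "X-Powered-By": "PHP/5.2.6"},
     "Warning: include() [function.include]: failed to open stream in "
     "/var/www/html/includes/config.php on line 12"),
    (200, {"Server": "Microsoft-IIS/6.0"},
     "Exception in thread main: Could not read C:\\inetpub\\wwwroot\\app\\web.config"),
]

def scan_all(responses):
    """Map response index -> findings, omitting responses with nothing to report."""
    report = {}
    for index, (status, headers, body) in enumerate(responses):
        hits = passive_check(status, headers, body)
        if hits:
            report[index] = hits
    return report

if __name__ == "__main__":
    for index, hits in scan_all(SAMPLE_RESPONSES).items():
        print(index, hits)
```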