Web Application Security Newsletter - April 2007
A MESSAGE FROM THE EDITOR
Education and the need for raising awareness run central throughout our
featured articles this month. Despite an ongoing and increasing number of high
profile breaches, a recent study reveals that many managers find themselves
severely limited by tight budgets when it comes to performing regular testing
for vulnerabilities. It was also found that some managers’ perceptions of the
value of testing have dropped since 2005, which seems ironic in these times of
increasing attacks and threats. Another study indicates a lack of awareness
that traditional network firewalls do not protect web applications from attack.
As an appropriate segue, we present an article that looks at the hard numbers
on the cost of data breaches, down to the individual customer record. On the
positive side, SANS Institute announced a new exam program designed to ensure
that programmers practice secure coding techniques. The program will offer the
option for certification. Finally, we announce the launch of our new 20/20
program, designed to give you much enhanced visibility into your web
application security. We invite you to participate.
1. Tired of poor visibility with your current application security system?
Achieve real application security now through Cenzic’s new 20/20 Program.
If you have had enough of application insecurity with SPI Dynamics, Watchfire
and WhiteHat, our 20/20 Program is for you. For any application you thought you
secured with SPI Dynamics, Watchfire or WhiteHat products, if Cenzic is able to
find 20% more actual vulnerabilities with 20% less false positives, you’ll
receive a 50% credit off the original amount you already invested in the other
products toward any Cenzic solution up to $20,000. If we don’t, you’ll receive
a free Cenzic solution. Either way you’ll win by achieving real application
security with Cenzic’s premium coverage. For 20/20 vision into your application
security, simply complete this form now!
2. SANS: New exam program about more secure code
SANS announced a new exam program designed to ensure that programmers practice
secure coding techniques. Billed as the first of its kind to test for secure
coding skills, the program will also offer the option of gaining GIAC Secure
Software Program status. The Institute’s research director said that exams are
necessary because programmers are not traditionally taught secure coding. As
criminals increasingly target vulnerable applications, secure coding skills
have grown in demand. The program will offer four examinations, each covering a
specific language.
3. Web 2.0 Apps: A Pandora’s Box of Risk
Hosted collaboration tools such as Google Apps, ThinkFree Office, and others
are growing in popularity as alternatives to MS Office. Such
software-as-a-service tools, however, have few, if any, security guarantees.
Although these tools are faster and easier to use, little thought is given to
their reliability or security risks. A Gartner analyst warns that there is no
guarantee of security on the back-end servers where sensitive data might reside.
4. Tight Budgets, Small Staffs Hinder Penetration Tests
A recent study by the consulting firm BT INS has found that although ninety-five
percent of IT managers believe their networks will be hacked this year, limited
resources keep many from testing their networks for vulnerabilities. If tests
are done, they are conducted irregularly. Also, managers’ perceptions of the
value of penetration testing have dropped since 2005. Security professionals
are urged to emphasize to management the business consequences of a breach or
break-in.
5. Most websites are open to attack
According to a Forrester Research study, most enterprises are not aware that
traditional network firewalls cannot protect against application-layer attacks.
This lack of awareness can prove harmful since web applications are prone to
weaknesses. The study points out that awareness of web application threats may
grow as businesses come into compliance with Payment Card Industry Standards
where web application firewalls are one of two options required to protect
against web application attacks.
6. The cost of data breaches: Looking at the hard numbers
Khalid Kark
The financial fallout from data breaches has been estimated at anywhere from
$167,000 to $4.8 million per breach. A recent Forrester survey found that 25%
of respondents either do not know or do not know how to determine the cost of a
breach. One analyst looks at how businesses are impacted along with associated
costs down to the individual cost per customer.