Web Application Security Newsletter -
August 2007

A MESSAGE FROM THE EDITOR - The number of poisoned Web sites continues to soar. According to a recent study, 30,000 Web pages are now infected daily, up from an estimated 5,000 pages per day earlier this year. The study sheds light on the critical issue of Web hosts and their need and responsibility to secure their servers. These numbers give us all the more reason to learn about building a stronger security program that involves the three key ingredients of people, processes, and technology. This year's Black Hat conference convened in Las Vegas with a kick-off speech by Tony Sager, NSA's Chief of Vulnerability Analysis and Operations Group in the Agency's Information Assurance Directorate. Sager stressed the importance of finding ways to communicate security concerns in plain English and in terms of business problems, across enterprise boundaries. Consumer advocacy groups are fighting the New Zealand Bankers Association Banking Code of Practice. Read about why consumers have come out swinging. Is the new Code on the heavy-handed side or merely a sign of the times, possibly a future model for other financial institutions?

1. Black Hat 2007: NSA official stumps for information sharing

Speech offers a rare glimpse into Agency's vulnerability program
In his recent speech at Black Hat, NSA's Chief of Vulnerability Analysis and Operations Group stressed the importance of communicating security concerns and concepts across all business lines. Tony Sager points out that a long-time challenge for security professionals has been to reach beyond tech talk to all areas of the enterprise, to managers, buyers, and end-users. NSA is walking the talk with methods in place for sharing vulnerability information, reporting, and remediation. The Agency has developed a model of standards and tools to automate vulnerability management and assessment.

2. Make mashups secure

Tips for creating a secure strategy and platform
As lightweight Web applications, mashups can provide both agility and strategic value. Their risks, however, are real and must be understood and avoided. Customer or financial data can be compromised in a few seconds by a rogue mashup. Read about five mashup security strategies along with tips for rolling out a more secure platform.

3. PCI compliance costs often underestimated, study finds

Best-in-class firms find ways to streamline costs
A recent study by the Aberdeen Group found that companies consistently underestimate the cost of compliance. "With respect to PCI compliance, in many cases it costs about 40% more than they estimated," according to the research firm's V.P. and Research Director. Many of the survey's best-in-class organizations have implemented ways to cut costs while achieving compliance with PCI requirements. The study notes that data encryption can be a pricy proposition. Aberdeen projects a rise in the number of qualified security assessors sought over the coming year as well as organizations seeking technology solutions in pursuit of compliance.

4. Poisoned Web sites soar sixfold, Sophos says

Now up to 30,000 infected Web pages daily
According to a recent threat report, the number of infected Web pages has soared since the first of the year, up to a staggering average of 30,000 newly infected pages daily. The report indicates that around 51% of the infected sites are on servers powered by Apache, the open-source Web server software. A recent example includes a series of June attacks that were launched from more than 10,000 legitimate Web sites, most hosted on Italian servers. The report sheds light on a critical issue: Web hosts must take necessary steps to secure their servers.

5. RISK MANAGEMENT STRATEGIES

Five steps to building information risk management frameworks
Strong security requires more than technology

Historical data indicates that most organizations invest a disproportionately high percentage of their security budget on technology; however, technology alone will likely fall short. From understanding and defining your unique risks and responsibilities to implementing a security metrics program, Forrester Research presents steps that all organizations can implement to lessen their business risks.

6. Consumer advocates to fight NZ Banking code

New code makes banking consumers liable for fraud-related losses
Two Internet advocacy groups have come out swinging over the New Zealand Bankers Association Banking Code of Practice. The new Code can hold Internet banking consumers liable for fraud-related losses. The Code's wording is such that consumers whose banking details are stolen could become liable for money stolen before they even notice the transaction. Consumer groups argue that the new Code is far too heavy-handed and places too much responsibility on consumers and too little on the banks.
