
Web Application Security Newsletter - February 2007
A MESSAGE FROM THE EDITOR - This month we feature a blend of tips, tools, news about the fallout from a major data heist, opinions, and more. We again visit OWASP's Top Ten in Part 1 of a series designed to explore how these recommendations can be practically integrated throughout the Software Development Lifecycle. We are pleased to announce that Borland has integrated Cenzic's Hailstorm into their Gauntlet system as a plug-in option to test for security vulnerabilities. Two articles this month address PHP security holes. According to some sources, the popular programming language can be like low-hanging fruit to malicious attackers: its ease of use can make PHP-coded applications equally easy to attack. Also, writer Ira Winkler weighs in on the need for a major shift away from reactive measures to proactive processes for ISPs and others when it comes to the law and computer security.
1. Lock it down: Use the OWASP Top Ten to secure your Web applications - Part 1
As businesses rely increasingly on Web applications, the risk associated with improper coding practices leaves businesses and their customers increasingly vulnerable. This article is the first in a series that will explore OWASP's Top Ten recommendations and how they can be integrated into your Software Development Lifecycle. The OWASP Top Ten has been used by the FTC and others as a guide in determining how organizations can better safeguard customer information. The OWASP Top Ten represents collaboration amongst a large number of service providers and end-users and identifies the most critical Web application security issues that businesses encounter.
2. Borland integrates Cenzic application security tool with Gauntlet
Developers who use Borland's Gauntlet will now have Cenzic's Hailstorm available for application security testing throughout the Software Development Lifecycle. Gauntlet™ is a continuous integration system that improves visibility, software quality and developer productivity by proactively building and testing code, isolating defects, and reporting on key development metrics. Users now have the option of using Hailstorm as a plug-in to automatically test for security vulnerabilities and report issues through the Gauntlet dashboard. To download a 30-day free trial of Gauntlet and a 60-day free trial of Hailstorm, visit Borland's Web site.
3. Watch out for PHP holes
During the first half of 2006, desktop filtering software maker Websense counted a 100 percent increase in Web sites that contained potentially vulnerable code. A large percentage of the sites they tallied were hacked by outsiders. A Network Abuse Manager with popular Web site hosting company GoDaddy.com believes that at least half of the hacks involved poorly written code developed in easy-to-use PHP. Read about why PHP is like low-hanging fruit to attackers and how you can bolster your Web applications.
4. Fraud linked to TJX data heist spreads
Recently giant retailer TJX announced that it had been the target of an unauthorized intrusion into its computer systems that store customer transaction information. Subsequently, fraudulent activity believed to be linked to the TJX data heist is suspected in the United States, Canada, Hong Kong, and Sweden. In Vermont alone, one bank had to reissue cards to 1,600 customers due to the compromise. The cost of cleaning up such a breach is staggering, and much of the cost is now shouldered by the banks. If current legislation is passed, credit card companies will soon be forced to reveal the source of the fraud.
5. Opinion: Four laws Congress needs to pass now to boost computer security
Author Ira Winkler weighs in on what impact, if any, a new Congress majority might have on computer security. He is skeptical and believes the laws ought to stress proactive processes rather than reactive guidelines on how to clean up a breach and its resulting mess. Botnet-related attacks alone result in billions of dollars spent in lost productivity and added costs. Winkler proposes four specific laws that would require proactive computer security measures on the part of ISPs and others.
6. Vulnerability tallies surged in 2006
According to data obtained from four major vulnerability databases, SecurityFocus reports that Web application flaws reported in 2006 surged by more than a third over those reported in 2005. A CERT Coordination Center Team Lead attributes this huge jump in vulnerabilities to easy-to-find flaws in Web applications. Applications written in PHP are singled out, appearing to account for 43 percent of the total vulnerabilities reported in 2006. Another big trend involved previously unknown, or zero-day, flaws being increasingly targeted by active attacks.