Web Application Security Newsletter - October 2006

A MESSAGE FROM THE EDITOR - This month we feature the work of our own CIA team who recently announced the discovery of a vulnerability in Roller, a popular open source blog server that drives thousands of blogs worldwide. Subsequently, the Roller team has delivered a fix and is working with our team to address the vulnerability. Two articles present some compelling findings from Symantec's latest Internet Security Threat Report. For those of us in the Information Security Industry, it is of little surprise that Web application attacks continue to rise with an upward trend in sites that use AJAX development techniques. Another finding brought to light is that deadlines more often win over security for developers facing pressure to beat competitors to market. Finally, a couple of articles address the issue of what is essential to building an authentic security program. The key message here is that security is more than a job position and requires commitment from the top down, awareness, process, implementation, and more.

1. Cenzic Intelligent Analysis Lab Identifies Potentially Threatening Application Vulnerabilities in Blog Technology

CIA team discovers vulnerability in blog application used by millions
The Cenzic Intelligent Analysis Team (CIA) recently discovered a vulnerability in Roller, an open source blog server. Roller is a popular blog server that drives thousands of blogs worldwide, including those used by internal employees at companies such as IBM and Sun. CIA discovered a cross-site scripting vulnerability that can leave end users' browsers vulnerable to attack. Once discovered, CIA immediately notified the Roller team who subsequently provided a fix to the security hole in a new release. Since the discovery, Cenzic has worked with the Roller team in providing counsel and support to address the vulnerability.


2. Web Application Attacks Dominate IT Landscape

Attacks targeting popular Web browsing software are on the rise
Attacks that target popular Web browsing software continue to rise, according to Symantec's latest Internet Security Threat Report. The twice-yearly report highlights a rising number of Web application vulnerabilities, with 69% of all new threats between January and June 2006 targeting flaws in Internet Explorer, Firefox, and other Web applications. In another trend, there are increasing attempts to exploit vulnerabilities in sites that use AJAX development techniques. As AJAX and other Web 2.0 technologies gain in popularity, the findings suggest that cross-site scripting and content injection attacks will rise. Financial services companies were the second most targeted group of users over the first half of 2006, behind only home computer users.


3. Security Tips: RISK MANAGEMENT STRATEGIES
Elements of a security program

A blueprint for building and implementing a security program: ISO 17799
Many organizations might not fully understand what a security program is and what is likely involved in building it. A standard guideline used worldwide is ISO 17799. The document provides a comprehensive guide to building and implementing a security program from organizational policy to compliance. Read about why a top-down approach is essential in driving the success of a security program.


4. CISOs and the false sense of security

Effective security takes more than a job position
A recent poll by a market research firm concluded that organizations with a CISO believe they are more secure than those without one. Author Ira Winkler takes exception to these findings and, in fact, to the survey itself. He challenges such firms to ask the hard questions, such as whether respondent companies have the fundamental components of a good security program in place. What is real security? Is it merely a job position or a technological implementation? Although companies with strong security programs in place are not without incident, their strength lies in detecting weaknesses and responding effectively, in having processes in place and knowing how and when to implement them.


5. Survey: Deadlines win over security in a rout

Beating competitors to market counts most
Deadlines win over security, at least according to Symantec's latest twice-yearly Internet Security Threat Report. When software developers must choose between building security into their products and meeting a deadline, the deadline usually wins. Although most believe that security is a higher priority now than in previous years, only 29% stated that application security was always part of development.


6. FAQ: What you should know now about the latest IE bug

Vulnerability can allow an attacker to take over a machine; here's what you can do
A newly discovered vulnerability in Microsoft IE can allow an attacker to take over a targeted machine, even if all patches are up to date. All versions of IE with support for VML are affected, which includes versions 5 and 6. Also vulnerable are recent versions of Outlook and Outlook Express and all versions and service packs of Windows 2000 and XP. Find out all the details in this comprehensive FAQ.


© Copyright 2008 Cenzic