Adds Many New Critical Attacks like ClickJacking to its Testing Suite
Santa Clara, Calif. – April 8, 2009—Cenzic, the leading provider of Web application security vulnerability assessment and risk management solutions, today announced an update to its SaaS offering, Cenzic ClickToSecure® 5.9, with several new features including the ability for customers to conduct their own retests. In addition, Cenzic is adding five major updates to its SmartAttack™ Library, furthering its efforts to identify and remediate today’s latest vulnerabilities.
“New threats from hackers are relentless and it is imperative that the latest and most innovative solutions are used to prevent these attacks,” said John Weinschenk, Cenzic president and CEO. “Cenzic’s patented technology, the only Web application security technology cross-licensed with the other two big security players, is unique across the industry. Our solutions offer the ultimate flexibility, with both software and Software as a Service (SaaS) solutions in managing Web application risk, as IT resources and security knowledge are ever-changing. Many customers are using a hybrid approach of Software and SaaS, which is a unique model offered only by Cenzic.”
The new retest functionality of Cenzic ClickToSecure gives customers the ability to retest their applications after implementing changes to address vulnerabilities identified in the original remote assessment conducted by Cenzic’s security experts. This means customers can run a test at any time of day and as often as they like without incurring additional fees, while ensuring the highest level of vulnerability assessment. The new release also includes other enhancements such as assessment monitoring for increased visibility, allowing users to see the details of an assessment as it is occurring.
“One of the most significant trends in application security testing is the move towards adoption of SaaS for Web application security,” said Neil MacDonald, VP and Gartner Fellow. “Even companies that typically buy software are supplementing purchased software with SaaS in a hybrid model to accelerate their application security testing program. This is especially critical as organizations begin implementing their Web application security strategy and have a large backlog of untested applications to work through.”
“Cenzic’s SaaS/Managed Service offerings are excellent options for companies to consider for their Web application security assessment needs,” said Mike Montecillo, security and risk management analyst for Enterprise Management Associates. “These offerings allow for companies to seamlessly integrate application security capabilities into their environments. Furthermore, Cenzic offers complementary solutions to meet a company’s needs should they change.”
“After reviewing three of the leading Web application security products, we determined that Cenzic was the most comprehensive solution over the other SaaS and software models. The fact that Cenzic has both a software and a SaaS model allows for flexibility in the future,” said Genady Vishnevetsky, director of IT operations and security at Paymetric. “The Cenzic solution adds a value proposition to our security framework, ensuring that our application meets new security standards and prevents the potential code exploits.”
In line with its commitment to update its attack library with innovative tests on a continuous basis, Cenzic is also adding a number of critical attacks to its SmartAttack Library, which will allow customers to stay ahead of the curve against hackers. The automated attacks simulate a hacker trying to compromise a customer’s application. These attacks are available to both SaaS and Software customers as they are updated automatically. Some of the critical SmartAttack updates include:
Clickjacking
Clickjacking involves an attacker embedding a page from a vulnerable Web application, as a hidden or transparent iframe, inside a page from the attacker that is designed to mislead a victim. The page from the attacker is designed to motivate the user to click on a location.
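The defence against the embedding described above is a response header that tells the browser which origins may frame the page. The following Python is an added example, not Cenzic's code or part of the SmartAttack library: it classifies a response's framing policy from its X-Frame-Options header and its Content-Security-Policy frame-ancestors directive, the check a defender would run over a site's responses to find pages that any third-party site could frame. The sample responses are constructed.

```python
"""
Added example, not Cenzic's code: classify whether an HTTP response may be
embedded in a third-party frame, the condition that makes clickjacking
possible. Inspects X-Frame-Options and the Content-Security-Policy
frame-ancestors directive; the sample responses below are constructed.
"""
from typing import Dict, List, Optional


def frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None


def framing_policy(headers: Dict[str, str]) -> str:
    """
    Classify the framing policy of a response:
      'denied'       no origin may frame the page
      'restricted'   only the same origin or a listed allowlist may frame it
      'unrestricted' any origin may frame it, so clickjacking is possible
    When a CSP frame-ancestors directive is present, browsers ignore
    X-Frame-Options, so the directive is evaluated first.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    ancestors = frame_ancestors(lower.get("content-security-policy", ""))
    if ancestors is not None:
        if not ancestors or ancestors == ["none"]:
            return "denied"          # empty list or 'none' matches no ancestor
        if any(src in ("*", "http:", "https:") for src in ancestors):
            return "unrestricted"    # wildcard or scheme-only source admits any host
        return "restricted"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "denied"
    if xfo == "SAMEORIGIN" or xfo.startswith("ALLOW-FROM"):
        return "restricted"
    return "unrestricted"            # no policy at all


# Constructed sample responses: (description, headers)
SAMPLES = [
    ("no framing headers", {"Content-Type": "text/html"}),
    ("XFO deny", {"X-Frame-Options": "DENY"}),
    ("CSP allowlist", {"Content-Security-Policy":
                       "default-src 'self'; frame-ancestors 'self' https://partner.example"}),
    ("CSP wildcard overrides XFO", {"X-Frame-Options": "DENY",
                                    "Content-Security-Policy": "frame-ancestors *"}),
]


def report(samples=SAMPLES) -> Dict[str, str]:
    """Map each sample description to its framing classification."""
    return {name: framing_policy(h) for name, h in samples}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name}: {verdict}")
```

Pages that come back `unrestricted` are the ones an attacker's page could load in a transparent iframe; the fix is to send `X-Frame-Options: DENY` (or `SAMEORIGIN`) and, for browsers that support it, `Content-Security-Policy: frame-ancestors 'none'` or an explicit allowlist.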
JavaScript Hijacking
JavaScript Hijacking is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf.
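A JSON endpoint is exposed to this attack when a page on another site can load it with a plain `<script src=...>` tag and the victim's browser attaches the session cookie. The Python below is an added example, not Cenzic's code: it shows the two server-side controls that break that path, a request check based on the Fetch Metadata (`Sec-Fetch-Dest`, `Sec-Fetch-Site`) and `X-Requested-With` headers, and a response prefix that makes the JSON a syntax error when evaluated as a script. The request headers used as samples are constructed.

```python
"""
Added example, not Cenzic's code: server-side hardening of a JSON endpoint
against JavaScript Hijacking. The header names are real; the sample requests
are constructed for this example.
"""
import json
from typing import Any, Dict, Tuple

ANTI_HIJACK_PREFIX = ")]}',\n"   # not valid JavaScript, so a <script> include throws


def json_request_allowed(headers: Dict[str, str]) -> bool:
    """Accept only requests that a same-site script client can make."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    # Fetch Metadata: a <script> element load arrives with Sec-Fetch-Dest: script,
    # and any request initiated by another site carries Sec-Fetch-Site: cross-site.
    if h.get("sec-fetch-dest") == "script":
        return False
    if h.get("sec-fetch-site") == "cross-site":
        return False
    # Browsers without Fetch Metadata: require a custom header, which a <script>
    # tag cannot add and cross-origin XHR cannot send without CORS consent.
    if "sec-fetch-dest" not in h and h.get("x-requested-with") != "xmlhttprequest":
        return False
    return True


def render_json(payload: Any) -> str:
    """Serialize with the anti-hijacking prefix; the real client strips it."""
    return ANTI_HIJACK_PREFIX + json.dumps(payload)


def parse_json(body: str) -> Any:
    """Client side: remove the prefix, then parse. Refuse bodies that lack it."""
    if not body.startswith(ANTI_HIJACK_PREFIX):
        raise ValueError("missing anti-hijacking prefix")
    return json.loads(body[len(ANTI_HIJACK_PREFIX):])


def handle(headers: Dict[str, str], payload: Any) -> Tuple[int, str]:
    """Minimal handler: status code and body for a request for `payload`."""
    if not json_request_allowed(headers):
        return 403, render_json({"error": "forbidden"})
    return 200, render_json(payload)


if __name__ == "__main__":
    # Constructed sample: a cross-site <script src="https://bank.example/api/accounts"> load
    print(handle({"Sec-Fetch-Dest": "script", "Sec-Fetch-Site": "cross-site"}, {"balance": 1}))
    # Constructed sample: the application's own XHR call
    print(handle({"Sec-Fetch-Dest": "empty", "Sec-Fetch-Site": "same-origin"}, {"balance": 1}))
```

The prefix alone only protects data that would be readable as a script; the request check is what stops the endpoint from answering a cross-site load at all, which is why both are used together.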
Frame Injection
Frame Injection occurs if a URL specified in a parameter is used as a source of frame or iframe for a particular page. If the application does not properly validate this parameter, the attacker can inject a URL of his own choice and the application will blindly load the attacker’s page within a frame.
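The control for this is to treat the parameter as untrusted and only ever frame URLs that pass an allowlist. The Python below is an added example, not Cenzic's code: `ALLOWED_FRAME_HOSTS`, the `safe_frame_src` and `frame_html` helpers and the sample inputs are all assumed for the illustration. It rejects non-https schemes (so `javascript:`, `data:` and scheme-relative `//host` values never reach the frame), compares the parsed hostname against the allowlist, and HTML-escapes the value on output.

```python
"""
Added example, not Cenzic's code: validate a request parameter before using it
as the src of a frame or iframe. The allowlist and sample inputs are assumed.
"""
import html
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Hosts the application is willing to frame (assumed for this example).
ALLOWED_FRAME_HOSTS = {"docs.example.com", "help.example.com"}


def safe_frame_src(param: str) -> Optional[str]:
    """Return a canonical https URL on an allowlisted host, or None to reject."""
    try:
        parts = urlsplit(param.strip())
        host = (parts.hostname or "").lower()   # drops any user:pass@ prefix and port
        port = parts.port                       # raises ValueError on a non-numeric port
    except ValueError:
        return None
    # Only absolute https URLs: javascript:, data:, http: and scheme-relative
    # "//attacker.example" forms all fail this test.
    if parts.scheme.lower() != "https":
        return None
    # "https://docs.example.com@evil.example/" parses with hostname "evil.example",
    # so the allowlist comparison already rejects it; credentials are refused anyway.
    if host not in ALLOWED_FRAME_HOSTS or port not in (None, 443):
        return None
    if parts.username is not None or parts.password is not None:
        return None
    # Rebuild the URL from validated parts; the fragment is dropped.
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


def frame_html(param: str, fallback: str = "https://docs.example.com/") -> str:
    """Render the iframe tag, substituting a fixed page when the parameter is rejected."""
    src = safe_frame_src(param) or fallback
    return f'<iframe src="{html.escape(src, quote=True)}"></iframe>'


if __name__ == "__main__":
    # Constructed sample parameter values
    for value in ["https://docs.example.com/guide?x=1", "//attacker.example/",
                  "javascript:alert(1)", "https://docs.example.com.attacker.example/"]:
        print(repr(value), "->", safe_frame_src(value))
```

Comparing the parsed hostname, rather than checking that the string "starts with" or "contains" the trusted domain, is the point of the example: prefix checks are defeated by hosts such as `docs.example.com.attacker.example` and by user-info tricks.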
LDAP Injection
The LDAP Injection technique is used by an attacker to extract sensitive information or gain unauthorized access to proprietary data. The attacker can systematically discover the LDAP query structure by injecting specially crafted LDAP search filter characters. Once the query structure is determined, the attacker can generate further attacks to access sensitive information by injecting valid search filters.
LDAP Exception
Error messages often give an attacker useful information about how an application interacts with back-end components, and can reveal potential vulnerabilities within the application itself. It is common for intruders to manipulate application input parameters in order to elicit application exceptions. An attacker can reverse engineer the structure of the LDAP query with the help of these application exception messages.
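Both LDAP items above come down to the same two controls: the query must be built so that user input can only ever be data, never filter syntax, and directory errors must be logged on the server rather than returned to the client. The Python below is an added example, not Cenzic's code: it shows a concatenated filter beside its hardened form using RFC 4515 escaping, and an `authenticate` wrapper that maps any directory exception to a generic message. The `search` callable, the `failing_directory` stand-in and the sample inputs are assumed; no real directory is contacted.

```python
"""
Added example, not Cenzic's code: build an LDAP search filter from user input
with RFC 4515 escaping (hardened form beside the vulnerable one), and wrap the
directory call so that exception details are logged but never echoed to the
client. The search callables and sample inputs are assumed.
"""
import logging
from typing import Any, Callable, Tuple

log = logging.getLogger("ldap-auth")


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))   # e.g. '*' -> '\2a', '(' -> '\28'
        else:
            out.append(ch)
    return "".join(out)


def vulnerable_login_filter(user: str, password: str) -> str:
    """String concatenation: filter metacharacters in the input alter the query."""
    return f"(&(uid={user})(userPassword={password}))"


def hardened_login_filter(user: str, password: str) -> str:
    """Every input character is data; the filter structure cannot change."""
    return (f"(&(uid={escape_filter_value(user)})"
            f"(userPassword={escape_filter_value(password)}))")


def authenticate(search: Callable[[str], Any], user: str, password: str) -> Tuple[bool, str]:
    """Run the hardened filter; map any directory error to one generic message."""
    try:
        result = search(hardened_login_filter(user, password))
    except Exception as exc:  # the exception text describes the query; keep it server-side
        log.error("directory query failed: %r", exc)
        return False, "Authentication failed"
    return bool(result), ("OK" if result else "Authentication failed")


def failing_directory(_filter: str) -> Any:
    """Constructed stand-in for a directory that rejects the query with a detailed error."""
    raise RuntimeError("filter syntax error near '(uid='")


if __name__ == "__main__":
    sample = "a*b"   # constructed input containing a filter metacharacter
    print(vulnerable_login_filter(sample, "x"))
    print(hardened_login_filter(sample, "x"))
    print(authenticate(failing_directory, sample, "x"))
```

The `authenticate` wrapper is the response to the LDAP Exception item: the scanner's probe elicits an error from the directory, but the client sees only `Authentication failed`, while the full exception text, useful for debugging, lands in the server log.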
About Cenzic
Cenzic is the next-generation Web application security assessment and risk management solutions leader. The Cenzic suite of application security solutions fits the need of any company from remote, Software as a Service (ClickToSecure®), for testing one or more applications, to a full enterprise-wide solution (Cenzic Hailstorm® Enterprise ARC) for effectively managing application security risks across an enterprise. Always an innovator, Cenzic has integrated Hailstorm with VMware to enable testing of production Web applications through virtualization—making Cenzic the only company in the industry with a complete solution for assessing Web applications in all stages from development to production. In addition, Cenzic solutions, targeted at financial services, e-retail, high-tech, energy, healthcare and government sectors, are the most accurate, comprehensive and extensible in the industry, empowering organizations to stay on top of unrelenting application security threats.