Scanners: New Nessus Release; New eEye Web Scanner

This must be the new scanners post. Tenable released version 3.2.0 of its popular Nessus vulnerability scanner, and eEye has entered the web application scanner arena by releasing the Retina Web App Scanner.

Tenable Network Security announced the availability of the new Nessus 3.2.0. This release sure looks promising because it brings quite a few new or improved features. It’s refreshing to see a software release that is not "security-bug-fixing" driven:

This new major release contains several improvements, including:

  • IPv6 support
  • Improved control of network bandwidth usage during scanning
  • Granular access to control rules to limit users to specific ports and audits
  • Improved WMI support
  • Full support for the new .nessus file format

The new Retina Web Security Scanner is not exactly a new security tool, since it’s a custom version of NT OBJECTives’ NTOSpider web app vulnerability scanner, integrated with eEye’s management console, REM.

This release is just one phase of eEye’s plans for the web scanner. Web security spells big business for eEye, which intends to release an appliance-based version of this new scanner, says Morey Haber, vice president of product management at eEye.

If you enjoyed this post, make sure you subscribe to my RSS feed!

Good News from ArcSight and Imperva

Today ArcSight announced that T-Mobile has chosen ArcSight ESM for Security Information and Event Management (SIEM), and Imperva SecureSphere Web Application Firewall won Information Security Magazine’s "strongest overall offering for application and database security". Sweet!

1st sweet news: I’m very happy to hear that ArcSight closed the T-Mobile deal, because I hope that more and more big industry players will adopt and support ArcSight’s technical innovations. I’m particularly keen to see widespread adoption of the Common Event Format (CEF) promoted by ArcSight:

The Common Event Format (CEF) is an open log management standard that improves the interoperability of security-related information from different security and network devices and applications.

Once CEF becomes the de facto log management standard, I’m sure we will be able to aggregate and correlate events generated by any CEF-compliant source.
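To show what a "CEF-compliant source" actually emits, here is a small CEF parser added as an example (it is not ArcSight’s code). It honours the format’s escaping rules for the pipe-separated header and the key=value extension; the sample event borrows the Imperva SecureSphere name from this post, but every value in it is invented.

```python
"""Parse ArcSight Common Event Format (CEF) lines; added example, not ArcSight code.
Header: 'CEF:' + 7 '|'-separated fields ('\|', '\\' escapes). Extension:
space-separated key=value pairs ('\=', '\\', '\n', '\r' escapes)."""
import re

_FIELD = r"((?:[^|\\]|\\.)*)\|"                 # one header field incl. escapes
HEADER_RE = re.compile(r"^CEF:" + _FIELD * 7)
HEADER_FIELDS = ("version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)           # '\|' -> '|', '\\' -> '\'

# constructed sample event: vendor/product from the post, all values invented
SAMPLE = (r"CEF:0|Imperva|SecureSphere|8.0|SQLi|SQL Injection \| blocked|8|"
          r"src=10.0.0.5 dst=10.0.0.9 request=GET /login?user\=a\\b act=block")

def parse_extension(ext):
    """Turn 'k1=v1 k2=v 2 ...' into a dict; values may contain spaces."""
    pairs, key, buf, i, n = {}, None, [], 0, len(ext)
    while i < n:
        ch = ext[i]
        if ch == "\\" and i + 1 < n:            # escaped character
            buf.append({"n": "\n", "r": "\r"}.get(ext[i + 1], ext[i + 1]))
            i += 2
            continue
        if ch == "=":                           # unescaped '=' closes a key
            head, _, new_key = "".join(buf).rpartition(" ")
            if key is not None:                 # head is the previous value
                pairs[key] = head.rstrip()
            key, buf = new_key, []
        else:
            buf.append(ch)
        i += 1
    if key is not None:
        pairs[key] = "".join(buf).rstrip()
    return pairs

def parse_cef(line):
    """Return the 7 header fields plus the parsed extension of one line."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("malformed CEF header")
    event = dict(zip(HEADER_FIELDS, map(_unescape, m.groups())))
    event["extension"] = parse_extension(line[m.end():])
    return event
```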

2nd sweet news: I love Imperva’s SecureSphere Web Application and Database Firewall, and it’s great to know that Information Security Magazine named it “the strongest overall offering for application and database security”. I still think Imperva is one of the most accurate web security controls, and it’s good to see some public recognition for all the hard work!


CCTV Security Camera and Surveillance Equipment

When I started this blog, I wanted to offer free insights and reviews of various security tools which could help in mitigating various security risks. I still do, but I’ve realized that technology is not enough. People are still the weakest link in the chain of custody of information assets.

A few weeks ago I met a UK security consultant who told me the latest cover-your-ass employee excuse for having too many beers at the local pub and losing a PDA or laptop stuffed with valuable information: "My laptop was stolen from my desk!"

It’s a nice story and it holds up most of the time. But there is a very simple way to prevent such incidents, and I’m not talking about a beer ban in pubs :)

I’m talking about CCTV security cameras and surveillance equipment, which can easily be deployed as PC-based DVR camera systems or standalone DVR appliances.

Whether presented as an exterior wireless camera or a hidden wireless camera, a modern CCTV security system must include highly efficient H.264 video encoding, motion detection, email notification, digital watermarking and remote management.

One example of such a system is the sponsor of this post, the DiGiCam DVR 120 FPS system by 123 CCTV Security Camera Surveillance Equipment.

I have not used the system yet, but if I were going to build a CCTV security system I would definitely get in contact with 123 CCTV Security Camera Surveillance Equipment.


OpenDNS Offers Free Web Content Filtering

On May 5 2007 I wrote about OpenDNS’ initiative to offer web content filtering for the masses. At that time I thought the service would be offered for a fee, but to my complete surprise, David Ulevitch has decided to turn this project into a community effort.

Hundreds of thousands of websites have been manually tagged by volunteers and the result is given back to the public domain in the form of free web content filtering.

Deploying the system is straightforward:

  1.  Use OpenDNS’ servers for DNS resolution
  2.  Create a free account
  3.  Add a network to the account (Yes, dynamically assigned IP addresses are supported too!)
  4.  Pick the web categories you want to filter out - there are more than 30 categories!
  5.  Turn on content filtering
  6.  All done. Wait 3 minutes and test.

I would definitely recommend this project to anybody looking for a way to control web access. The first thing that comes to mind is keeping kids safe online. However, I’m sure it’s hard to practice what you preach, so if you use this system to protect your child, remember to "turn off" the OpenDNS resolver whenever you want to browse the web :) .

Nevertheless, a great tool indeed!


Can I Evade ScanSafe Anywhere+ ?

ScanSafe just launched Anywhere+, a very cool web security service intended to provide web content security for roaming users.

Well, securing the laptops used by sales or marketing staff *outside the company’s premises* has always been a pain in the behind :) and I’m afraid this will not change overnight.

However, I find ScanSafe’s approach interesting and it might just work this time… but how does it work? Is it a proxy setting? Is it a VPN connection? Is it a browser plugin? I didn’t know, so I had to find out: I applied for a trial account and I hope to get to the bottom of this issue soon.

Sure, the marketing presentation looks nice, and so does the explanatory text:

  • Authenticates and directs your external client Web traffic to our scanning infrastructure. 
  • Numerous datacenters are located all over the world from Sydney to San Francisco ensuring that your employees are never too far from our in-the-cloud scanning services.
  • SSL-encryption of all Web traffic flowing to us improves security over public networks

So, I’m guessing that Anywhere+ alters the browser itself, and no matter how you get on the Internet, web requests will be redirected to ScanSafe’s data centers, where the response is checked for web malware.

This raises a few questions on the adoption of this technology:

  • Users’ online privacy could be questioned – lots of authentication pages don’t use SSL
  • If this technology is browser dependent (my money is on Internet Explorer), what would prevent a smart a$$ user from using a different browser, such as a portable app?

I wish ScanSafe Anywhere+ the best of luck, because the service is much needed and its distributed architecture looks promising. And guys, please don’t forget my application for a trial version :)

UPDATE:

I got an email from Spencer Parker, Director of Product Management at ScanSafe, and here are some clarifications:

1. The software works at the protocol level, not application level. This means it works with any application that uses the HTTP or HTTPS protocols. This means if users go ahead and install another browser to bypass corporate proxy settings (which a lot do!) then the Anywhere+ driver still redirects the protocols correctly to the closest ScanSafe scanning tower.

2. We use an SSL tunnel to get all HTTP and HTTPS traffic to the scanning tower. It does this to add an extra level of security to the application (stop people sniffing your traffic at wireless hotspots etc) and for other reasons as well.

I’m still waiting for my trial account :)


Googlehacks and Anti-Googlehacks

Today I found 2 resources connected to the good old Google Hacking Database:

  1. Googlehacks, a dedicated application for Windows / Linux / Mac that lets you easily run specialized Google queries (a.k.a. googledorks). I would say it’s a "must" inclusion in "Web Hacking for Dummies".
  2. Google Hack Honeypot, a set of PHP scripts used to detect any Google hacking attempts targeting your site. Well, it might be one of your friends using the tool described at #1 above :)

I find the Google Hack Honeypot particularly interesting because I think it could be used as an IDS-like PHP class / module to identify who’s pulling intelligence reports on your website.
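The detection idea behind such a module, written out as an added example (this is not Google Hack Honeypot code): visitors who arrive from a Google search whose query uses the advanced operators that make up most GHDB entries (inurl:, intitle:, filetype:, ...) are flagged from the Referer field of ordinary Apache combined-format log lines. The log lines and addresses below are constructed.

```python
"""Flag web-server hits whose Google referer carries the advanced search
operators that make up most Google Hacking Database entries (googledorks).
Added example in the spirit of the Google Hack Honeypot, not GHH code;
reads Apache 'combined' log lines. Sample lines are constructed."""
import re
from urllib.parse import urlsplit, parse_qs

DORK_OPERATORS = ("inurl:", "allinurl:", "intitle:", "allintitle:",
                  "intext:", "filetype:", "ext:", "site:", "cache:")

# Apache combined log: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

SAMPLE_LOG = [  # constructed; RFC 5737 documentation addresses
    '203.0.113.7 - - [10/Mar/2008:10:00:01 +0000] "GET /admin/config.php HTTP/1.1" '
    '200 512 "http://www.google.com/search?q=inurl:admin+filetype:php'
    '+intitle:%22index+of%22" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Mar/2008:10:00:05 +0000] "GET /about.html HTTP/1.1" '
    '200 2048 "http://www.google.co.uk/search?q=security+tools+blog" "Mozilla/5.0"',
    '192.0.2.4 - - [10/Mar/2008:10:00:09 +0000] "GET /index.php HTTP/1.1" '
    '200 1024 "-" "Mozilla/5.0"',
]

def dork_operators(referer):
    """Return the dork operators found in a Google search referer, else []."""
    u = urlsplit(referer)
    if not re.search(r"(^|\.)google\.[a-z.]+$", u.hostname or ""):
        return []                               # not a Google property
    if not u.path.startswith("/search"):
        return []                               # e.g. image or news pages
    query = " ".join(parse_qs(u.query).get("q", [])).lower()
    # operator must start a term, so 'ext:' does not fire on 'intext:'
    return [op for op in DORK_OPERATORS
            if re.search(r"(?:^|\s)[-+]?" + re.escape(op), query)]

def scan_log(lines):
    """Return (client ip, requested path, operators) for dork-driven hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                            # malformed line, skip
        ops = dork_operators(m.group("ref"))
        if ops:
            req = m.group("req").split()
            hits.append((m.group("ip"), req[1] if len(req) > 1 else "-", ops))
    return hits
```

A lone site: operator is weak evidence, since ordinary users type it too; a combination such as inurl: plus filetype: on a sensitive path is what merits an alert.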


Nikto 2 Is Out There

A very short post:

Nikto 2 is out! Finally :) I’m sure most of us have seen the funny message promising a new version real soon; well, it happened, and you can check the huge Changelog here.

Thanks to all the fine folks at CIRT.NET !


USB Security Appliance - YOGGIE Pico

Today I’ve seen the smallest security appliance ever! The YOGGIE Pico Personal Security Server runs off a USB port and provides more than a dozen security features. At first I thought it was a USB drive full of portable applications, but I was wrong. The Yoggie Pico is a real server, with a proper CPU, SDRAM, Flash, operating system, file system and all :) .

No larger than a regular USB thumb drive, Yoggie Pico runs a custom Linux distribution and packs almost all the security functionality you could find in a large corporate network:

  • Adaptive Security Policy™
  • Multi-Layer Security Agent™
  • Layer-8 Security Engine™
  • URL Categorization & Filtering
  • Anti-Spam
  • Anti-Phishing
  • Antispyware
  • Antivirus
  • Transparent Email Proxies (POP3; SMTP)
  • Transparent Web Proxies (HTTP; FTP)
  • Intrusion Detection System / Intrusion Prevention System
  • VPN Client
  • Stateful Inspection Firewall

Awesome tool! You can read about how it works or download the datasheet (PDF) here.


GIAC Secure Software Programmer (GSSP) Certification

Ha! Finally there is an official method to tell the security-minded programmers apart from the rest of the coder crowd. GIAC Secure Software Programmer (GSSP) Certification is a brand new SANS exam designed to test the security knowledge of developers, in an effort to reduce application security vulnerabilities.

It is a fine example of fixing the root cause of software vulnerabilities, and I hope it won’t turn into a paper certification like so many other security certs have over the past years.

There are two tests available, depending on the programming language chosen by the candidate, each with its own exam blueprint.

According to the calendar of events, the first exam sessions will be held on Dec 2 in Orlando, FL and Dec 5 in London, GB.
Good luck to all who are considering taking this exam!


Pixy is a Free PHP Code Audit Tool

I’ve always thought that web applications must be built secure from the start: no matter how many patches are released during an application’s life cycle, secure coding and secure code are the fundamental pillars of a secure web.

Defending a vulnerable web application with a Web Application Firewall should only buy you some time to actually fix the vulnerabilities. I strongly believe that "virtual patching" is just a crap marketing buzzword. Always fix the code!

Just a few days after I found a static .NET XSS code analyzer, today I found a PHP XSS and SQL injection source code analyzer called Pixy.

Download and install Pixy today and please share the experience !

