SC Magazine 2010 Awards Winners


This week, the winners of the 2010 SC Awards U.S. were announced in San Francisco. I am very happy to see that I work with the winning vendor in almost all of the categories I specialize in.

Without further ado, here is the complete list:

Best computer forensics solution

Winner: Guidance Software for EnCase Forensic

Finalists 2010

  • ArcSight for ArcSight Logger
  • Guidance Software for EnCase Forensic
  • NetWitness for NetWitness NextGen 9.0
  • Quest Software for Quest ChangeAuditor
  • Solera Networks for Solera DS Network Forensics Appliances


Best SIM/SIEM solution

Winner: ArcSight for ArcSight Enterprise Security Manager (ESM)

Finalists 2010

  • Alert Logic for Log Manager
  • ArcSight for ArcSight Enterprise Security Manager (ESM)
  • IBM for Tivoli Security Information and Event Manager
  • Q1 Labs for QRadar SIEM
  • RSA Security for RSA enVision Platform
  • Tenable Network Security for Tenable's Security Center 3.4 with Log Correlation Engine 3.2
  • TriGeo Network Security for TriGeo SIM


Best vulnerability management solution

Winner: Qualys for QualysGuard

Finalists 2010

  • Core Security Technologies for CORE IMPACT Pro
  • eEye Digital Security for Retina Network Security Scanner
  • Microsoft Corp. for Forefront Threat Management Gateway
  • Qualys for QualysGuard
  • Tenable Network Security for Tenable Security Center 3.4 with Nessus 4.0, Log Correlation Engine (LCE) 3.2 and Passive Vulnerability Scanner (PVS) 3.0
  • TippingPoint Technologies for TippingPoint Intrusion Prevention System (IPS)


Best web application security solution

Winner: F5 Networks for BIG-IP Application Security Manager

Finalists 2010

  • Barracuda Networks for Barracuda Web Application Firewall
  • Breach Security for WebDefend
  • F5 Networks for BIG-IP Application Security Manager
  • TippingPoint Technologies for TippingPoint's Intrusion Prevention System (IPS)
  • VeriSign for VeriSign Extended Validation (EV) Secure Sockets Layer (SSL) Certificates
  • WhiteHat Security for WhiteHat Sentinel


Read the complete list of winners here. I only wish there were an additional category named "Database Security" so I could see Imperva listed as well :)

Qualys Unveils 3 New Services – Some Are FREE!

For the past month I lost contact with the infosec world, and I was quite surprised today to discover three new services offered by Qualys:

QualysGuard Malware Detection - A free service for everyone
By scanning the code of public web applications and websites, Qualys is able to detect malware code snippets and, most importantly, it can raise alerts when malicious code is found.

Qualys FreeScan - A free vulnerability scanner tool
Think of it as a complete QualysGuard scan for one single IP. It's a good way to try before you buy, and a sample report is provided.

Qualys GOSECURE - A security seal which confirms that a certain website is maintaining a rigorous and proactive security program.
This service takes a composite approach and performs an extensive scan of a website, including perimeter vulnerability scanning, specific web application vulnerability scanning, malware detection and SSL certificate validation. If everything is OK, Qualys issues a badge which certifies the website's security.

I wish them luck with the new service range, and hopefully efforts like this will reduce the online threats posed by infected websites!

OWASP Broken Web Applications – Excellent Learning Tool

Many times, learning and practicing ethical hacking is difficult because it requires a bit of background work setting up a proper lab, installing all the required software versions, etc. But things have changed, and I'm very happy to share with you what I've just discovered: the OWASP Broken Web Applications Project, which aims to provide a complete testing environment packed in a self-contained VMware machine.

The nice folks at owaspbwa have managed to set up quite a few web platforms and applications so that we, the users, can skip the tedious setup part and jump right into web security hacking. I will quote the developers about the contents of this VMware machine:

This VM has two web servers running. One Apache server on port 80 and one Tomcat server on port 8080. The following vulnerable web applications are running on the VM (listed in no particular order).

Intentionally Vulnerable Applications:

  • OWASP WebGoat version 5.3-SNAPSHOT (Java, use username=guest, password=guest, home page)
  • OWASP Vicnum (Perl, home page)
  • Mutillidae version 1.3 (PHP, home page)
  • Damn Vulnerable Web Application version 1.06 (PHP, use username=admin, password=password, home page)
  • OWASP CSRFGuard Test Application version 2.2 (Java, home page)
  • Mandiant Struts Forms (Java/Struts)
  • Simple ASP.NET Forms (ASP.NET/C#)
  • Simple Form with DOM Cross Site Scripting (HTML/JavaScript)

Old Versions of Real Applications:

  • WordPress version 2.0.0 (PHP, released December 31, 2005, home page)
  • phpBB version 2.0.0 (PHP, released April 4, 2002, home page)
  • Yazd version 1.0 (Java, released February 20, 2002, home page)

You can find out all about this wonderful project on the owaspbwa Google Code page. Thanks to all who developed it!

GFI WebMonitor 2009 Review

Note: This is not a sponsored review.

Recently, GFI released the latest version of their award-winning web monitoring and filtering solution, GFI WebMonitor 2009.

With this new release, GFI is taking a step further towards the large-enterprise security market, and the feature I find most innovative is the optional ability to run the software on any Windows server or workstation without requiring a pre-existing ISA Server. Of course, the ISA plugin edition is also available, as it has always been.

In my opinion, the next logical step would be providing a dedicated appliance based on a hardened Windows Server, as I encounter more and more corporate customers who would prefer an appliance instead of software delivery.

Enough with introduction, let's take a look under the bonnet:

1. Installation
I downloaded the 30-day full edition, available here, and one of the first decisions that needs to be made is the deployment model.

GFI WebMonitor can be installed as a proxy (default option), or one can choose the Gateway mode, which will intercept all HTTP/S traffic through the network. It's not clear to me (and I did browse the documentation) whether the Gateway mode requires changes in the IP addressing or whether the server is placed inline, capturing all traffic at layer 2. If you are a GFI tech, please leave a comment on this blog post clearing up this issue. Thanks!

2. Monitoring / Management  Console
The GFI WebMonitor console presents at a glance the most important real-time statistics about the inspected traffic and the policies which are applied.

GFI WebMonitor Console

Using explicit dashboards and graphs, the administrator can very easily see details about:

  • Total bandwidth consumed
  • Anti Virus and Anti Phishing statistics
  • Bandwidth usage trends 
  • Top blocked web categories
  • Top web categories hits 
  • Last Blocked Security Threats

3. Configuration
Defining and enforcing content filtering policies is split into several sections for maximum flexibility. For instance, one can define very strict virus, spyware and phishing policies and a more relaxed policy for URL filtering, instant messaging and allowed downloads. I chose to define and impose strict policies for all actions, just to play the role of the modern-day corporate employee :), confined by rules and regulations.

I would like to mention that policy enforcement is granular and, because not all people are equal, different users or IPs can be subject to different policies, with exceptions defined within one policy. Sweet!

Speaking of users, GFI WebMonitor proxy supports basic authentication or integrated NTLM authentication.

4. User Experience
There are several ways to enforce the GFI WebMonitor proxy settings:
- manual / automatic browser configuration through GPOs
- publishing the IP of the GFI WebMonitor proxy in WPAD
- transparent proxy redirection
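The WPAD option above works by publishing a proxy auto-config (PAC) script that browsers fetch and evaluate for every request. The following PAC file is an added example written for this post, not GFI's own file or anything shipped with WebMonitor; the proxy address 10.0.0.5:8080 and the internal domain .corp.example are placeholders. It sends HTTP and HTTPS to the filtering proxy while leaving intranet hosts and non-web protocols direct, which is the usual shape of such a script.

```javascript
// Added example: a proxy auto-config (PAC) script of the kind WPAD publishes.
// Not GFI's own file. Assumed values: the filtering proxy listens at
// 10.0.0.5:8080 (placeholder) and the internal domain is .corp.example.
var FILTER_PROXY = "PROXY 10.0.0.5:8080";
var DIRECT = "DIRECT";

// Browsers supply isPlainHostName/dnsDomainIs as PAC built-ins; they are
// re-implemented here so the same file also runs under Node for testing.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// Entry point every PAC-aware client calls: returns the proxy directive
// for one URL/host pair.
function FindProxyForURL(url, host) {
  // Intranet traffic stays direct: unqualified names and the internal domain.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return DIRECT;
  }
  // Only HTTP and HTTPS are routed through the content-filtering proxy;
  // everything else (e.g. ftp:) goes direct so the proxy never sees it.
  if (url.substring(0, 5) === "http:" || url.substring(0, 6) === "https:") {
    return FILTER_PROXY;
  }
  return DIRECT;
}
```

Serve the file as http://wpad.yourdomain/wpad.dat with the MIME type application/x-ns-proxy-autoconfig so clients that auto-detect settings pick it up. Two practical points: clients trust whatever host the wpad name resolves to, so keep that DNS record (and the web server behind it) under your own control; and a PAC only steers software that honors it, which is why the transparent redirection option listed above remains the way to cover clients that ignore browser proxy settings.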

Either way, the end user experience is not affected at all, and 10 minutes after I set up my browser I had already forgotten that I was using a content filtering service. I tried to break the policies by browsing inappropriate websites (adult), downloading games (spyware) and clicking several phishing links I found on PhishTank.

Each and every time I tried these actions I was blocked and, in the real world, an email could have been sent to the security / HR departments. Scary!

Here are a few screenshots of the user side of the action:

GFI WebMonitor blocking phishing

Anti-Phishing Blocking

GFI WebMonitor AntiVirus

Virus Blocking 

Web Policy Violation

Spyware Blocking

Here are a few reports (PDF) which I ran using the GFI WebMonitor Report Pack:

5. Conclusion
GFI WebMonitor 2009 proves to be a very effective security control which protects the largest threat vector in use today: web browsing. Its effectiveness is shown by the short time and small administrative overhead needed for planning, deployment and maintenance while achieving high quality results. As said, I think that a GFI WebMonitor appliance would complete the picture :)

One of the core values of GFI has always been the business common sense and ethics which stand behind the "We Care" campaign. You can download a free copy of GFI WebMonitor or you can buy the full version.

It's good value for the money and, by taking your mind off web content security, it will leave you more time and resources for productivity, creativity or daydreaming & fun.
