Watchfire Certified as PCI Security Standards Council Approved Scanning Vendor

Well, this is good news for all the folks in the PCI compliance business. Watchfire has been certified as a PCI scanning vendor. Quoting the press release:

- Watchfire, the market leading provider of web application security software and services, announced today that its AppScan® product has successfully completed the PCI Security Standards Council Approved Scanning Vendors testing process and is validated as compliant with the Payment Card Industry Data Security Standard (PCI DSS). Watchfire is the only web application security testing software vendor to earn PCI certification and can perform PCI scans to help validate the security of its customers’ websites according to the Payment Card Industry Data Security Standard.

I wonder when SPI Dynamics will follow, because I’m a big fan of WebInspect :)

If you enjoyed this post, make sure you subscribe to my RSS feed!

Month of PHP Bugs - Day 10

Day 10 of the Month of PHP Bugs brings a new PHP vulnerability which occurs when using ext/filter and ASCII data. This raises the vulnerability count to 18.

  1. PHP ext/filter HTML Tag Stripping Bypass Vulnerability: When ext/filter is configured to strip characters with low ASCII values it is possible to bypass the HTML tag filter in an easy way.
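To show why "strip low ASCII" and "strip tags" interact, here is an added, simplified Python model of the ordering mistake (this is illustrative code written for this post, not PHP's ext/filter source; the assumption that the tag filter runs before the low-byte stripping, and the tag pattern used, are mine):

```python
import re

# Stand-in for a tag stripper that, like PHP's strip_tags, only treats "<" as a
# tag opener when a letter, "/", "!" or "?" follows it (so "a < b" stays text).
TAG_RE = re.compile(r"<[A-Za-z/!?][^>]*>")

# Constructed sample input: a control byte splits "<" from "script".
SAMPLE = "<\x00script>alert(1)</script>"


def strip_low(s: str) -> str:
    """Drop every character with an ASCII value below 32 (the 'strip low' step)."""
    return "".join(c for c in s if ord(c) >= 32)


def strip_tags(s: str) -> str:
    """Remove anything that looks like an HTML tag."""
    return TAG_RE.sub("", s)


def sanitize_wrong_order(s: str) -> str:
    """Tag filter first, low-byte stripping second: the split tag survives the
    tag filter and is reassembled into a real tag by the second step."""
    return strip_low(strip_tags(s))


def sanitize_right_order(s: str) -> str:
    """Canonicalise (strip low bytes) first, then apply the tag filter."""
    return strip_tags(strip_low(s))


def contains_tag(s: str) -> bool:
    """Defender's check: does any tag-like token remain after sanitising?"""
    return TAG_RE.search(s) is not None


if __name__ == "__main__":
    print(repr(sanitize_wrong_order(SAMPLE)))  # tag reassembled after filtering
    print(repr(sanitize_right_order(SAMPLE)))  # tag removed
```

The general lesson is the same for any pipeline: normalise the input completely before running the check that is supposed to reject it, and test the sanitizer with inputs that split the dangerous token across the characters you strip.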



Top 5 Web Exploits for February 2007

Exploit Prevention Labs released the results of its February 2007 Exploit Prevalence Survey™. The Top 5 Web Exploits for February 2007 are:

  1. Q406 Roll-up package 35.17 percent (61.23 previous)
  2. CreateTextRange (CVE-2006-1359) 19.62 percent (8.45 previous)
  3. WebAttacker 13.88 percent (5.18 previous)
  4. IE VML Overflow 6.46 percent (5.37 previous)
  5. IE Com CreateObject code 5.98 percent (2.05 previous)

Note: the numbers above do not add up to 100 percent because of the following lesser reported exploits: Iframers launcher script (4.78% vs. 2.88%), WMF (CVE-2005-2124) with known payload (4.55% vs. 2.50%), Search engine hijack (4.07%, new), others (5.49%). Full article: February 2007 Exploit Prevalence Survey™.


Web App Security Hall Of Fame - Meet the Gurus part 4

Anurag Agarwal continued his series of Reflections on web security superstars by presenting Ivan Ristic, the man who put ModSecurity on the map of mandatory security controls. Just like before, Anurag covers all the articles, books, tools and great contributions to information security made by Ivan Ristic.

If we hear so much about web application firewalls and their role as a first line of defense in protecting our web applications, a large amount of credit has to go to Ivan Ristic. Ivan Ristic is the creator of ModSecurity (an open source web application firewall and intrusion detection/prevention engine).

Read the whole Reflection on Ivan Ristic


Month of PHP Bugs - Day 9

Day 9 of the Month of PHP Bugs brings a vulnerability which involves POST data in the FDF format. I’m just wondering if Stefan Esser’s commitment to release at least one PHP bug a day will last until March 31. Anyway, here is number 17:

  1. PHP ext/filter FDF Post Bypass Vulnerability: POST data in the FDF format is not processed at all by ext/filter. When PHP is compiled with FDF support, sitewide enforced filtering will not be performed on it.



2 Web Forensics Tools - Web Historian and Index.dat Analyzer

Today I came across a new tool to investigate the index.dat files: Index.dat Analyzer 2.0. This reminds me of another good tool for web forensics: MANDIANT Web Historian, which I’ve used in the past to track down security policy violations. It’s good to know that both tools are free.


Month of PHP Bugs - Day 8

The 8th day of the Month of PHP Bugs brings an arbitrary code execution vulnerability, raising the bug count to 16.

  1. PHP zip:// URL Wrapper Buffer Overflow Vulnerability: The zip:// URL wrapper suffers from a standard stack based buffer overflow that occurs when an overlong URL is parsed and can therefore lead to arbitrary code execution.



PCI drives Infiniti FX; Porsche Cayenne drives IT Security.

I bet you never took a security quiz in a luxury SUV such as a Porsche Cayenne or an Infiniti FX. Well … now you can :) @sec released IT Security Rally, a Flash based game that brings together IT security and fast cars. The game centers around four areas of IT security: Common Criteria, HIPAA, PCI and general IT security. At the end of each 10-question round, players get a chance to review their answers and learn why they were right or wrong. This is waaay too cool not to check out: IT Security Rally


Month of PHP Bugs - Day 7

It’s been one week now since the Month of PHP Bugs project started. The bug count for the first week is 15.

  1. PHP shmop Functions Resource Verification Vulnerability: The shmop functions do not verify that the supplied resource is of the correct type. This allows read and write access to arbitrary memory addresses and allows the execution of arbitrary code.


SPI Dynamics joins OWASP as a Vendor Organization

I’m glad to read that SPI Dynamics will be joining the Open Web Application Security Project (OWASP) as a Vendor Organization member. Additionally, SPI Dynamics is lending support to the OWASP Site Generator (OSG) project by allocating its membership fees to the ongoing success of this initiative.

"The OWASP Site Generator (OSG) project is an important industry initiative that we’re proud to support. OWASP has grown into a vital global resource for web application security research," says Michael Sutton, Security Evangelist, SPI Dynamics. "As leaders in the web application security industry, SPI Dynamics believes that supporting organizations such as OWASP is vital for encouraging awareness and providing access to the tools and information necessary for securing web applications."

It’s great to see the big vendors teaming up with open-source security researchers. If I were you, I’d keep a close eye on the OWASP Site Generator because the OWASP Spring of Code 2007 is just about to start.
