Nikto 2 Is Out There

A very short post:

Nikto 2 is out! Finally :) I'm sure most of us have seen the funny message promising a new version real soon; well, it happened and you can check the huge Changelog here.

Thanks to all the fine folks at CIRT.NET!

If you enjoyed this post, make sure you subscribe to my RSS feed!

USB Security Appliance - YOGGIE Pico

Today I've seen the smallest security appliance ever! The YOGGIE Pico Personal Security Server runs off a USB port and provides more than a dozen security features. At first I thought it was a USB drive full of portable applications, but I was wrong. The Yoggie Pico is a real server with its own CPU, SDRAM, Flash, operating system, file system and all :) .

No larger than a regular USB thumb drive, the Yoggie Pico runs a custom Linux distribution and packs almost all the security functionality you would find in a large corporate network:

  • Adaptive Security Policy™
  • Multi-Layer Security Agent™
  • Layer-8 Security Engine™
  • URL Categorization & Filtering
  • Anti-Spam
  • Anti-Phishing
  • Antispyware
  • Antivirus
  • Transparent Email Proxies (POP3; SMTP)
  • Transparent Web Proxies (HTTP; FTP)
  • Intrusion Detection System / Intrusion Prevention System
  • VPN Client
  • Stateful Inspection Firewall

Awesome tool! You can read about how it works or download the datasheet (PDF) here.

GIAC Secure Software Programmer (GSSP) Certification

Ha! Finally there is an official way to tell the security-minded programmers apart from the rest of the coder crowd. The GIAC Secure Software Programmer (GSSP) Certification is a brand-new SANS exam designed to test the security knowledge of developers in an effort to reduce application security vulnerabilities.

It is a good example of fixing the cause of software vulnerabilities, and I hope it won't turn into a paper certification like so many other security certs have during the past years.

There are two tests available, depending on the programming language chosen by the candidate, and these are the exam blueprints:

According to the calendar of events, the first exam sessions will be held on Dec 2 in Orlando, FL and Dec 5 in London, GB.
Good luck to all who are considering taking this exam!

Pixy is a Free PHP Code Audit Tool

I've always thought that secure web applications must be built secure, and no matter how many patches are released during an application's life cycle, secure coding and secure code are the fundamental pillars of a secure web.

Defending a vulnerable web application with a Web Application Firewall should only buy you some time to actually fix the vulnerabilities. I strongly believe that virtual patching is just a crap marketing buzzword. Always fix the code!

Just a few days after I found a static .NET XSS code analyzer, today I've found a PHP XSS and SQL injection source code analyzer called Pixy.

Download and install Pixy today, and please share the experience!

XSSDetect - Free Visual Studio Plugin

NEW! Microsoft just released XSSDetect, a free Visual Studio plugin designed to detect XSS vulnerabilities in managed code.

My relationship with programming has been going from bad to worse, and we decided it was time to call it quits a few years ago; that's the reason I won't be able to test it first hand. Nevertheless, I think we should support any effort to reduce software vulnerabilities, and this time props go to Microsoft!

Download XSSDetect from Microsoft

Imperva SecureSphere Review

Recently I took part in a training session on Imperva SecureSphere® and I must say I was impressed with the architecture, features and overall philosophy behind this product.

Here are 10 reasons I liked Imperva SecureSphere, an awesome Web Application Firewall, or should I say Business Application Firewall, for reasons which I will present below.

Note: I am not affiliated with Imperva, and this is not a paid review.

1. Dual Approach on Web Application Security : WWW + SQL
There are several Web Application Firewalls available on the market and apparently Imperva is the only one who approaches Application Security the right way, as a multi-tier structure. Therefore, Imperva offers IPS-like protection on both the presentation layer (HTTP traffic) and the data layer (SQL traffic).

The ability to monitor and block both HTTP and SQL traffic provides defense in depth and unmatched end-to-end user accountability (from browser to database).

2. Architecture / Extremely Flexible Deployment 
SecureSphere is offered as a hardened appliance handling impressive traffic volumes of up to 2 Gbps and 36,000 HTTP transactions/sec or 200,000 SQL transactions/sec.

The Architecture of a SecureSphere solution is modular and scalable:

I liked the fact that there is a Management Server and "enforcement points" in the form of Web Application Firewalls and Database Security Gateways. Yes, it looks similar to a Check Point architecture, and there is a good reason for this.

The deployment options blew me away because I was used only to reverse proxy and transparent proxy web application firewalls. Well, Imperva offers a wide range of deployment scenarios which should fit any network requirement:

  • Transparent Bridge (Layer 2)
  • Router/NAT (Layer 3)
  • Reverse Proxy (Layer 7)
  • Non-inline sniffer
  • Transparent Proxy (Layer 7)

3. Positive Security Model / Dynamic Profiling
The positive security model is definitely not something new, especially in web application firewall design. But what I found very interesting about Imperva's approach was the semantic breakdown of both HTTP and SQL requests. Finally, HTTP requests and SQL queries are tokenized and each token can be fed to a correlation engine. Suddenly the data has meaning, and actions can be taken based on the meaning of the tokens.

One of the drawbacks of the positive security model is the taming (or should I say training :) of the firewall/IPS: lots of time spent teaching a machine the difference between normal and abnormal.

Imperva tackles this time- and resource-consuming task with a dynamic profiling function. Every new application is automatically set into "Learning" mode until a certain number of requests (in the order of thousands) or days have elapsed. At that point, based on the data gathered so far, the system defines a profile of acceptable requests and locks the application into "Protection" mode. Defining what is "normal" or "acceptable" is done by statistical correlation of all the values recorded for each token, much like a Gaussian bell-curve distribution. The obvious caveat is that the profile is only as clean as the traffic it was learned from: anything that hit the application during the learning window, attacks included, becomes "normal".

At any later point in time the application lockdown can be removed by an administrator and the tokens can be modified.
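To make the learn-then-lock mechanism concrete, here is a toy profiler written for this post (an added example, not Imperva's code). It assumes a request tokenizer that splits the URL path from its decoded query parameters, a per-parameter envelope made of the character classes and the length range seen during learning, and a request-count threshold for locking; a real engine profiles thousands of requests and many more attributes per token.

```python
"""Toy dynamic profiler for a positive security model (added example,
not Imperva's code).  The request tokenizer, the character-class envelope
and the request-count threshold are all assumptions made for illustration;
a real engine profiles thousands of requests and many more attributes."""
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit


def char_class(value: str) -> str:
    """Coarse character class of a parameter value (assumed token attribute)."""
    if value.isdigit():
        return "digits"
    if value.isalpha():
        return "alpha"
    if value.isalnum():
        return "alnum"
    return "other"


class Profiler:
    def __init__(self, threshold: int = 1000):
        self.threshold = threshold          # requests per URL before locking
        self.seen = defaultdict(int)        # URL -> requests observed in learning mode
        self.locked = set()                 # URLs now in "Protection" mode
        # URL -> parameter name -> {character classes seen, min length, max length}
        self.profile = defaultdict(dict)

    @staticmethod
    def tokenize(request_line: str):
        """Break 'METHOD /path?query HTTP/1.1' into method, path and decoded parameters."""
        method, target = request_line.split(" ")[:2]
        parts = urlsplit(target)
        return method, parts.path, parse_qsl(parts.query, keep_blank_values=True)

    def _learn(self, url, params):
        for name, value in params:
            tok = self.profile[url].setdefault(
                name, {"classes": set(), "min": len(value), "max": len(value)})
            tok["classes"].add(char_class(value))
            tok["min"] = min(tok["min"], len(value))
            tok["max"] = max(tok["max"], len(value))
        self.seen[url] += 1
        if self.seen[url] >= self.threshold:
            self.locked.add(url)            # profile is now frozen

    def _check(self, url, params):
        known = self.profile.get(url, {})
        violations = []
        for name, value in params:
            if name not in known:
                violations.append(f"unknown parameter {name!r}")
                continue
            tok = known[name]
            if char_class(value) not in tok["classes"]:
                violations.append(f"{name}: character class {char_class(value)} never seen in learning")
            if not tok["min"] <= len(value) <= tok["max"]:
                violations.append(f"{name}: length {len(value)} outside learned range {tok['min']}-{tok['max']}")
        return violations

    def inspect(self, request_line: str):
        """Return (mode, violations). Learning-mode requests are recorded, never blocked."""
        _method, url, params = self.tokenize(request_line)
        if url not in self.locked:
            self._learn(url, params)
            return "learning", []
        return "protection", self._check(url, params)

    def unlock(self, url: str):
        """Administrator removes the lockdown so the profile can be re-trained or edited."""
        self.locked.discard(url)
        self.seen[url] = 0


if __name__ == "__main__":
    p = Profiler(threshold=3)
    # Constructed traffic: three clean requests train the profile, then two attacks.
    for line in ("GET /item?id=17 HTTP/1.1", "GET /item?id=4 HTTP/1.1",
                 "GET /item?id=123 HTTP/1.1",
                 "GET /item?id=17%27%20OR%201%3D1-- HTTP/1.1",
                 "GET /item?id=5&debug=1 HTTP/1.1"):
        print(line, "->", p.inspect(line))
```

Once `/item` is locked, the injected `id` value fails on both character class and length, and the never-seen `debug` parameter is rejected outright, which is the whole point of a positive model: the engine needs no signature for either. It also shows the learning-window problem from above: had the injection been sent while the URL was still in learning mode, "other" would have entered the envelope and the same request would later pass.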

4. HTTPS/SSL Inspection: Passive Decryption or Termination
One of the common shortcomings of web application firewalls/IPS is the inability to look inside an SSL-encrypted data stream without breaking the SSL connection between browser and web server.

Imperva SecureSphere can either act as a transparent SSL terminator or decrypt the stream passively; in the latter case it either stores a copy of the web server's private key or delegates key management and decryption to an existing HSM. Keep in mind that passive decryption with a copy of the server's key only works when the session's key exchange is RSA: with ephemeral Diffie-Hellman cipher suites the session key cannot be derived from the server's private key, so the inspector has to terminate the connection instead.

5. Imperva Application Defense Center (ADC)
Whenever one buys such a complex security solution, it’s a good feeling to know that the product is actively supported and improved by a dedicated R&D team. Think of ISS (IBM) X-Force.

Imperva’s own R&D uber hacker team is called Application Defense Center (ADC) and its leader is Amichai Shulman, Imperva’s CTO.

I was told that the average time between a zero-day vulnerability disclosure and a full signature release is 3 to 5 days. And we are talking vulnerabilities on multiple layers: network, operating systems, protocol anomalies (HTTP and SQL), database platforms, web application platforms, etc.

6. Enterprise Ready Features

I call this set of features "Enterprise-Ready Features" because I've come to understand that it's not enough for a product to be the best in its class; it has to fit nicely within an established network and it has to be easy to manage, deploy and upgrade. Yeah, 21st century corporate bull requirements :)

So here they are, Imperva SecureSphere's Enterprise-Ready features:

  • High Availability
    • IMPVHA (Active/Active, Active/Passive), a proprietary protocol
    • Fail-open interfaces (bridge mode only)
    • VRRP
    • STP and RSTP
  • Alerting to various monitoring and security event management systems through SNMP, Syslog and Email
  • Integrated graphical reporting
  • Real-time dashboard
  • Pre-defined and custom correlation rules incorporating all security elements to detect complex, multi-stage attacks

7. Database Security Assessment
I have been using SCUBA, Imperva's free database vulnerability scanner, for a while and it proved efficient in a few assignments. Little did I know that the SecureSphere Database Security Gateway runs a 50 times larger database vulnerability assessment whenever a new database system is included for monitoring/protection.

It just seems logical for a database IPS/firewall to have inside knowledge about the configuration, patch level, roles and data of the systems it's supposed to defend. It all comes down to the importance of data profiling.

8. Correlation Across Layers
One important evaluation criterion for any firewall/IPS is the way it handles false positives and false negatives. Regardless of the layer it works on (network, application), the firewall should not block any legitimate request. A tough requirement to meet, especially when one has to cover multiple OSI layers (network, transport, presentation, application)!

Imperva has developed an internal correlation engine named Correlated Attack Validation (CAV) which tracks and correlates multiple events to accurately identify and block sophisticated attacks.

This is one example of blocking an attack which uses the HTTP Request Smuggling evasion technique:

[Figure: SecureSphere blocking an HTTP Request Smuggling attempt]
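Request smuggling works because two hops in the chain disagree on where one request ends and the next begins. The check below is an added example written for this post, not Imperva's CAV engine: it applies the RFC 7230 rule that a request carrying both Content-Length and Transfer-Encoding is malformed, and flags the header tricks (whitespace before the colon, a non-standard Transfer-Encoding value, conflicting Content-Length headers) used to make a front-end and a back-end parse the same bytes differently. The sample requests are constructed.

```python
"""Framing-ambiguity check for HTTP request smuggling (added example, not
Imperva's CAV engine).  It applies the RFC 7230 rule that a request carrying
both Content-Length and Transfer-Encoding is malformed, and flags the header
tricks used to make a front-end and a back-end disagree on where one request
ends and the next begins.  The sample requests are constructed."""


def split_request(raw: str):
    """Return (request line, [(raw header name, value)], body) for one HTTP/1.1 request."""
    head, _sep, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _colon, value = line.partition(":")
        headers.append((name, value.strip()))   # keep the raw name: whitespace matters
    return lines[0], headers, body


def framing_findings(raw: str):
    """List the reasons this request could be framed differently by two proxies."""
    _req, headers, body = split_request(raw)
    findings = []
    # 'Transfer-Encoding : chunked': one parser sees the header, another ignores it.
    for name, _v in headers:
        if name != name.strip():
            findings.append(f"whitespace around header name {name!r} (header obfuscation)")
    norm = [(n.strip().lower(), v) for n, v in headers]
    cl = [v for n, v in norm if n == "content-length"]
    te = [v for n, v in norm if n == "transfer-encoding"]
    if cl and te:
        findings.append("both Content-Length and Transfer-Encoding present (CL.TE/TE.CL desync candidate)")
    if len(set(cl)) > 1:
        findings.append(f"conflicting Content-Length values {cl}")
    for v in te:
        if v.lower() != "chunked":
            findings.append(f"non-standard Transfer-Encoding {v!r} (may be honoured by only one hop)")
    # A plain CL request whose declared length disagrees with the captured body
    # leaves bytes on the connection to be prepended to the next request.
    if cl and not te and cl[0].isdigit() and int(cl[0]) != len(body.encode()):
        findings.append(f"Content-Length {cl[0]} does not match body length {len(body.encode())}")
    return findings


# Constructed samples with CRLF line endings, as on the wire.
CLEAN = "POST /search HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 5\r\n\r\nq=abc"
CL_TE = ("POST /search HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 6\r\n"
         "Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nG")
OBFUSCATED = ("POST /search HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 3\r\n"
              "Transfer-Encoding : xchunked\r\n\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("cl.te", CL_TE), ("obfuscated", OBFUSCATED)):
        print(label, "->", framing_findings(sample) or "ok")
```

The CL.TE sample is the classic shape: a front-end honouring Content-Length forwards all six body bytes, a back-end honouring Transfer-Encoding stops at the empty chunk and keeps the trailing `G` as the start of the next request. Rejecting the ambiguous framing at the first hop, as this check does, is simpler and safer than trying to guess which interpretation the back-end will choose.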

9. SQL Queries AND Responses
Many database monitoring and audit solutions will log the SQL queries, but I'm not sure how many think of logging the SQL response as well, thus leaving a door open for insider threats.

The sheer volume of data can render such logging unusable, but Imperva has a very simple and effective solution: it stores the audit logs (SQL request and response) as flat files, which has little to no effect on traffic inspection.

10. Universal User Tracking
Accountability and non-repudiation are two cornerstone requirements for any solid security management system, but they have been very difficult to implement because of the way most web applications work:

  • Phase 1: The user logs into the web application using his username, token, etc.
  • Phase 2: The user clicks on a link which translates into a series of SQL queries to be passed to the database layer.
  • Phase 3: The application server initiates a database connection using a generic application user.
  • Phase 4: The database executes the query and returns the data to the application server which in turn presents the data to the user.

Somewhere between phase 2 and phase 4 the chain of accountability is broken: there is no direct link between a user and the SQL query run on the database.

This is where Imperva's Universal User Tracking kicks in: it makes users accountable for their actions, even when they access data through business applications. To identify application user IDs, a dedicated SecureSphere interface monitors application user sessions and correlates those sessions with specific database transactions.
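The correlation idea is simple enough to show in a few lines. What follows is an added example written for this post, not Imperva's Universal User Tracking. It assumes the web tier logs the start and end of every request together with the logged-in user, that the database audit log timestamps every query, that clocks are in sync, and that a query belongs to whichever request was in flight when it ran. Both logs are constructed.

```python
"""Re-linking pooled database queries to application users (added example of
the correlation idea described above, not Imperva's Universal User Tracking).
Assumptions: the web tier logs start/end of every request with the logged-in
user, the database audit log timestamps every query, clocks are in sync, and
a query belongs to whichever request was in flight when it ran.  Both logs
below are constructed."""
from datetime import datetime

WEB_LOG = [  # (application user, request start, request end)
    ("alice", "2007-11-20T10:00:00.000", "2007-11-20T10:00:00.120"),
    ("bob",   "2007-11-20T10:00:01.000", "2007-11-20T10:00:01.300"),
    ("carol", "2007-11-20T10:00:01.100", "2007-11-20T10:00:01.250"),
]

DB_LOG = [  # (timestamp, database account, SQL text)
    ("2007-11-20T10:00:00.050", "app_pool", "SELECT * FROM accounts WHERE id=17"),
    ("2007-11-20T10:00:01.150", "app_pool", "UPDATE accounts SET balance=0 WHERE id=42"),
    ("2007-11-20T10:00:05.000", "app_pool", "SELECT * FROM accounts"),
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%f")


def attribute_queries(web_log, db_log):
    """Return one record per query: the user it is attributed to, or why it cannot be."""
    sessions = [(user, parse_ts(start), parse_ts(end)) for user, start, end in web_log]
    records = []
    for ts, account, sql in db_log:
        t = parse_ts(ts)
        candidates = sorted(u for u, start, end in sessions if start <= t <= end)
        if len(candidates) == 1:
            status, user = "attributed", candidates[0]
        elif candidates:
            # Two requests in flight on the same pool: time alone cannot decide.
            # A real engine would also key on the pooled connection that carried the query.
            status, user = "ambiguous", "|".join(candidates)
        else:
            # Nobody was logged in through the application: the pooled account
            # was used directly (DBA tool, stolen credentials), i.e. the insider case.
            status, user = "no-web-session", account
        records.append({"sql": sql, "status": status, "user": user})
    return records


if __name__ == "__main__":
    for r in attribute_queries(WEB_LOG, DB_LOG):
        print(f"{r['status']:15} {r['user']:10} {r['sql']}")
```

The two edge cases are the interesting output. Overlapping requests from bob and carol make the `UPDATE` ambiguous by time alone, which is why a product has to track the actual pooled connection and not just timestamps; and the `SELECT * FROM accounts` with no web session at all is exactly the insider scenario from point 9: someone drove the application's database account directly, bypassing the application.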

Conclusions
Imperva SecureSphere is an advanced business application security control which has taken the concept of firewall & IPS to the application layer with great results.
Just like Check Point changed the network firewall forever in 1993, I wouldn't be surprised if 15 years later Imperva established itself as the reference in activity monitoring, audit and security for business applications and databases.

However, take my review with a grain of salt as I haven't tested the product myself... yet :) I plan to set up a head-to-head clash between an automated web attack suite and an automated web firewall. Now that's going to be fun :)

Zend Powered FREE FastCGI Extension for Microsoft IIS

Microsoft has released the FastCGI Extension for IIS, a free server component enabling the hosting of PHP applications on Windows Server 2003 and IIS 6 with increased reliability, scalability and security.

Most of the applications built for IIS use the native multi-threaded application model. This was not the case for applications initially written for Linux and ported to Windows, such as PHP and its extensions. Even though the PHP engine is multi-threaded, many of the PHP extensions are not thread-safe, which takes away the advantage of processing multiple concurrent requests in one process.

The Microsoft FastCGI Extension for IIS provides full support for hosting and executing FastCGI-enabled applications on IIS in a high-performance and reliable way.

Some of the important features provided in this release of the FastCGI Extension are listed below:

  • Reliable hosting of non-thread-safe applications (such as PHP) in FastCGI mode by enforcing single-request concurrency per FastCGI process
  • Support for hosting FastCGI application frameworks on shared servers by providing the necessary configuration options
  • A rich set of configuration options for tweaking the performance of the FastCGI extension and the FastCGI processes

The most surprising detail of FastCGI is the cost: FREE, as in beer!

Download it and be gentle with Microsoft on the bug reports. After all... they are taking baby steps into the free software business :)

When the going gets tough, It’s time for school !

I don't know about you, but I owe a big part of my education and career to independent study and research, because not many universities were offering Bachelor's/Master's degrees in Information Security back then.

Times have changed, and today I came across a very interesting online cybersecurity degree offered by Utica College: a Bachelor of Science in Cybersecurity with two concentrations:

  • Cybercrime Investigations and Forensics
  • Information Assurance

Security vulnerabilities and threats have changed, and the age-old saying "follow the money" seems more relevant than ever. The technology behind financial operations has introduced a new breed of risks which must be addressed from both the accounting and the computer science points of view.

In order to address this risk, Utica College offers a unique set of Economic Crime degrees which focus on financial investigation in order to detect and investigate fraud and other economic crimes.

It's good to see that the academic world is adapting to the security threats we face nowadays, and I hope that more and more students will choose the path we have come to love and hate every day :) . Only they won't have to walk the same rough path, thanks to the new online education and training available today.

Free Web Application Firewall - Armorlogic Profense

Although one may argue that a firewall does not really solve the security problems of an organization, I highly doubt anyone would design a modern network security schema without a solid firewall.

There are many open source network firewalls available on the market, and this is why I was very glad to discover an open source web application firewall available for free.

Profense is the flagship product of Armorlogic, a Danish software development company created in early 2005 by Jakob Frydendal Gercke and Srebrenko Sehic, internet security specialists working as Big 4 consultants.

Apparently they founded their own company around web application security and positive security models. It paid off, and Profense is already shipping version 2.

The free version of the product is based on a stripped-down and hardened OpenBSD platform, making it a hard-to-break appliance. Profense Base is packed with commercial-grade features such as:

Web Application Firewall:

  • Positive filtering
  • Automatic policy generation
  • HTTPS (SSL) aware

Web Accelerator:

  • Traffic compression
  • TCP connection off-loading
  • Static content caching
  • Dynamic content caching

Load Balancer:

  • HTTP/HTTPS load balancing
  • Session persistence

I think that the kind folks at Armorlogic deserve all the community support they can get, so I invite you to download Profense Base and give it a spin!

Kerberos Consortium Targets Universal Authentication Platform

As you know, Kerberos was originally developed at MIT as the authentication protocol for MIT's Project Athena in 1983 and was adopted as an IETF standard in 1993. The quick release of Kerberos as open source in 1987 led to massive adoption amongst IT vendors, to the point that there is no way back to a non-Kerberos world.

This is why seven large organizations have decided to form the Kerberos Consortium, whose goal is to establish Kerberos as the universal authentication platform for the world's computer networks.

The Consortium's operating principles:

  • Be a not-for-profit consortium of companies led by MIT.
  • Develop authentication and authorization technologies for computer networks based on the Kerberos system.
  • Meet the needs of users, operating system vendors, application vendors, and other members of the Kerberos community.
  • Expand and accelerate the implementation and standardization efforts that MIT currently undertakes.
  • Provide a valuable forum by which customers and vendors can communicate their needs for the future of Kerberos.
  • Provide a neutral environment for resolving interoperability and functionality issues of concern to the wider Kerberos community.

The Consortium's members (sponsors) include big names in the industry such as Google and Stanford University, so it might well be One Ring to rule them all :)
