My Twitter Notes on 2010-05-02

  • Looking for a banking fraud management solution (mainly Oracle systems). Any recommendations based on real-life experience? Thank you!
  • "The Case Against Apple–in Five Parts « The Jason Calacanis Weblog" ( http://bit.ly/45L0Lx ) .. old but gold.
  • Reading: "Attack of the Opt-In Botnets | Zero Day | ZDNet.com" ( http://bit.ly/b5zu4n )
  • SKIPFISH Review http://bit.ly/aW5dTW


Skipfish – New Web Security Scanner By Google!

Google's New Web Security Vulnerability Scanner

On Friday morning, Mar 19, Michal Zalewski announced on the Google Security Blog: "Meet skipfish, our automated web security scanner", and this had to be taken seriously.

Recently I've seen a lot of free "web malware scanners", some of them released by prestigious security vendors, *cough* Qualys *cough*, and some of them released by developers unknown (to me at least), such as the WP-Secure Plugin for WordPress and SiteSecurityMonitor.com.

Google's developers took a different approach and built an old-school console application written in pure C. It is lightning fast and, thanks to its asynchronous request processing, is able to send hundreds of HTTP requests per second.

The source code is released under the Apache license and is available for download here.

I don't have a Linux box available right now to build it and test it myself, but the documentation surely fires up your interest in the checks implemented in skipfish: server-side SQL injection, integer overflow vulnerabilities, stored and reflected XSS, MIME manipulation, HTTP credentials in URLs, unexpected response variations and many, many others.

We owe a big thanks to the Google security team, and I hope skipfish will be developed further.

SC Magazine 2010 Awards Winners


This week, the winners of the 2010 SC Awards U.S. were announced in San Francisco. I am very happy to see that I work with the winning vendor in almost all of the categories I specialize in.

Without further ado, here is the complete list:

Best computer forensics solution

Winner: Guidance Software for EnCase Forensic

Finalists 2010

  • ArcSight for ArcSight Logger
  • Guidance Software for EnCase Forensic
  • NetWitness for NetWitness NextGen 9.0
  • Quest Software for Quest ChangeAuditor
  • Solera Networks for Solera DS Network Forensics Appliances


Best SIM/SIEM solution

Winner: ArcSight for ArcSight Enterprise Security Manager (ESM)

Finalists 2010

  • Alert Logic for Log Manager
  • ArcSight for ArcSight Enterprise Security Manager (ESM)
  • IBM for Tivoli Security Information and Event Manager
  • Q1 Labs for QRadar SIEM
  • RSA Security for RSA enVision Platform
  • Tenable Network Security for Tenable's Security Center 3.4 with Log Correlation Engine 3.2
  • TriGeo Network Security for TriGeo SIM


Best vulnerability management solution

Winner: Qualys for QualysGuard

Finalists 2010

  • Core Security Technologies for CORE IMPACT Pro
  • eEye Digital Security for Retina Network Security Scanner
  • Microsoft Corp. for Forefront Threat Management Gateway
  • Qualys for QualysGuard
  • Tenable Network Security for Tenable Security Center 3.4 with Nessus 4.0, Log Correlation Engine (LCE) 3.2 and Passive Vulnerability Scanner (PVS) 3.0
  • TippingPoint Technologies for TippingPoint Intrusion Prevention System (IPS)


Best web application security solution

Winner: F5 Networks for BIG-IP Application Security Manager

Finalists 2010

  • Barracuda Networks for Barracuda Web Application Firewall
  • Breach Security for WebDefend
  • F5 Networks for BIG-IP Application Security Manager
  • TippingPoint Technologies for TippingPoint's Intrusion Prevention System (IPS)
  • VeriSign for VeriSign Extended Validation (EV) Secure Sockets Layer (SSL) Certificates
  • WhiteHat Security for WhiteHat Sentinel


The complete list of winners can be read here. I only wish there were an additional category named "Database Security" so I could see Imperva listed as well :)

Qualys Unveils 3 New Services – Some Are FREE!

For the past month I lost contact with the infosec world, and I was quite surprised today to discover 3 new services offered by Qualys:

QualysGuard Malware Detection - A free service for everyone
By scanning the code of public web applications and websites, Qualys is able to detect malicious code snippets and, most importantly, it can raise an alert when malicious code is found.

Qualys FreeScan - A free vulnerability scanner tool
Think of it as a complete QualysGuard scan for one single IP. It's a good way to try before you buy, and a sample report is provided.

Qualys GOSECURE - A security seal which confirms that a given website maintains a rigorous and proactive security program.
This service takes a composite approach and performs an extensive scan of a website, including perimeter vulnerability scanning, web-application-specific vulnerability scanning, malware detection and SSL certificate validation. If everything is OK, Qualys issues a badge which certifies the website's security.

I wish them luck with the new service range, and hopefully efforts like this will reduce the online threats posed by infected websites!
