March 21st, 2010
On Friday morning, March 19, Michal Zalewski announced on the Google Security Blog: "Meet skipfish, our automated web security scanner", and this had to be taken seriously.
Recently I've seen a lot of free "web malware scanners", some of them released by prestigious security vendors (*cough* Qualys *cough*) and some of them released by unknown (to me at least) developers of the WP-Secure Plugin for WordPress, SiteSecurityMonitor.com.
Google's developers took a different approach and built an ol' school console application written in pure C. It is lightning fast and, thanks to its asynchronous processing, is able to issue hundreds of HTTP requests per second.
The source code is released under the Apache license and is available for download here.
I don't have a Linux box available right now to build it and test it myself, but the documentation surely fires up your interest in the features implemented in skipfish: server-side SQL injection, integer overflow vulnerabilities, stored and reflected XSS, MIME manipulation, HTTP credentials in URLs, unexpected response variations and many, many others.
We owe a big thanks to the Google security team, and I hope skipfish will be developed further.
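The request rate mentioned above (hundreds of HTTP requests per second from a single client) is also the property a defender can key on in web server access logs. The following is an added example, not code from the original post or from the skipfish project: it parses combined-format access log lines (a constructed sample is embedded in the block), computes each client's peak number of requests in a one-second sliding window and flags clients above an assumed threshold of 20 requests per second. The IPs, paths and threshold are constructed assumptions, not values taken from skipfish.

```python
"""Flag sources whose request rate looks like an automated scanner.

Added example, not part of the original post or of skipfish itself. It
parses constructed Apache/nginx combined-format access log lines, counts
requests per client IP in a sliding one-second window and reports sources
that exceed a threshold. RATE_THRESHOLD is an assumed value.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [timestamp] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
RATE_THRESHOLD = 20  # requests in any one-second window (assumption)


def parse_line(line):
    """Return (ip, timestamp, request, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


def peak_rates(lines):
    """Return {ip: peak requests seen in any one-second sliding window}.

    Lines are expected in chronological order, as access logs are written.
    """
    windows = defaultdict(deque)
    peaks = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _, _ = parsed
        q = windows[ip]
        q.append(ts)
        # Drop timestamps that fell out of the one-second window.
        while (ts - q[0]).total_seconds() >= 1.0:
            q.popleft()
        peaks[ip] = max(peaks[ip], len(q))
    return dict(peaks)


def suspected_scanners(lines, threshold=RATE_THRESHOLD):
    """Sorted list of client IPs whose peak one-second rate reaches threshold."""
    return sorted(ip for ip, peak in peak_rates(lines).items() if peak >= threshold)


def build_sample_log():
    """Constructed sample: a burst of 25 requests in one second from one
    source (documentation-range IPs, made-up paths) plus two ordinary
    requests from another client."""
    burst_ip, normal_ip = "198.51.100.7", "192.0.2.5"
    lines = [
        f'{burst_ip} - - [21/Mar/2010:10:15:00 +0000] "GET /page{i} HTTP/1.1" 404 512'
        for i in range(25)
    ]
    lines.append(f'{normal_ip} - - [21/Mar/2010:10:15:00 +0000] "GET /index.html HTTP/1.1" 200 2048')
    lines.append(f'{burst_ip} - - [21/Mar/2010:10:15:01 +0000] "GET /page25 HTTP/1.1" 404 512')
    lines.append(f'{normal_ip} - - [21/Mar/2010:10:15:03 +0000] "GET /about.html HTTP/1.1" 200 1024')
    return lines


if __name__ == "__main__":
    sample = build_sample_log()
    for ip, peak in sorted(peak_rates(sample).items()):
        print(f"{ip}: peak {peak} req/s")
    print("suspected scanners:", suspected_scanners(sample))
```

Real logs only carry one-second timestamp resolution, so the window counts requests sharing a second; a source that legitimately fronts many users (a proxy or NAT gateway) can also exceed the threshold, so the flagged list is a lead for review, not a verdict.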
March 5th, 2010

This week, the winners of the 2010 SC Awards U.S. were announced in San Francisco. I am very happy to see that I work with the winning vendor from almost all the categories I specialize in.
Without further ado, here is the complete list:

Winner: Guidance Software for EnCase Forensic
Finalists 2010
- ArcSight for ArcSight Logger
- Guidance Software for EnCase Forensic
- NetWitness for NetWitness NextGen 9.0
- Quest Software for Quest ChangeAuditor
- Solera Networks for Solera DS Network Forensics Appliances
Winner: ArcSight for ArcSight Enterprise Security Manager (ESM)
Finalists 2010
- Alert Logic for Log Manager
- ArcSight for ArcSight Enterprise Security Manager (ESM)
- IBM for Tivoli Security Information and Event Manager
- Q1 Labs for QRadar SIEM
- RSA Security for RSA enVision Platform
- Tenable Network Security for Tenable's Security Center 3.4 with Log Correlation Engine 3.2
- TriGeo Network Security for TriGeo SIM
Winner: Qualys for QualysGuard
Finalists 2010
- Core Security Technologies for CORE IMPACT Pro
- eEye Digital Security for Retina Network Security Scanner
- Microsoft Corp. for Forefront Threat Management Gateway
- Qualys for QualysGuard
- Tenable Network Security for Tenable Security Center 3.4 with Nessus 4.0, Log Correlation Engine (LCE) 3.2 and Passive Vulnerability Scanner (PVS) 3.0
- TippingPoint Technologies for TippingPoint Intrusion Prevention System (IPS)
Winner: F5 Networks for BIG-IP Application Security Manager
Finalists 2010
- Barracuda Networks for Barracuda Web Application Firewall
- Breach Security for WebDefend
- F5 Networks for BIG-IP Application Security Manager
- TippingPoint Technologies for TippingPoint's Intrusion Prevention System (IPS)
- VeriSign for VeriSign Extended Validation (EV) Secure Sockets Layer (SSL) Certificates
- WhiteHat Security for WhiteHat Sentinel
Read the complete list of winners here. I only wish there was an additional category named "Database Security" so I could see Imperva listed as well.
March 2nd, 2010

For the past month I lost contact with the infosec world, and I was quite surprised today to discover 3 new services offered by Qualys:
QualysGuard Malware Detection - a free service for everyone
By scanning the code of public web applications and websites, Qualys is able to detect malware code snippets and, most importantly, it can issue alerts when malicious code is found.
Qualys FreeScan – a free vulnerability scanner tool
Think of it as a complete QualysGuard scan for one single IP. It's a good way to try before you buy, and a sample report is provided.
Qualys GOSECURE - a security seal which confirms that a certain website is maintaining a rigorous and proactive security program.
This service takes a composite approach and performs an extensive scan of a website, including perimeter vulnerability scanning, specific web application vulnerability scanning, malware detection and SSL certificate validation. If everything is OK, Qualys issues a badge certifying the website's security.
I wish them luck with the new service range, and hopefully efforts like this will reduce the online threats posed by infected websites!