March 21st, 2010
On Friday morning, March 19, Michal Zalewski announced on the Google Security Blog: "Meet skipfish, our automated web security scanner". Given who is behind it, this one had to be taken seriously.
Recently I've seen a lot of free "web malware scanners", some released by prestigious security vendors (*cough* Qualys *cough*) and some by developers unknown, to me at least, such as the WP-Secure plugin for WordPress from SiteSecurityMonitor.com.
Google's developers took a different approach: they built an old-school console application written in pure C. It is lightning fast, and thanks to its asynchronous request handling it can push hundreds of HTTP requests per second at the target.
The source code is released under the Apache License 2.0 and is available for download here.
I don't have a Linux box available right now to build and test it myself, but the documentation alone should fire up your interest in the checks skipfish implements: server-side SQL injection, integer overflow vulnerabilities, stored and reflected XSS, MIME manipulation, HTTP credentials in URLs, unexpected response variations and many, many others.
We owe a big thanks to the Google security team, and I hope skipfish will be developed further.
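To make that feature list a little more concrete, here is a toy scanner I have added to this post. It is not skipfish's code, and it does not talk to the network: the target is a constructed in-process mock (`mock_app`) standing in for a real site, and the function names are my own. It implements two of the checks named above in their simplest form: reflected XSS, by injecting a unique marker and looking for it coming back without HTML encoding, and HTTP credentials embedded in URLs found while crawling. Real scanners such as skipfish also have to cope with response variance, authentication, rate limits and POST forms, all of which this example ignores.

```python
"""Toy web scanner (added example, not skipfish code). The target is a
constructed mock application; swap fetch() for a real HTTP client to use it."""
import html
import re
import secrets
from collections import deque
from urllib.parse import parse_qsl, urlsplit

HREF_RE = re.compile(r"""href\s*=\s*["']([^"']+)["']""", re.IGNORECASE)


def mock_app(path, params):
    """Constructed stand-in for the site being scanned (not a real target).
    /search reflects the q parameter unescaped (a reflected XSS sink);
    /profile escapes its name parameter correctly but links to a URL that
    carries a username and password in its userinfo part."""
    if path == "/search":
        return (f"<html><body><p>Results for {params.get('q', '')}</p>"
                "<a href='/profile?name=bob'>profile</a></body></html>")
    if path == "/profile":
        return (f"<html><body><h1>{html.escape(params.get('name', ''))}</h1>"
                "<a href='http://admin:s3cret@intranet.example/api'>api</a>"
                "<a href='/search?q=test'>search</a></body></html>")
    return "<html><body>not found</body></html>"


def check_reflection(fetch, path, params, param):
    """Inject a fresh random marker wrapped in angle brackets. A verbatim
    return means the application reflects input without HTML-encoding it;
    an encoded return (&lt;...&gt;) means it was reflected safely."""
    token = "sfx" + secrets.token_hex(4)
    probe = dict(params)
    probe[param] = f"<{token}>"
    body = fetch(path, probe)
    if f"<{token}>" in body:
        return "unescaped"
    if token in body:
        return "escaped"
    return "absent"


def has_credentials(url):
    """True if the URL embeds a username or password (scheme://user:pass@host)."""
    parts = urlsplit(url)
    return bool(parts.username or parts.password)


def scan(fetch, start):
    """Breadth-first crawl of same-site links from `start`, probing every query
    parameter for unescaped reflection and flagging any link that embeds
    credentials. fetch(path, params) must return the response body as text."""
    findings = []
    seen = set()
    queue = deque([start])
    while queue:
        url = queue.popleft()
        parts = urlsplit(url)
        if parts.scheme or parts.netloc:
            # Absolute link: inspect it, but do not crawl off the target site.
            if has_credentials(url):
                findings.append(("credentials-in-url", url))
            continue
        params = dict(parse_qsl(parts.query))
        key = (parts.path, tuple(sorted(params.items())))
        if key in seen:
            continue
        seen.add(key)
        body = fetch(parts.path, params)
        for name in params:
            if check_reflection(fetch, parts.path, params, name) == "unescaped":
                findings.append(("reflected-xss", f"{parts.path}?{name}"))
        queue.extend(HREF_RE.findall(body))
    return findings


if __name__ == "__main__":
    for kind, where in scan(mock_app, "/search?q=test"):
        print(f"{kind}: {where}")
```

Against the mock site the crawl reports `/search?q` as an unescaped reflection and the `intranet.example` link as credentials in a URL, while `/profile?name` is correctly reported as safe because the marker comes back encoded. One operational caveat worth keeping in mind with the real tool: at hundreds of requests per second a scan looks like a denial of service to a small site, so point it only at systems you own or are authorised to test.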
March 5th, 2010

This week the winners of the 2010 SC Awards U.S. were announced in San Francisco. I am very happy to see that I work with the winning vendor in almost every category I specialize in.
Without further ado, here is the list for those categories:

Winner: Guidance Software for EnCase Forensic
Finalists 2010
- ArcSight for ArcSight Logger
- Guidance Software for EnCase Forensic
- NetWitness for NetWitness NextGen 9.0
- Quest Software for Quest ChangeAuditor
- Solera Networks for Solera DS Network Forensics Appliances
Winner: ArcSight for ArcSight Enterprise Security Manager (ESM)
Finalists 2010
- Alert Logic for Log Manager
- ArcSight for ArcSight Enterprise Security Manager (ESM)
- IBM for Tivoli Security Information and Event Manager
- Q1 Labs for QRadar SIEM
- RSA Security for RSA enVision Platform
- Tenable Network Security for Tenable's Security Center 3.4 with Log Correlation Engine 3.2
- TriGeo Network Security for TriGeo SIM
Winner: Qualys for QualysGuard
Finalists 2010
- Core Security Technologies for CORE IMPACT Pro
- eEye Digital Security for Retina Network Security Scanner
- Microsoft Corp. for Forefront Threat Management Gateway
- Qualys for QualysGuard
- Tenable Network Security for Tenable Security Center 3.4 with Nessus 4.0, Log Correlation Engine (LCE) 3.2 and Passive Vulnerability Scanner (PVS) 3.0
- TippingPoint Technologies for TippingPoint Intrusion Prevention System (IPS)
Winner: F5 Networks for BIG-IP Application Security Manager
Finalists 2010
- Barracuda Networks for Barracuda Web Application Firewall
- Breach Security for WebDefend
- F5 Networks for BIG-IP Application Security Manager
- TippingPoint Technologies for TippingPoint's Intrusion Prevention System (IPS)
- VeriSign for VeriSign Extended Validation (EV) Secure Sockets Layer (SSL) Certificates
- WhiteHat Security for WhiteHat Sentinel
The complete list of winners is here. I only wish there had been an additional category named "Database Security", so I could see Imperva listed as well.
March 2nd, 2010

For the past month I have been out of touch with the infosec world, and I was quite surprised today to discover three new services offered by Qualys:
QualysGuard Malware Detection - a free service for everyone
By scanning the code of public web applications and websites, Qualys is able to detect malicious code snippets and, most importantly, raise an alert when malicious code is found.
Qualys FreeScan - a free vulnerability scanner tool
Think of it as a complete QualysGuard scan of a single IP. It is a good way to try before you buy, and a sample report is provided.
Qualys GO SECURE - a security seal confirming that a website maintains a rigorous and proactive security program.
This service takes a composite approach and performs an extensive scan of a website, including perimeter vulnerability scanning, web application vulnerability scanning, malware detection and SSL certificate validation. If everything checks out, Qualys issues a badge that attests to the website's security.
I wish them luck with the new service range, and hopefully efforts like this will reduce the online threats posed by infected websites!
February 9th, 2010

Learning and practising ethical hacking is often hard because of the background work involved: setting up a proper lab, installing all the required software versions, and so on. But things have changed, and I'm very happy to share what I've just discovered: the OWASP Broken Web Applications Project, which aims to provide a complete testing environment packed into a self-contained VMware machine.
The nice folks at owaspbwa have managed to set up quite a few web platforms and applications so that we, the users, can skip the tedious setup and jump right into web security hacking. I will quote the developers on the contents of this VMware machine:
This VM has two web servers running. One Apache server on port 80 and one Tomcat server on port 8080. The following vulnerable web applications are running on the VM (listed in no particular order).
Intentionally Vulnerable Applications:
- OWASP WebGoat version 5.3-SNAPSHOT (Java, use username=guest, password=guest, home page)
- OWASP Vicnum (Perl, home page)
- Mutillidae version 1.3 (PHP, home page)
- Damn Vulnerable Web Application version 1.06 (PHP, use username=admin, password=password, home page)
- OWASP CSRFGuard Test Application version 2.2 (Java, home page)
- Mandiant Struts Forms (Java/Struts)
- Simple ASP.NET Forms (ASP.NET/C#)
- Simple Form with DOM Cross Site Scripting (HTML/JavaScript)
Old Versions of Real Applications:
- WordPress version 2.0.0 (PHP, released December 31, 2005, home page)
- phpBB version 2.0.0 (PHP, released April 4, 2002, home page)
- Yazd version 1.0 (Java, released February 20, 2002, home page)
You can find out all about this wonderful project on the owaspbwa Google Code page. Thanks to all who developed it!