Zero in a bit

Syndicate content
Application Security News, Research and Trends
Updated: 35 min 46 sec ago

VerAfied Feature – Security: the ugly secret at the heart of #eventtech?

Fri, 2014/07/25 - 17:42
This blog post was originally published by GenieConnect at GenieConnect joined the ranks of our VerAfied secure software directory in June of this year using our static binary analysis service. We’re excited to see and supportive of GenieConnect’s decision to make the security of their software and users, a priority. If you’re short of something to do today, try putting mobile security into Google News – you’ll get over 6 million hits. It’s not difficult to see why: in an age of BYOD, the proliferation of tablets and the ever increasing sophistication of smartphones, information is going mobile – and the implications of this are scaring the hell out of people. Industry analyst Gartner claimed that 75 percent of mobile security breaches will result from mobile application misconfiguration. Even the largest app vendors are not immune –Spotify recently required users to update to a new, more secure version of its Android app. Now, how many results would you find if you put ‘event tech’ mobile security into Google news? Well, given the importance of the data stored in native event apps (corporate plans and the personal records of thousands of attendees, for instance) and the debate around the securing of mobile devices, there should be millions, right? Wrong. There’s only seven – and three of them relate to our recent announcement that we were the first #eventtech vendor to achieve the VerAfied security mark. It’s curious, isn’t it? Is there an industry omertà – a code of silence – around this issue? I’m beginning to think so. Earlier this year, TechWeekEurope reported that a mobile app (ironically for the RSA security conference) had “leaked data on thousands of users”. Now, in a hugely competitive industry where companies fight tooth and nail for the slightest competitive advantage, I was expecting a deluge of coverage over this issue as rivals crawled over each other to exploit this flaw. But there was nothing. With hindsight, I think there was an industry-wide sigh of relief, a sense that, “there but for the grace of God go I”; and, thankful that the hackers had chosen to go elsewhere, most event tech vendors put their heads back into the sand. Well, GenieConnect chose not to do this. We knew that achieving VerAfied status would tell the market that we took security seriously. So we submitted our entire platform to the VerAfied testing regime. As our CEO Giles Welch said, “By enlisting the services of Veracode, the world’s most powerful application security platform, we can reassure clients that that our software complies with the highest security standards.” Particularly over the past few months, we’ve seen an increased focus on the security aspects of our solution. In fact, we’ve recently won some major contracts following a global procurement process in which security was a paramount consideration. This issue is clearly not going to go away and, at GenieConnect, we believe that security certification will become the new normal for event tech. So, isn’t it time that we as an industry take our heads out of the sand and embrace this as an opportunity
rather than resisting it as a threat? To find out more about securing your #eventtech solution, download our Best Practice guide.
Categories: Security Posts

Just Another Web Application Breach

Fri, 2014/07/25 - 15:38
Does this resemble your application security program’s coverage? We can help. Another day another web application breach hits the news. This time ITWorld reports Hackers steal user data from the European Central Bank website, ask for money. I can’t say that I’m surprised. Although vulnerabilities (SQL Injection, cross-site-scripting, etc.) are easy for attackers to detect and exploit, they are still very common across many web applications. The survey that we just completed with IDG highlights the problem – 83% of respondents said it was critical or very important to close their gaps in assessing web applications for security issues. However, a typical enterprise:
  • has 804 internally developed web applications
  • plans to develop another 119 web applications with internal development teams over the next 12 months
  • tests only 38% of those web applications for security vulnerabilities
And these numbers don’t include all the web applications that are sourced to third-party software vendors or outsourced development shops. The assessment methodologies for finding web application vulnerabilities aren’t a mystery – we all know about static and dynamic testing. It’s the scale at which web applications must be found, assessed for vulnerabilities and then remediated that makes this difficult for large enterprises. Think about it, 119 applications over the next 365 days means a new web application is deployed on an enterprise web property every 3 days. Is it any wonder that web application breaches keep happening? Learn more about Veracode’s cloud-based service:
Categories: Security Posts

For Java: I Patch, Therefore I Am?

Thu, 2014/07/24 - 19:18
Oracle’s Java platform is so troubled the question is whether to patch it, or kill it off. Oracle Inc. released its latest Critical Patch Update (CPU) on Tuesday of last week, with fixes for 113 vulnerabilities spread across its product portfolio, including 29 for Oracle’s Fusion Middleware, and 20 for the troubled Java platform. The release has prompted a chorus of entreaties to “patch now,” including those from the SANS Internet Storm Center, U.S. CERT and Brian Krebs. A surprising number of them, however, also held out the possibility of not patching Java and, instead, just not using it. This isn’t loose talk. It wasn’t that long ago that the headlines were all about new, critical security holes discovered in Java. Exploits for those vulnerabilities were used in online ‘drive by download’ and ‘watering hole’ attacks aimed at high value targets, including employees at companies like Facebook, Apple and Microsoft. The advice back then was to simply turn Java off – and leave it off – when you browse the web. “Oracle/Java is probably by now one of the most successful charities in the world,” - Daniel Wesemann The furor over Java’s vulnerability subsided – even if the attacks and patches didn’t. Eight of 20 vulnerabilities fixed by Oracle in Java were rated 9.0 or higher on a severity scale of 1-10. One of them, CVE-2014-4227, rated a perfect “10.” All the reported vulnerabilities would allow a remote attacker to exploit the vulnerability without first authenticating (signing in) to the vulnerable system. The difficulty with Java is that it is a technology that is integrated into so many devices and applications – web based and otherwise. Oracle boasts that Java runs on 97% of enterprise desktops and 3 billion mobile phones, as well as countless embedded devices, from “smart” TVs to Blu-ray Disc players. That makes any exploitable vulnerability in Java worth its weight in gold for cyber criminals or nation-state backed hackers. A Java exploit is the key that will unlock just about every door on the Internet. The cost – to society – is large. “Oracle/Java is probably by now one of the most successful charities in the world,” wrote Daniel Wesemann on the SANS Internet Storm Center blog. “It continues to do an outstanding job at enabling significant wealth transfer to support poor cyber criminals and their families.” Java’s time may have come and gone. More than a few of the security experts calling attention to the latest CPU are asking out loud whether it isn’t time to ditch Java altogether. “Patch It or Pitch It” was Mr. Krebs headline – which aptly summed up the feelings of many security experts. Like the owners of an old junker, Java users may look at this latest CPU and ask themselves “is it really worth the trouble to patch?” Widely adopted programs tend to make for more lucrative mines. Where does the blame lie? The truth is that technologies that are widely adopted and deployed almost always attract the attention of cyber criminals. Active X was a popular back in the ‘dotcom’ era. It also became a favorite target of cyber criminals. Over time, that pushed developers and software publishers away from the platform and to alternatives…like Java. Technologies like Java are so ubiquitous that it can be impossible for anyone – individual or a business – to know whether a given product uses a vulnerable component until its too late. But, as competitors like Microsoft have endeavored to make their software update and patching process transparent, Oracle has opted to keep its security process extremely opaque. The company’s monthly CPU releases are massive and stretch across scores of disparate products and platforms. Some vulnerabilities affect multiple products, making it hard to know what’s going on. Researchers who dig for details often come away scratching their head. For the latest patch, Ross Barrett, a security engineer at the firm Rapid7 points out that the top two patches for Oracle Database 12 fix an issue that Oracle patched in an earlier version of the same product a year ago. That would suggest that Oracle either failed to appreciate the reach of the vulnerability last year or knew about it and chose to leave Oracle 12 customers unprotected. Either is troubling. In response, Oracle management – including Chief Security Officer Mary Ann Davidson, are often combative rather than conciliatory. Ms. Davidson recently penned a derisive blog post, “Those that can’t do audit” to cast doubt on the utility of code audits and suggest that large companies like Oracle shouldn’t have to bother with third party audits like the little guys. The message, on security: “trust us.” As the critical vulnerabilities in Java, MySQL and Oracle’s other products mount, however, trust is getting hard to come by.
Categories: Security Posts