Application-Security-News-Thumbnail

What’s HOT in Application Security Vol #2

Feb 28, 2012 By Administrator

Mobile banking threats

Millions of consumers are currently using mobile banking – which is expected to be the next major target for hackers. As banks are focusing resources in securing mobile applications, two important precautions developers must take into account include:

1) Supervising cross-channel fraud

2) Inspect possible risks services and platforms before they are launched

For more information please go to:

http://www.bankinfosecurity.com/interviews.php?interviewID=1379

SQL Injection is one of the top three causes of security breaches

SQL injection is well over a ten years old concept so, thankfully, our methods of dealing with it are relatively well adapted.

The main way to overcome SQL injection is to teach developers secure coding practices and to use a code analysis tool to search for the vulnerabilities in the development stage.

For more information please go to:
http://www.cso.com.au/article/416155/top_three_causes_security_breaches_part_2_2/#closeme

Identity of News of the world Hacker has been revealed
following court block lifting

The infamous News of the world hacker has been identified as former British Army Intelligence Officer Phillip Smith. For a three month period Mr Smith had complete access to all of the newspapers internal e-mails, social medias, hard drive- even the computer’s webcam.
Smith recently pled guilty to conspiracy to commit fraud by illegally obtaining private information not belonging to him and is expected to be handed down a very lengthy sentence.

For more information please go to:  http://www.theregister.co.uk/2012/02/21/notw_computer_hacker_named/

Web Application Security

It turns out that websites are being attacked 18 times an hour, hackers are attacking on an average of 38,000 attacks per hour and 10 attacks per second. According to the, Web Application Attack Report that was based on 40 different web application attacks, the most common forms of attacks are remote file inclusion (RFI), SQL injection (SQLi), local file inclusion (LFI), cross site scripting(XSS), directory traversal (DT) and business logic attacks.

For more information please go to:

http://www.techsecuritytoday.com/index.php/our-contributors/michael-vizard/entry/calculating-your-web-application-security-odds

 Juniper Networks > Mykonos

Juniper Networks recently purchased security firm Mykonos software for a suspected 80million dollars; the firm now wish to create a brand for themselves defending so called ‘zero-day attacks”. This kind of attack is responsible for one percent of cyber attacks but last year affected more than 700 large companies. Defending such attacks is done by sending an alert each time such vulnerabilities are detected.

For more information please go to:

http://www.v3.co.uk/v3-uk/news/2154617/juniper-snaffles-web-application-security-firm-mykonos-usd80m

Preventing software vulnerabilities

How can we prevent today’s most sophisticated software vulnerabilities? Most of today’s IT professionals will agree that securing the source code of the application and hardening the operation system is essential but not enough.

  • Application Whitelisting – limiting the influence or the application.
  • Eliminating admin rights on all general user accounts and higher functionality to all but a few admin accounts.
  • Implementing privileges to software, rather than users.

For more information please go to:

http://www.businesscomputingworld.co.uk/non-microsoft-software-is-responsible-for-growth-in-vulnerabilities/

Attempted hack on Vatican website reveals hacking group methods and proves need for greater web application security

The attack didn’t harm any data or any aspect of the website but demonstrated a clear patch which hackers are taking; the first of which is drumming up support using facebook, twitter etc to prove such a hack as justified. The second phase involved a number of hackers who used typical weak point assessment tools, searching for gaps in the security and then to launch actual attacks, like SQL injection- with the desire to extract data from the ‘victim’. When the attacks were unsuccessful, the hackers then attempted to drum up support from others to carry out a DDoS attack.

For more information please go to:

http://www.pcadvisor.co.uk/news/security/3340849/anatomy-of-anonymous-attack-laid-bare-by-imperva/

Web applications and the hackers- deception in cyber space?

Cyber warfare has been a very long standing threat- with its ‘soldiers’ employing deceptive tactics such as social engineering customer support employees to install Trojans or even give out customer information. If this sort of deceit can be used to attack web applications, can this deceit be used to protect it?
The web application is the most penetrable face of any organization and there are many reasons why they are so popular with hackers. The first being- the sheer number of them- with so many, one has a choice and in turn, more chance of penetrating the ‘victims’ application. Secondly- all the code is public! This is like giving a potential hacker the quickest pathway to extract vital information from an organization. The thirdly the web application is generally the most undefended one. Fourthly- the level of knowledge and hacking expertise required to extract information from web applications is pretty low. The fifth and final reason it is an easy weakness because web applications are static.

For more information please go to:
http://www.scmagazine.com/deception-and-the-art-of-cyber-security/article/229685/

Million dollar prize offered for anyone able to expose vulnerabilities google chrome

Google reckons they’ve set the bar on security and they’re so convinced of this they are willing to offer a $1,000,000 prize to anyone who can expose a security flaw. This is a nice marketing technique but internet mega giant google could afford to lose this many hundreds of times over without so much as a dimple to their piggy bank. Google originally offered a $20,000 prize to anyone able to expose their weaknesses but in February, raised the bar again on this offer.

For more information please go to: http://www.informationweek.com/news/security/vulnerabilities/232601668

The following two tabs change content below.

Administrator

Latest posts by Administrator (see all)

Stay Connected

Sign up today & never miss an update from the Checkmarx blog

Get a Checkmarx Free Demo Now

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.