July 14, 2009
Video of Eldad Chai, Imperva talking at OWASP in Poland about Business Logic Attacks

Business Logic Attacks

Here is a link to Eldad's video.

Here is a link to the presentation in PDF.


 

July 13, 2009
SecureSphere Visio Stencil

SecureSphere Visio template image

One of the benefits of gathering together for training (beyond the obvious education) is the knowledge, utilities and tools that are being shared. 

One tool that is often requested by our partners and customers is a Microsoft Visio stencil for SecureSphere.

Enjoy!


 

Imperva Podcast - SQL Injection Attacks & Mitigation Techniques w/ Amichai Shulman

On this episode of the Imperva Security Podcast Amichai Shulman – CTO and Co-founder of Imperva – talks about SQL Injection. He discusses how these attacks are performed, why they are so pervasive, why signature detection doesn't work, and how to mitigate these attacks.

To see various SQL Injection Attacks in action, check out our educational video demonstrations on YouTube.

For more information on SQL Injection Attacks - visit the Imperva Glossary. 

 

July 09, 2009
Covering The Blind Spots: Auditing and Securing Oracle’s Encrypted Communication

Visibility needed

Almost 18 months ago I wrote this white paper and then forgot all about it until today, when I found out that it is actually used internally. It uses some marketing lingo, but nothing exceptional or unacceptable.

So, here it is, enjoy.


Full Visibility into Database Usage for Robust Data Governance
Meeting compliance mandates requires visibility and control over business applications and databases – including monitoring the actions of privileged database users. Imperva delivers comprehensive database auditing and visibility into database changes that help organizations ensure and demonstrate the integrity of applications and databases. This is a critical component of regulatory compliance not only for Sarbanes-Oxley, but also for similar legislation outside of the US such as “J-SOX” (Japan), “K-SOX” (Korea), and PIPEDA (Canada).

 

Imperva Podcast Transcript - Dr. Anton Chuvakin Talks PCI, VA & Security Trends

On this episode of the Imperva Security Podcast Dr. Anton Chuvakin shares his perspectives on PCI, vulnerability scanning, compliance, and general security trends.

  • The podcast can be found here.
  • The transcript can be found here.


Dr. Anton Chuvakin (http://www.chuvakin.org) is the Director of PCI Compliance Solutions at Qualys and is a recognized security expert and book author. He is an author of the book "Security Warrior" and a contributor to books such as "Know Your Enemy II", "Information Security Management Handbook", "Hacker's Challenge 3", "PCI Compliance", "OSSEC HIDS" and others. Anton also published numerous papers on a broad range of security subjects. In his spare time he blogs at http://www.securitywarrior.org. Anton has presented at many security conferences across the world; his recent speaking engagements include presenting in the United States, UK, Singapore, Spain, Canada, Poland, Czech Republic, Russia and other countries. Anton holds a Ph.D. degree from Stony Brook University.

 

July 08, 2009
Targeted Cyber Attacks Against U.S. Web Sites

Verisign iDefense reports that the web sites of The White House, the Department of Homeland Security, the Department of Defense and the Federal Aviation Administration, as well as The New York Stock Exchange, NASDAQ, and The Washington Post, were under attack for a few days. InformationWeek reports that the attack, which attempted to flood the web servers with initial connection requests, managed to temporarily take down some web sites.

So there's nothing new about one nation attacking another one. (Not to mention that N. Korea was always the bad guy and part of the axis of evil.) What's interesting about this story is that the attack does not use any of the known malware. According to the news reports, the malware used was likely developed for this specific attack. In military terms, the attacker is exposing secret technology that was developed for a command day. The attack is probably not known and therefore can't be stopped with a signature or a signature-based solution.

Hmm, time for some dynamic profiling?

 

Cenzic and Imperva Integrate VA and WAF

Using Cenzic's Cloud Computing Product you can forward reports to developers or even give them dashboard access to help address vulnerabilities found by Cenzic. However, there may be business, political, and/or technical reasons why a vulnerability cannot be addressed as soon as it is discovered. Until that vulnerability is fixed, the Imperva integration allows a seamless export of Cenzic data into the Imperva Web Application Firewall (WAF), which will immediately begin monitoring, alerting and/or blocking attacks aimed at exploiting those vulnerabilities.

Here are some screen shots of this process in action.

This is another great example of the unification of WAF & VA and helps to illustrate the evolution and maturity of the application and data security industry by bringing together solutions (WAF & VA) that were once seen as competitive rather than complementary.

 

July 07, 2009
Script Injection Demonstration Video from Imperva

This is a continuation of multiple educational video demonstrations related to Web application attacks. This video is focused on Script Injection and touches on session hijacking; it should be viewed as a prerequisite to the Cross-site Scripting (XSS) demonstration video which will drop soon.

 

July 01, 2009
This Ain't Your Grandfather's Blog

Starting next week Imperva will be featuring a new blog with lots of new capabilities that, a year ago, we simply didn't know we needed, didn't know we wanted, or didn't know were relevant. Our new blog will have greater integration with our Web 2.0 program and leverage services such as Twitter, Facebook, YouTube, iTunes and many others in a more streamlined and symbiotic format.

From an organizational perspective, this is an interesting time for those in marketing. What services should be used, how do you know if they are successful, how do they promote each other without becoming repetitive, and how does this tie into more traditional tasks like lead generation, press releases, product marketing, etc.?

Each of the Web 2.0 services mentioned above has its strengths, and it's clear - at least right now, that the blog still acts as the focus point, but with plenty of other interesting services out there, and the dynamic nature of 2.0, blogs of tomorrow may be as far from blogs of today, as blogs of today are from the "olden days" when people actually got their news with a 24-hour delay, printed on paper, and delivered by your neighbor's kids on a bicycle.

 

June 30, 2009
The Road To Data Intelligence

ClearPoint Metrics and Imperva announced today a collaborative effort to deliver strategic intelligence on organizations' data security and compliance initiatives. This partnership allows us to integrate SecureSphere Data Security Suite with ClearPoint Metrics' Security Performance Manager. This will create a new class of security performance and risk metrics that will provide visibility into the state, quality and effectiveness of data security investments for chief information security officers, auditors, as well as business managers concerned about security.

According to Rohit Gupta, "Imperva's mission is to help organizations secure critical data and achieve regulatory compliance for their Web and database applications. Combining the visibility and control of database activity provided by SecureSphere with ClearPoint's Security Performance Manager, customers get a powerful, global view of the state of their security infrastructure."

In the future we will release more information about this integration. Stay tuned.