211 posts categorized "Brian Contos"
April 26, 2010
 Dr. Larry Ponemon Talks about the Latest Application Security Survey
On this episode of the Imperva Security Podcast, Dr. Larry Ponemon of the Ponemon Institute is interviewed regarding his latest application security survey.

Dr. Ponemon discusses why this survey is so timely given the state of application security. He goes on to discuss some of the statistical findings as well as his interpretation of the results. Finally, he outlines what companies that are getting application security done correctly are doing in contrast to those that are missing the mark.

Dr. Larry Ponemon is the Chairman and Founder of the Ponemon Institute, a research "think tank" dedicated to advancing privacy and data protection practices. Dr. Ponemon is considered a pioneer in privacy auditing and the Responsible Information Management or RIM framework. 

Dr. Ponemon consults with leading multinational organizations on global privacy management programs. Dr. Ponemon was appointed to the Advisory Committee for Online Access & Security for the United States Federal Trade Commission. He was appointed by the White House to the Data Privacy and Integrity Advisory Committee for the Department of Homeland Security. Dr. Ponemon was also appointed to two California State task forces on privacy and data security laws.

Dr. Ponemon earned his Ph.D. at Union College in Schenectady, New York. He has a Master's degree from Harvard University, Cambridge, Massachusetts, and attended the doctoral program in system sciences at Carnegie Mellon University, Pittsburgh, Pennsylvania. Dr. Ponemon earned his Bachelor's with Highest Distinction from the University of Arizona, Tucson, Arizona.



 

 Jeremiah Grossman Talks about Application Security Survey
On this episode of the Imperva Security Podcast, Jeremiah Grossman of WhiteHat Security is interviewed regarding the latest application security survey conducted by the Ponemon Institute.

Jeremiah gives his perspectives on the survey results and details the why and how of the survey's findings: good, bad, and ugly.

Jeremiah Grossman is the founder and CTO of WhiteHat Security. He is considered a world-renowned expert in Web security, is a co-founder of the Web Application Security Consortium, and was named to InfoWorld's Top 25 CTOs for 2007. Grossman is a frequent speaker at industry events and universities around the globe. He has authored dozens of articles and white papers, is credited with the discovery of many cutting-edge attack and defensive techniques, and is a co-author of XSS Attacks. Grossman is often quoted in the business and technical press. Prior to WhiteHat, Grossman was an information security officer at Yahoo!



 

April 12, 2010
 Attack Vectors Exposed - Know Your Enemy & The Tools They Use

Register here

WEBINAR TOPIC: Staring at the Beast: 6 Months of Attack Vector Research


FEATURED SPEAKERS: Amichai Shulman, chief technology officer, Imperva

DATE & TIME: Wednesday, April 21, 2010 | 11:00 AM (PDT) / 2:00 PM (EDT)


Battles are won by understanding the enemy. Learning the language of today’s cyber community is an important piece to eliminating uncertainties and developing defenses based on real data. According to Sun Tzu, in The Art of War, “If you know the enemy and know yourself, you need not fear the results of a hundred battles.”


How do you get to know your enemy? Immerse yourself in the hacking community.

Imperva's own research organization, the Application Defense Center (ADC), spent the past six months immersing themselves in the cyber hacking world to get to know the unique culture and language of the industrialized attacker. Join Imperva Chief Technology Officer, Amichai Shulman, as he explores the findings of this fascinating study. The session will include:

  • An examination of the tools and techniques ADC employed to immerse themselves in the hacking community and collect data first-hand
  • An analysis of discovered hacking activity and modern attack vectors
  • A look into future ADC data collection measures and analysis capabilities
  • Recommendations as to what enterprises can do to protect their data, based on ADC’s observations


 

 Asia and Data Security - A Podcast Interview
On this episode of the Imperva Security Podcast, Terry Ray, Senior Director for Americas and Asia Pacific Technical Services for Imperva, is interviewed.

Terry is a frequent visitor to many parts of Asia. Over the years he has developed a relationship with customers and partners in Asia, giving him a sense for the state of data security, general security trends, and reactions to current security events from an Asian-centric perspective that he can contrast with a North America-centric view. Terry discusses how different regions approach application and database security, current events such as the recent Google attacks in China, and how the Asian community is applying countermeasures to protect their sensitive applications and databases.

Terry Ray is the Senior Director for Americas and Asia Pacific Technical Services for Imperva Inc., a provider of data security solutions. At Imperva, Terry manages teams of security engineers, and has designed and deployed data security solutions and performed data penetration testing for a wide range of healthcare, financial services, government and eCommerce organizations. Terry has been a frequent speaker for ISSA, OWASP, ISACA, IANS and others in the Americas and abroad.

Prior to joining Imperva, Terry worked in a variety of technical roles at Check Point Software Technologies Ltd., including security engineering and partner and end-user technical instruction. Terry has lectured on general network security topics and taught professional security-related product certifications in over 35 countries worldwide.

 

March 29, 2010
 Phishing for Census Information

Phishing scams abound. This isn't anything new; in fact, it's sort of old news. It seems that whenever some tragedy hits, an event of note occurs, or just a famous person gains some extra notice, phishers will gear up and attempt to exploit it.

Enter the U.S. Census. The Census must be an absolute dream for phishers looking to capture personal information. We are being told to divulge data directly by the U.S. government, and that request is being reinforced through radio and TV ads atop a sense of civic duty.

Just keep in mind:

  • The Census Bureau does NOT conduct the 2010 Census via the Internet
  • The Census Bureau does not send emails about participating in the 2010 Census
  • The Census Bureau never:
    • Asks for your full social security number
    • Asks for money or a donation
    • Sends requests on behalf of a political party
    • Requests PIN codes, passwords or similar access information for credit cards, banks or other financial accounts

Also - if you feel you are being scammed - tell them. Forward the email or web site URL to the Census Bureau at ITSO.Fraud.Reporting@census.gov.

The best advice: be skeptical. For more pragmatic steps on protecting yourself from phishing, do some Google searches; there is plenty of info. Here is one such resource.


 

March 23, 2010
 The Convergence of Spicy Food & Security - Turning the World's Hottest Chili into a Weapon

So this blog is usually about data security, and security related topics - "usually." However, I've been known on occasion to sneak in a video or two of spicy food challenges from around the globe. Up until now, the link between security and spicy food has been opaque. That has all just changed with the Indian military making a weapon out of the Ghost Chili (which I'm eating here).

"This is definitely going to be an effective nontoxic weapon because its pungent smell can choke terrorists and force them out of their hide-outs," R. B. Srivastava, the director of the Life Sciences Department at the New Delhi headquarters of the DRDO said.

I for one am in favor of any weapon that can double as a seasoning.


 

 Podcast Interview with Catho Online Brazil on Web Application Security

This interview is in Brazilian Portuguese; the transcripts are in English and Portuguese. 


Marcelo Roberto Ribeiro, CTO of Imperva WAF customer Catho Online in Brazil, discusses the importance of Web application security for one of the largest job-search websites in South America.

Catho Online is the largest job-search website in South America, and one of the top 15 in the world. It is the market leader in its segment. With the slogan "your success is our business", the company's main objective is to facilitate hiring processes, acting as a liaison between those looking for new challenges and hiring companies.

Marcelo Roberto Ribeiro has been the CTO at Catho Online since 2007. His goal is to turn Catho's network and security infrastructure into a high-availability, cutting-edge technology environment, meant to work like the major internet providers, focused on availability, performance, integrity, security and professionalism. 

Marcelo has over 25 years of experience in Information Technology, majored in Information Technology and Business Administration, and has experience working in different industries: Internet Service Provider, Telecom Operator, Pulp and Paper, Oil, and others. 

 

March 16, 2010
 Enterprise Data World San Francisco

On March 17th 2010 I'll be presenting at Enterprise Data World in San Francisco at 11:00 AM. This is an executive-level event with a 100% focus on leveraging data strategically.

Enterprise Data World is the business world’s most comprehensive vendor-neutral educational event about data and information management. This year’s program will be bigger than ever before, with more sessions, more case studies, and more can’t-miss content. Join us in San Francisco in March 2010 for 200 hours of in-depth tutorials, hands-on workshops, practical sessions and insightful keynotes to take you to the forefront of your industry.

You can check out the agenda here.

Hope to see you there.

 

March 05, 2010
 Adding Reputation to Your Web Application Security Strategy - Podcast

On this episode of the Imperva Security Podcast, Eldad Chai, Imperva Web Application Firewall Product Manager, is interviewed.

Eldad talks about adding reputation to an application security strategy, anti-automation, and adaptive response.

He goes into detail on Imperva's ThreatRadar solution: what it is, how it's used, and what customers can expect to gain from it. He covers specific threat examples such as automated attacks and business logic attacks and how they can be addressed beyond blocking and alerting with capabilities such as CAPTCHA, challenge-response, redirection and more.

Related information

Next Generation Web Application Firewalls

Industrialization of Hacking


 

 

March 04, 2010
 Tell Me Your IP and I’ll Tell You Who You Are

RSA San Francisco 2010

On Thursday, March 04 at 08:00 AM, Tal Be'ery (Imperva Web Research Team Leader) and I will be presenting the topic: Tell Me Your IP and I’ll Tell You Who You Are. The RSA ID is NMS-301 and it will be in Orange Room #306.

Abstract 

IP addresses are considered an unreliable method for attack detection. The session demonstrates how information derived from IP addresses can be used to improve attack detection capabilities. The presentation discusses attributes such as Geo Location, Anonymous Proxy lists, etc. The presentation is supported by corroborative evidence derived from actual log data and demonstrates some analysis tools.


 Stop by our booth at RSA