Imperva has announced Incapsula. The cloud-based, web application firewall service gives small businesses an easy and affordable way to manage website security and performance for any domain that they own, even if it's hosted by a third party. For hosting and other service providers, Incapsula enables website security to be extended to an entire customer base.  Imperva will resell this service to complement Incapsula’s own sales efforts.

Marc Gaffan, Incapsula's Vice President of Marketing and Business Development, has written a blog post detailing the need for a WAF service. The post is featured below.

The Ford Model T of Web Application Security

Consider these not-so hypothetical scenarios:

• I write a non controversial cooking blog with 5000 monthly readers - Why would anyone hack my website?
• I am a small online merchant who doesn't even store credit card data - Why would anyone hack my website?
• It’s not connected to any backend systems with access to sensitive data - Why would anyone hack my company’s website? 

Plenty of small businesses experience hacking.  The reason is simple: it’s easy, practically free and the chances of getting caught are slim to none.

These days, regardless of your size, purpose or nature, if humans can find your website - so will the hackers. With the cost of launching an automated attack on thousands of sites being negligible and the chances of getting caught so slim – even the smallest benefit, makes it a viable proposition.

For hackers, the benefits of attacking SMB websites include:

• Distribution of malware by infecting an innocent website.
• Gaining information that can be used to launch even better attacks (like a simple email address list). Inserting links to your site to improve their search rankings.
• Have bots click on ads to drain a competitor’s marketing budget. 

These are the reasons why we founded Incapsula - Incapsula was spun out of and is backed by Imperva to help websites of any size adopt enterprise grade application security or as someone elegantly put it “Be the Ford Model T of Web Application Security”.  

Why a Model T?  According to Wikipedia, “The Ford Model T is generally regarded as the first affordable automobile, the car that opened travel to the common middle-class American”.

Back in July, when our first Alpha users started adding their sites to the service, we saw it happen for the first time: A real Distributed SQL Injection Attack on a small and innocent website. That’s when we got our first customer thank you and knew we were on to something. 


 
Three bots, come out of nowhere and within two minutes, executed a series of SQL Injection attacks.

Incapsula is a new cloud-based service that makes websites safer, faster and more reliable. Adding a website to Incapsula is a simple five-minute process that does not require installation of hardware or software, just a simple DNS change. The service offers an enterprise-grade, web application firewall to safeguard sites from the latest threats, a network of globally distributed servers to speed-up the delivery of the site across the globe and an array of performance monitoring and analytics tools to provide website owners with the best insight on how to improve the delivery of the site. Try it out at http://www.incapsula.com/.

Next post in Imperva's Cloud Security blog series: Meet the New Boss, Sort of the Same as the Old Boss

Few more days and the year 2009 will be behind us. The technology fans are now into movies due to James Cameron's recent masterpiece. As geeks and movie fans (including yours truly) are raving The Avatar, comparing it to no less than "The Jazz Singer" or an iPhone ("Avatar is like the iPhone of movies"), the Imperva blog team thought  that it would be useful to rank and measure the movies that were presented on the Imperva Channel. 

Let's see what will be changed in 2010....

I came across an Oracle eBusiness video demonstrating a full step-by-step reproduction of an attack leading to a remote take over of the administrative interfaces of the Oracle eBusiness system. The vulnerabilities were discovered during a penetration test performed by Hacktics' experts. 

See the notes and interesting video here. 

In my opinion, besides the vulnerabilities, there is a more interesting lesson that we can learn from the researchers comments. The team discovered that different releases of Oracle eBusiness Suite implemented some code-based security solutions to mitigate a certain XSS vulnerability. But Oracle have failed to prevent EVERY possible instance of this XSS vulnerability. I am sure that the developers felt that they were solving the root cause, but in fact they only made it worse since the naïve attacker indeed will not be able to use simple XSS script, but the more sophisticated attacker will still know how to launch a successful XSS attack.

My assumption here is that someone at the product development team at  Oracle discovered the XSS vulnerability (might be using a scanner or manual code review) and “fixed” the problem using “secure” programming, missing some of the other attack vectors, that SecureSphere could easily prevent.

See below from the advisory:

It is important to note that our testing has indicated that different versions have different mitigation levels of this vulnerability, requiring, in some situations, utilizing XSS evasion techniques to overcome certain input validation and sanitation mechanisms:

• For earlier versions, injecting a simple <SCRIPT> suffices:

<SCRIPT>alert(�XSS')<SCRIPT>

• Some versions limit the permitted characters, and thus require the tester to inset Java-script without utilizing tags, by injecting a script into the text box as follows:

");alert('XSS');//

• Later versions appear to also enforce server-side length restrictions on the vulnerable parameters. As a result, multiple separate injections are required to achieve script execution, such as:

");/*

*/alert/*

*/(/*

*/�XSS'/*

*/);//

Not so long ago, Brian Burke from IDC released the world Wide Web Security market analysis for 2008 including predictions and current vendor share. 

According to IDC, the IDC Web Security market includes URL filtering, Web antimalware, Web application firewall, and Web content filtering products. Web security products are deployed on software, appliance, and software-as-a-service (SaaS) platforms. Web security products protect against both inbound (malware) threats and outbound (data leakage) threats. 

I liked this report because it shows how Web Application firewalls (WAF) are related to the Web Security Market yet separated, establishing a stand-alone market. I also liked the risk approach to web security in the Web 2.0 era:

Organizations need to balance the business value of Web 2.0 technologies with the risks and security implications of many nonsecure and uncontrolled Web 2.0 environments The advances in Web 2.0 technologies require a new generation of Web security tools that go well beyond traditional URL filtering.

According to IDC 2008 market share analysis, Imperva is listed high among the large behemoth vendors. Imperva was ranked 3^rd in market share for web application security appliances, second only to McAfee and Blue Coat. Imperva is the largest WAF vendor with most market share (software or appliances) and our WAF market share is actually bigger than the combined share of our competitors. 

Another day: YAPES (Yet Another Painful SQL Injection). This time the victim is Symantec Corporation as discovered by Unu earlier today in his blog. 

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

Protecting online applications and data against sophisticated application-level attacks like SQL Injection and Cross-site Scripting should be everyone's concern. Unu shows (again) how simple it is.

ICSA labs released the Product Assurance Report white paper (pdf) earlier this week and sparked a wave of blog posts and comments about the quality of security products.... I believe that ICSA's goal was to highlight the importance of vendor natural certification and create more awareness but IMO they should have explained how the certification process works and the fact that certified products meet every single requirement of the specification. 

I was traveling a lot lately meeting many customers, presenting at 3 4 different events and hosting our quarterly customer advisory board meeting. After talking with dozens of peers, customers and other security industry leaders I came to a conclusion that the landscape is changing. The marketing folks would use the term “paradigm shift”. Yes, ladies and gentleman, we are moving from a compliance-drive world into security.

Years ago, Rich Mogull (still at Gartner) explained to me why organizations in the US buy security. According to his theory (which I verified many times since then) US organizations buy security to

1. Comply with some regulation,
2. Address a security event (in their organization or in a similar institute) Or
3. ...because it is the right thing to do.

If you analyze the reasons, you’ll find that the vast majority tries to comply with different mandates, then they act to fix a problem and only a small part are “doing the right thing” and initiating projects.  Well, it looks like this is changing. More and more organizations are focusing at doing the right things. Even if they are using the compliance budget as the line item.

From a security stand point this is very encouraging.  Goldman Sachs Independent Insight on Technology (Software Security Spending Survey):

“Total security spend grew 12% in 2008, according to IDC, and we expect growth to normalize in 2010-2011 at around 5% after a flat year in 2009.”

 In my opinion the growth will be directed at vendors that will be able to demonstrate how they are helping to “do the right thing” in security. 

My first grade daughter likes to read bedtime stories. The sky is falling is one of them. There must be something in those rhymes... If you are not familiar with the story, here's a short version: The chicken believes the sky is falling down because an acorn falls on her head. She decides to tell the King, and on her journey meets other animals who join her in the quest. In most retellings, the animals all have rhyming names such as Henny Penny, Cocky Lockey and Goosey Loosey. Finally, they come across Foxy Loxy, a fox who offers the chicken and her friends his help. Here, the plot gets a twist and there are many endings... 

Following a question from a prospect, I thought that it would be useful to provide some insight into  our approach for audit and compliance.