Few more days and the year 2009 will be behind us. The technology fans are now into movies due to James Cameron's recent masterpiece. As geeks and movie fans (including yours truly) are raving The Avatar, comparing it to no less than "The Jazz Singer" or an iPhone ("Avatar is like the iPhone of movies"), the Imperva blog team thought  that it would be useful to rank and measure the movies that were presented on the Imperva Channel. 

Let's see what will be changed in 2010....

I came across an Oracle eBusiness video demonstrating a full step-by-step reproduction of an attack leading to a remote take over of the administrative interfaces of the Oracle eBusiness system. The vulnerabilities were discovered during a penetration test performed by Hacktics' experts. 

See the notes and interesting video here. 

In my opinion, besides the vulnerabilities, there is a more interesting lesson that we can learn from the researchers comments. The team discovered that different releases of Oracle eBusiness Suite implemented some code-based security solutions to mitigate a certain XSS vulnerability. But Oracle have failed to prevent EVERY possible instance of this XSS vulnerability. I am sure that the developers felt that they were solving the root cause, but in fact they only made it worse since the naïve attacker indeed will not be able to use simple XSS script, but the more sophisticated attacker will still know how to launch a successful XSS attack.

My assumption here is that someone at the product development team at  Oracle discovered the XSS vulnerability (might be using a scanner or manual code review) and “fixed” the problem using “secure” programming, missing some of the other attack vectors, that SecureSphere could easily prevent.

See below from the advisory:

It is important to note that our testing has indicated that different versions have different mitigation levels of this vulnerability, requiring, in some situations, utilizing XSS evasion techniques to overcome certain input validation and sanitation mechanisms:

• For earlier versions, injecting a simple <SCRIPT> suffices:

<SCRIPT>alert(�XSS')<SCRIPT>

• Some versions limit the permitted characters, and thus require the tester to inset Java-script without utilizing tags, by injecting a script into the text box as follows:

");alert('XSS');//

• Later versions appear to also enforce server-side length restrictions on the vulnerable parameters. As a result, multiple separate injections are required to achieve script execution, such as:

");/*

*/alert/*

*/(/*

*/�XSS'/*

*/);//

Not so long ago, Brian Burke from IDC released the world Wide Web Security market analysis for 2008 including predictions and current vendor share. 

According to IDC, the IDC Web Security market includes URL filtering, Web antimalware, Web application firewall, and Web content filtering products. Web security products are deployed on software, appliance, and software-as-a-service (SaaS) platforms. Web security products protect against both inbound (malware) threats and outbound (data leakage) threats. 

I liked this report because it shows how Web Application firewalls (WAF) are related to the Web Security Market yet separated, establishing a stand-alone market. I also liked the risk approach to web security in the Web 2.0 era:

Organizations need to balance the business value of Web 2.0 technologies with the risks and security implications of many nonsecure and uncontrolled Web 2.0 environments The advances in Web 2.0 technologies require a new generation of Web security tools that go well beyond traditional URL filtering.

According to IDC 2008 market share analysis, Imperva is listed high among the large behemoth vendors. Imperva was ranked 3^rd in market share for web application security appliances, second only to McAfee and Blue Coat. Imperva is the largest WAF vendor with most market share (software or appliances) and our WAF market share is actually bigger than the combined share of our competitors. 

Another day: YAPES (Yet Another Painful SQL Injection). This time the victim is Symantec Corporation as discovered by Unu earlier today in his blog. 

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

Protecting online applications and data against sophisticated application-level attacks like SQL Injection and Cross-site Scripting should be everyone's concern. Unu shows (again) how simple it is.

ICSA labs released the Product Assurance Report white paper (pdf) earlier this week and sparked a wave of blog posts and comments about the quality of security products.... I believe that ICSA's goal was to highlight the importance of vendor natural certification and create more awareness but IMO they should have explained how the certification process works and the fact that certified products meet every single requirement of the specification. 

I was traveling a lot lately meeting many customers, presenting at 3 4 different events and hosting our quarterly customer advisory board meeting. After talking with dozens of peers, customers and other security industry leaders I came to a conclusion that the landscape is changing. The marketing folks would use the term “paradigm shift”. Yes, ladies and gentleman, we are moving from a compliance-drive world into security.

Years ago, Rich Mogull (still at Gartner) explained to me why organizations in the US buy security. According to his theory (which I verified many times since then) US organizations buy security to

1. Comply with some regulation,
2. Address a security event (in their organization or in a similar institute) Or
3. ...because it is the right thing to do.

If you analyze the reasons, you’ll find that the vast majority tries to comply with different mandates, then they act to fix a problem and only a small part are “doing the right thing” and initiating projects.  Well, it looks like this is changing. More and more organizations are focusing at doing the right things. Even if they are using the compliance budget as the line item.

From a security stand point this is very encouraging.  Goldman Sachs Independent Insight on Technology (Software Security Spending Survey):

“Total security spend grew 12% in 2008, according to IDC, and we expect growth to normalize in 2010-2011 at around 5% after a flat year in 2009.”

 In my opinion the growth will be directed at vendors that will be able to demonstrate how they are helping to “do the right thing” in security. 

My first grade daughter likes to read bedtime stories. The sky is falling is one of them. There must be something in those rhymes... If you are not familiar with the story, here's a short version: The chicken believes the sky is falling down because an acorn falls on her head. She decides to tell the King, and on her journey meets other animals who join her in the quest. In most retellings, the animals all have rhyming names such as Henny Penny, Cocky Lockey and Goosey Loosey. Finally, they come across Foxy Loxy, a fox who offers the chicken and her friends his help. Here, the plot gets a twist and there are many endings... 

Following a question from a prospect, I thought that it would be useful to provide some insight into  our approach for audit and compliance. 

It's that time of the year again. No, I am not writing about the best time in a quarter (which is approaching very fast). It's time for the annual PCI Security Standards Council community meeting. Two years ago the meeting took place in Toronto. Last year in Miami and now in Las Vegas. It is very encouraging to see how the community evolved into a large, influential group. The number of active members and other participants that are passionate about PCI and data protection in general is growing very nicely. As one can imagine, there is a direct correlation between the number of data breaches and compromised credit card records and the number of PCI professionals :-( 

Christopher Novak from Verizon Business provided the (black) color background when he presented the 2009 Data Breach Investigation Report (DBIR), a document that was discussed in detail in different places, including this blog, yet there are some points that should be highlighted as it seems that as PCI gains more momentum we need to continue to educate people about data security challenges:

1. Most breaches and nearly all records stolen are a result of “external sources” activity.
2. 90%+ of breached records attributed to organized crime activity. 
3. Of the 284 million records that were compromised last year, most damages from external sources

(It should be noted however that stats are a funny thing indeed. Conversations I've had with Brian Contos - Imperva's Chief Security Strategist - suggest that a greater number of breaches are actually internally sourced. And if you combine partners along with employees, contractors, etc as  the group considered "insiders" - as they all have elevated levels of trust and access, then the great majority of successful breaches occur from insiders - at least the ones we know about. Brian further suggests that these breaches are a combination of malicious, careless or negligent activity; they aren't all "bad guys."  Finally, Brian sites some stats from InfoSecurityAnalysis.com that show that in many cases - even when the number of attacks from outsiders might be higher, the number of records stolen, and the dollar amounts are much greater when the attack or mistake is from someone within. 

To quote Brian, "When it comes to insiders and outsiders the terms are losing meaning; it's about data security regardless of the source. If we agree that data is valuable and data mostly resides in databases, and we also agree that most users interact with that data via Web applications, then prudence dictates that safeguards be applied at the Web application and database layer."

Okay - so let's get back to Mr. Novack's findings.)