190 posts categorized "Guest Bloggers"
December 06, 2010
 Imperva Launches Spin-out Incapsula, Cloud-Based WAF Service

Imperva has announced Incapsula. The cloud-based, web application firewall service gives small businesses an easy and affordable way to manage website security and performance for any domain that they own, even if it's hosted by a third party. For hosting and other service providers, Incapsula enables website security to be extended to an entire customer base.  Imperva will resell this service to complement Incapsula’s own sales efforts.

Marc Gaffan, Incapsula's Vice President of Marketing and Business Development, has written a blog post detailing the need for a WAF service. The post is featured below.

 

The Ford Model T of Web Application Security

Consider these not-so hypothetical scenarios:

  • I write a non-controversial cooking blog with 5,000 monthly readers - why would anyone hack my website?
  • I am a small online merchant who doesn't even store credit card data - why would anyone hack my website?
  • It’s not connected to any backend systems with access to sensitive data - why would anyone hack my company’s website?

Plenty of small businesses experience hacking.  The reason is simple: it’s easy, practically free and the chances of getting caught are slim to none.

These days, regardless of your size, purpose or nature, if humans can find your website, so will the hackers. With the cost of launching an automated attack on thousands of sites being negligible and the chances of getting caught so slim, even the smallest benefit makes it a viable proposition.

For hackers, the benefits of attacking SMB websites include:

  • Distributing malware by infecting an innocent website.
  • Gaining information that can be used to launch even better attacks (like a simple email address list).
  • Inserting links into your site to improve their own search rankings.
  • Having bots click on ads to drain a competitor’s marketing budget.

These are the reasons why we founded Incapsula - Incapsula was spun out of and is backed by Imperva to help websites of any size adopt enterprise grade application security or as someone elegantly put it “Be the Ford Model T of Web Application Security”.  

Why a Model T?  According to Wikipedia, “The Ford Model T is generally regarded as the first affordable automobile, the car that opened travel to the common middle-class American”.

Back in July, when our first Alpha users started adding their sites to the service, we saw it happen for the first time: A real Distributed SQL Injection Attack on a small and innocent website. That’s when we got our first customer thank you and knew we were on to something. 

[Incapsula screenshot] Three bots came out of nowhere and, within two minutes, executed a series of SQL injection attacks.

 

Incapsula is a new cloud-based service that makes websites safer, faster and more reliable. Adding a website to Incapsula is a simple five-minute process that does not require installation of hardware or software, just a simple DNS change. The service offers an enterprise-grade, web application firewall to safeguard sites from the latest threats, a network of globally distributed servers to speed-up the delivery of the site across the globe and an array of performance monitoring and analytics tools to provide website owners with the best insight on how to improve the delivery of the site. Try it out at http://www.incapsula.com/.

 

Next post in Imperva's Cloud Security blog series: Meet the New Boss, Sort of the Same as the Old Boss

 

December 21, 2009
 The Imperva Movie Hits

A few more days and the year 2009 will be behind us. Technology fans are now into movies thanks to James Cameron's recent masterpiece. As geeks and movie fans (including yours truly) are raving about Avatar, comparing it to no less than "The Jazz Singer" or an iPhone ("Avatar is like the iPhone of movies"), the Imperva blog team thought that it would be useful to rank and measure the movies that were presented on the Imperva Channel.


Since it was first launched in March 2009, The Imperva Channel has served 35 videos to more than 22,400 viewers.

By far, the most popular topic was SQL Injection. This is not surprising, since SQL injection is the #1 attack vector against web applications. At this time, 3,257 viewers have learned about SQL injection from this movie. Cross Site Scripting (XSS) came in second: 2,448 learned about the problem of Cross Site Scripting and how Imperva can help to mitigate the risk. The database hacking demo came in third with 2,191 views.


Let's see what changes in 2010...



 

December 16, 2009
 Oracle eBusiness Suite hacking and a Lesson about WAF vs. Secure Coding

I came across an Oracle eBusiness video demonstrating a full step-by-step reproduction of an attack leading to a remote takeover of the administrative interfaces of the Oracle eBusiness system. The vulnerabilities were discovered during a penetration test performed by Hacktics' experts.

See the notes and the interesting video here.

In my opinion, besides the vulnerabilities, there is a more interesting lesson that we can learn from the researchers' comments. The team discovered that different releases of Oracle eBusiness Suite implemented some code-based security solutions to mitigate a certain XSS vulnerability. But Oracle has failed to prevent EVERY possible instance of this XSS vulnerability. I am sure that the developers felt that they were solving the root cause, but in fact they only made it worse: a naive attacker will indeed not be able to use a simple XSS script, but the more sophisticated attacker will still know how to launch a successful XSS attack.


My assumption here is that someone on the product development team at Oracle discovered the XSS vulnerability (perhaps using a scanner or a manual code review) and “fixed” the problem using “secure” programming, missing some of the other attack vectors that SecureSphere could easily prevent.


See below from the advisory:

It is important to note that our testing has indicated that different versions have different mitigation levels of this vulnerability, requiring, in some situations, utilizing XSS evasion techniques to overcome certain input validation and sanitation mechanisms:

  • For earlier versions, injecting a simple <SCRIPT> suffices:

<SCRIPT>alert('XSS')<SCRIPT>

  • Some versions limit the permitted characters, and thus require the tester to insert JavaScript without utilizing tags, by injecting a script into the text box as follows:

");alert('XSS');//

  • Later versions appear to also enforce server-side length restrictions on the vulnerable parameters. As a result, multiple separate injections are required to achieve script execution, such as:

");/*

*/alert/*

*/(/*

*/'XSS'/*

*/);//
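The lesson of the post, as an added example that is not from the post or the Hacktics advisory: a page that reflects request parameters into an inline script call, with two candidate "fixes" compared side by side. `display()`, the page template and the one-parameter-per-call layout are hypothetical stand-ins; the three inputs are modeled on the payload forms quoted in the advisory. Stripping tags (the kind of blocklist fix the post criticises) stops only the first form, while encoding the value for the JavaScript-string context it lands in neutralizes all three.

```javascript
// Added example (not from the post or the Hacktics advisory). Models a page that echoes
// request parameters into an inline script and compares a blocklist "fix" with a
// context-aware encoder. display(), the template and the parameter layout are hypothetical.

const TAG_PAYLOAD = "<SCRIPT>alert('XSS')</SCRIPT>";     // plain tag injection
const STRING_BREAKOUT = "\");alert('XSS');//";           // tag-less: ends the string literal
// One fragment per length-limited parameter; /* */ comments stitch them back together.
const SPLIT_PAYLOAD = ["\");/*", "*/alert/*", "*/(/*", "*/'XSS'/*", "*/);//"];

// Blocklist "fix": removes <script> tags and nothing else.
function stripScriptTags(value) {
  return value.replace(/<\/?script[^>]*>/gi, "");
}

// Context-aware fix: every character outside [A-Za-z0-9 ] becomes a \uXXXX escape, so
// the value can never terminate the string literal, open a comment, or form a tag.
function encodeForJsString(value) {
  return value.replace(/[^A-Za-z0-9 ]/g,
    c => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Hypothetical template: each parameter is echoed into its own display("...") call.
function renderScript(values, encode) {
  return values.map(v => `display("${encode(v)}");`).join("\n");
}

// Execute the rendered script with stub display()/alert() that record their arguments.
function runScript(script) {
  const calls = { display: [], alert: [], error: null };
  try {
    new Function("display", "alert", script)(
      v => calls.display.push(v), v => calls.alert.push(v));
  } catch (e) {
    calls.error = e.constructor.name;   // e.g. SyntaxError: the injection broke the page
  }
  return calls;
}

// True when a reflected value reaches alert(), i.e. script execution was achieved.
function scriptExecutes(values, encode) {
  return runScript(renderScript(values, encode)).alert.length > 0;
}

function main() {
  for (const [name, encode] of [["stripScriptTags", stripScriptTags],
                                ["encodeForJsString", encodeForJsString]]) {
    console.log(name,
      "tag:", scriptExecutes([TAG_PAYLOAD], encode),
      "breakout:", scriptExecutes([STRING_BREAKOUT], encode),
      "split:", scriptExecutes(SPLIT_PAYLOAD, encode));
  }
}
main();
```

Note that the blocklist also mangles legitimate data (a user who literally types a tag loses it), whereas the encoder hands `display()` the exact input, which is why context-aware output encoding is the fix the advisory's later versions were still missing.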

 

 

December 15, 2009
 Market Share Information from IDC

Not so long ago, Brian Burke from IDC released the Worldwide Web Security market analysis for 2008, including predictions and current vendor share.

According to IDC, the IDC Web Security market includes URL filtering, Web antimalware, Web application firewall, and Web content filtering products. Web security products are deployed on software, appliance, and software-as-a-service (SaaS) platforms. Web security products protect against both inbound (malware) threats and outbound (data leakage) threats. 

I liked this report because it shows how Web Application firewalls (WAF) are related to the Web Security Market yet separated, establishing a stand-alone market. I also liked the risk approach to web security in the Web 2.0 era:

Organizations need to balance the business value of Web 2.0 technologies with the risks and security implications of many nonsecure and uncontrolled Web 2.0 environments. The advances in Web 2.0 technologies require a new generation of Web security tools that go well beyond traditional URL filtering.

According to IDC's 2008 market share analysis, Imperva ranks high among the large behemoth vendors. Imperva was ranked 3rd in market share for web application security appliances, second only to McAfee and Blue Coat. Imperva is the largest WAF vendor by market share (software or appliances), and our WAF market share is actually bigger than the combined share of our competitors.

 

November 23, 2009
 YAPES...

Another day: YAPES (Yet Another Painful SQL Injection). This time the victim is Symantec Corporation, as discovered by Unu earlier today in his blog.

If you are unfamiliar with Unu, Risky Biz provided some commentary pointers.  

Most recently Unu made waves by claiming to have hacked BarackObama.com, a claim disputed by the Democratic National Committee's national press secretary Hari Sevugan.


Looking through the screenshots, Unu's findings look authentic to me. Whether you think that the Northwind database is important to Symantec or was just left over from a default database installation, Unu's findings prove again that SQL injection can hit everyone, everywhere, at any time. Taking active measures should be a top priority.

More than ever, injection attacks in general, and SQL Injection in particular, are the most serious threat to web applications. It is now listed as the #1 threat on the OWASP Top 10 list (see OWASP Top 10 Application Security Risks – 2010 RC1 here):

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.

Protecting online applications and data against sophisticated application-level attacks like SQL Injection and Cross-site Scripting should be everyone's concern. Unu shows (again) how simple it is.

 

November 19, 2009
 Certification Matters

ICSA Labs released the Product Assurance Report white paper (pdf) earlier this week and sparked a wave of blog posts and comments about the quality of security products.... I believe that ICSA's goal was to highlight the importance of vendor-neutral certification and create more awareness, but IMO they should have explained how the certification process works and the fact that certified products meet every single requirement of the specification.


Take the following statement for example:  

The report findings suggest that some vendors and enterprise users consider logging a nuisance and merely a “box to check.”  According to the report, logging is a particular challenge for firewalls.  Almost every network firewall (97 percent) or Web application firewall (80 percent) tested experienced at least one logging problem.

Dozens of vendors have certified network and Web Application firewall products. In order to attain ICSA Labs Certified status, web application firewall products must pass a rigorous set of functional, performance and platform security requirements.  Candidate web application firewall products must completely satisfy the entire set of baseline requirements. Only products that passed all the tests are certified. 

The comprehensive list of specifications is created by a consortium of vendors and ICSA. From my experience working with ICSA (I am involved in the Web Application Firewall consortium that creates the WAF certification criteria, and previously I was involved in the Network Firewall consortium), the requirements set a very high standard. (Check the pdf yourself.)

In my opinion, this report proves that certified products have higher quality, and it also shows the importance of certified products for the enterprise.

Here's what ICSA advised enterprise companies before purchasing and using security products: 
  • Demand quality.  
  • Be suspicious of performance claims and numbers.  Vet them.  Question them.  Be an educated, cautious buyer. 
  • Choose more established products over new.  
  • Choose simplicity over complexity.
  • Use certified products!  
  • Prefer vendors that certify their products, and that participate in industry and ICSA Labs consortia and other standards bodies.  

 

November 02, 2009
 The State of Security: Doing The Right Thing

Do the right thing

I have been traveling a lot lately, meeting many customers, presenting at 3-4 different events and hosting our quarterly customer advisory board meeting. After talking with dozens of peers, customers and other security industry leaders, I came to the conclusion that the landscape is changing. The marketing folks would use the term “paradigm shift”. Yes, ladies and gentlemen, we are moving from a compliance-driven world into security.

Years ago, Rich Mogull (still at Gartner at the time) explained to me why organizations in the US buy security. According to his theory (which I have verified many times since then), US organizations buy security to:

  1. comply with some regulation,
  2. address a security event (in their organization or in a similar institution), or
  3. ...because it is the right thing to do.

 

If you analyze the reasons, you’ll find that the vast majority try to comply with different mandates, then they act to fix a problem, and only a small part are “doing the right thing” and initiating projects. Well, it looks like this is changing. More and more organizations are focusing on doing the right things, even if they are using the compliance budget as the line item.

From a security standpoint this is very encouraging. Goldman Sachs Independent Insight on Technology (Software Security Spending Survey):

“Total security spend grew 12% in 2008, according to IDC, and we expect growth to normalize in 2010-2011 at around 5% after a flat year in 2009.”

 In my opinion the growth will be directed at vendors that will be able to demonstrate how they are helping to “do the right thing” in security. 

 

October 26, 2009
 Web Security at CSI Annual Conference
I'm participating in a panel discussion today moderated by Judy Baltensperger, Wareonearth Communications Inc. and Rafal Los from HP Application Security Center. 

Morphing more business functions into Web 2.0 applications offers both irresistible business opportunities and undeniable security threats. Criminals are using the Web as an attack vector and crafting more sophisticated, exceptionally targeted attacks. Yet who needs to exploit vulnerabilities when there are plenty of malicious ways to use legitimate applications,  like social networking sites and microblogs. And what about the browser? A browser is in a position to both protect the local device from Web-borne threats and thwart attacks that take place solely within the Web—but are current browsers proactively shouldering their security responsibilities? Learn how to both secure your organization’s own Web site and protect your sensitive data from attacks launched from other vulnerable Web sites. Get to know the Web-based threats of today and tomorrow, and explore what next-generation security tools could live up to the promise of revolutionizing Internet security.   

If you are in the audience, come and say hello...

 

October 12, 2009
 The Cloud Is Falling? Not

My first-grade daughter likes to read bedtime stories. "The Sky Is Falling" is one of them. There must be something in those rhymes... If you are not familiar with the story, here's a short version: the chicken believes the sky is falling down because an acorn falls on her head. She decides to tell the King, and on her journey meets other animals who join her in the quest. In most retellings, the animals all have rhyming names such as Henny Penny, Cocky Lockey and Goosey Loosey. Finally, they come across Foxy Loxy, a fox who offers the chicken and her friends his help. Here, the plot takes a twist.

After this point, there are many endings. In the most famous one, Foxy Loxy eats the chicken's friends, but the last one, usually Cocky Lockey, survives long enough to warn the chicken and she escapes. Other endings include Foxy eating them all; the characters being saved by a squirrel or an owl and getting to speak to the King; the characters being saved by the King's hunting dogs; even one version in which the sky actually falls and kills Foxy Loxy.

Last week, the sky (or the cloud) did fall. T-Mobile and Microsoft had a disaster that resulted in many customers of an online backup service losing their data forever (ironic, I know...).


So now everyone (almost...) talks about the problems of cloud computing, why it should not be used and fingers are getting pointed.  

If you read this blog regularly, you know that I'm a great believer in risk management. Protecting assets and data without proper risk assessment will lead to catastrophe. Using an online backup service requires the same attention, and anyone who really cares about his data will use multiple backup methods (think "defense in depth"). Having said that, while this failure is indeed epic, it cannot and should not be used against "cloud computing as a whole". It happened; now let's move on and make sure that our data (no matter where it is located) is safe.

Going back to the story, depending on the version, the moral changes. In the "happy ending" version, the moral is not to be a "Chicken", but to have courage. In other versions the moral is usually interpreted to mean "do not believe everything you are told". In the latter case, it could well be a cautionary political tale: The Chicken jumps to a conclusion and whips the populace into mass hysteria, which the unscrupulous fox uses to manipulate them for his own benefit, sometimes as supper. 

Even my first-grade daughter gets that.

 

September 25, 2009
 SecureSphere's Approach to Audit & Compliance - Enter COBIT

Following a question from a prospect, I thought that it would be useful to provide some insight into our approach for audit and compliance.


"SecureSphere addresses different business requirements based on its ability to secure and monitor transactions from the end user through the Web application to the database. SecureSphere offers complete data security and visibility: SecureSphere can identify the unique application users that performed database queries—even in multi-tier environments. This Universal User Tracking capability provides user accountability to database audit trails and compliance reports".


Different compliance regulations require monitoring of users and/or privileged users and administrators: understanding how they behave, what they do, what kind of data they were accessing and what actually was reviewed.  

In order to address the many compliance requirements, SecureSphere uses the COBIT framework for reporting:

The Control Objectives for Information and related Technology (COBIT) is a set of best practices (framework) for information technology (IT) management created by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI) in 1996. COBIT provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control in a company. (source: Wikipedia)


Using a single, well-known industry standard as a framework provides multiple benefits:
  1. Organizations can easily integrate SecureSphere into their existing audit and compliance projects using consistent reporting.
  2. SecureSphere administrators can add additional reports based on business requirements (even though SecureSphere ships with a library of several hundred reports...).
  3. Adding out-of-the-box support for additional compliance mandates is straightforward.
And above all, ISACA does an excellent job of training, so ensuring that SecureSphere uses a well-defined and well-known framework is also essential for establishing it as a standard tool for data activity monitoring, data security and compliance.