Tuesday, 17 February 2009
Security in times of the crisis
In times of a world-wide crisis, people reconsider their IT investments. What's a must-have? What can be postponed? What can be dropped? From a security perspective, our answer is that security continues to be a must-have. Damage occurs whenever people neglect security, and criminal activity does not decline in a recession. On the contrary, your competitors take a hard line on your assets, and industrial espionage is a bigger threat than ever. Even insiders will try to take whatever they can in order to improve their position in the market. Therefore, we recommend: investing in security is a must-have, especially in times of a crisis.
Friday, 6 February 2009
IBM Also States: Custom Developed Applications Pose Great Risk
IBM has published its yearly X-Force report. The study confirms something we see regularly in our security projects: security defects in custom applications are not on the radar and represent a great risk for companies.
"[...] Again, this figure does not take into account custom developed Web applications that may not have had any vulnerability testing and may never see a public vulnerability disclosure to notify the developer of a Web site about vulnerability issues and potential exploitation."
Virtual Forge recommends reading the entire report.
Of course, we also recommend testing custom developed applications regularly and systematically.
Monday, 2 February 2009
Testing for Security Vulnerabilities - What are the Standards?
In our projects we are often asked for standard lists of vulnerabilities. The rationale behind this question is to ensure that security tests follow industry best practice; if they don't, liability discussions might follow.
For quite some time there have been top lists of vulnerabilities that must be avoided in applications. Some focus only on Web applications (OWASP Top 10) and others are industry-specific (e.g. the Payment Card Industry (PCI) security standard or FDA Part 11). The "Top 25 Most Dangerous Programming Errors" compiled by CWE/SANS is one of the most comprehensive lists today. Review such lists carefully and ensure that well-known issues are addressed in your development projects. You should also ensure that your security tester of choice is aware of such benchmarks.
A final thought: focusing solely on these lists is not sufficient. It is important to extend such a list for dedicated environments like SAP applications. They have some very special properties and specific security demands that are not addressed by generic top lists of vulnerabilities.
Thursday, 8 January 2009
SAP GUI Vulnerable?
Every once in a while we see public alerts about insecure SAP software. A recent example is a security alert that describes a vulnerability in SAP GUI. We would like to point out that SAP provides a dedicated list of recent security notes. We recommend monitoring this list carefully and implementing appropriate countermeasures in a timely manner.