The HP Security Laboratory Blog articles

Top 10 Web Application Vulnerabilities November 2011

markpainter — Thu, 01 Dec 2011 21:36:04 GMT

1) HP OpenView Network Node Manager Multiple Remote Code Execution Vulnerabilities

HP OpenView Network Node Manager is susceptible to multiple remote code execution vulnerabilities because of a lack of proper input validation on user-supplied data. Successful exploitation will give an attacker the means to execute arbitrary code with the privileges of the application user, possibly leading to a complete system compromise. Updates which resolve this vulnerability are available. Contact the vendor for further details.

http://www.securityfocus.com/bid/50471

2) Cisco Small Business SRP500 Series Appliances Web Interface Remote Command Injection Vulnerability

Cisco Small Business SRP500 Series Appliances are susceptible to a remote command injection vulnerability. If successfully exploited, an attacker will be able to issue commands in context of the root user, which may lead to a complete compromise of the appliance. Updates which resolve these issues are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/50495

3) SAP Netweaver Multiple Security Vulnerabilities

SAP Netweaver is susceptible to multiple security vulnerabilities including Cross-Site Request Forgery, Cross-Site Scripting, HTML Injection, Path Traversal, and Authentication Bypass. If exploited, these vulnerabilities could lead to the theft of confidential information and authentication credentials, execution of malicious scripts in the browsers of unsuspecting users, abuse of the trust a web application places in a user, or unintended access. Updates which resolve these issues are available. Contact the vendor for more details.

http://www.securityfocus.com/bid/50680

4) Ruby on Rails Translate Helper Method Cross-Site Scripting Vulnerability

Ruby on Rails is susceptible to a Cross-Site Scripting vulnerability. Cross-Site Scripting can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. Updates which resolve this issue are available. Contact the vendor for more information.

http://www.securityfocus.com/bid/50722

5) IBM Rational Asset Manager Cross-Site Scripting Vulnerability

IBM Rational Asset Manager is susceptible to a Cross-Site Scripting vulnerability. An attacker can leverage Cross-Site Scripting to execute script code in the browsers of unsuspecting users in context of the affected application, possibly leading to theft of authentication credentials and other attacks. Updates which resolve this issue are available. Contact the vendor for further details.

http://www.securityfocus.com/bid/50556

6) Oracle NoSQL 'log' Parameter Directory Traversal Vulnerability

Oracle NoSQL is susceptible to a Directory Traversal vulnerability. Successful exploitation would give an attacker the means to obtain arbitrary files in context of the web server process. Information gained through these methods would likely lead to more damaging attacks. As of this writing, a fix has not been released. Contact the vendor for additional information.

http://www.securityfocus.com/bid/50567

7) Apache Tomcat 'sort' and 'orderBy' Parameters Cross-Site Scripting Vulnerabilities

Apache Tomcat is susceptible to Cross-Site Scripting vulnerabilities. Arbitrary script code can be executed in context of the affected site in the browsers of unsuspecting users if this vulnerability is successfully exploited. Updates which resolve these issues are available. Contact the vendor for more details.

http://www.securityfocus.com/bid/45015

8) GE Proficy Historian Web Administrator Cross-Site Scripting Vulnerability

The Historian Web Administrator component for Proficy Historian is susceptible to a Cross-Site Scripting vulnerability. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. As of this writing, a fix has not been released. Contact the vendor for additional information.

http://www.securityfocus.com/bid/50473

9) Barracuda Link Balancer Multiple Cross-Site Scripting Vulnerabilities

Barracuda Link Balancer is susceptible to multiple instances of Cross-Site Scripting, which can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. Updates which resolve these issues are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/50554

10) Barracuda Message Archiver 'index.cgi' Multiple HTML-injection Vulnerabilities

Barracuda Message Archiver is susceptible to multiple HTML Injection vulnerabilities. HTML Injection is used to add content into a web server’s response, which can then be used to steal cookie-based authentication credentials, execute arbitrary code in context of the site, or simply alter how the site appears. Updates which resolve these issues are available. Contact the vendor for further details.

http://www.securityfocus.com/bid/50535

Top 10 Web Application Vulnerabilities October 2011

markpainter — Wed, 02 Nov 2011 15:39:29 GMT

1) Novell XTier Framework HTTP Header Remote Integer Overflow Vulnerability

Novell XTier is susceptible to a remote Integer Overflow vulnerability due to a failure of the application to sanitize user supplied input. Successful exploitation will give an attacker the means to execute arbitrary code in context of the vulnerable application, with failed attempts likely leading to Denial of Service condition. As of this writing, no fix has been released. Contact the vendor for further instruction.

http://www.securityfocus.com/bid/50363

2) Oracle Database SQL Injection Vulnerability

Oracle Database is susceptible to a SQL Injection Vulnerability. Successful exploitation could give an attacker the means to access or modify backend database contents, or in some circumstances be utilized to take control of the server hosting the database. Updates which resolve this vulnerability are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/50203

3) IBM WebSphere Application Server Cross-Site Request Forgery Vulnerability

IBM WebSPhere Application Server is susceptible to a Cross-Site Request Forgery vulnerability. Cross-Site Request Forgery relies on a browser to retrieve and execute an attack. It includes a link or script in a page that connects to a site that the user may have recently used. The script then conducts seemingly authorized yet malicious actions on the user’s behalf. Updates which resolve this vulnerability are available. Contact the vendor for further details.

http://www.securityfocus.com/bid/43875

4) Multiple Cisco Products Directory Traversal Vulnerability

Multiple Cisco products are susceptible to a Directory Traversal vulnerability. Successful exploitation would give an attacker the means to write arbitrary files outside the current application directory. Updates which resolve these issues are available. Contact the vendor for additional details.

http://www.securityfocus.com/bid/50372

5) Novell Identity Manager 'apwaDetail' Multiple Cross-Site Scripting Vulnerabilities

Novell Identity Manager is susceptible to multiple instances of Cross-Site Scripting. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Updates which resolve these issues are available. Contact the vendor for more information.

http://www.securityfocus.com/bid/49935

6) Cisco TelePresence Video Communication Server 'User-Agent' HTTP Header HTML Injection Vulnerability

Cisco TelePresence Video Communication Server is susceptible to an HTML Injection vulnerability. HTML Injection is used to add content into a web server’s response, which can then be used to steal cookie-based authentication credentials, execute arbitrary code in context of the site, or simply alter how the site appears. Updates which resolve this vulnerability are available. Contact the vendor for additional details.

http://www.securityfocus.com/bid/50084

7) Microsoft Forefront Unified Access Gateway Multiple Vulnerabilities

Microsoft Forefront Unified Access Gateway is susceptible to several vulnerabilities including Cross-Site Scripting and HTTP Response Splitting. Cross-Site Scripting can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. HTTP Response Splitting can be used to influence how web content is served and interpreted. Updates which resolve these issues are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/49979
http://www.securityfocus.com/bid/49974

8) IBM WebSphere ILOG Rule Team Server Unspecified Cross-Site Scripting Vulnerability

IBM WebSphere ILOG Rule Team Server is susceptible to a Cross-Site Scripting vulnerability. Arbitrary script code can be executed in context of the affected site in the browsers of unsuspecting users if this vulnerability is successfully exploited. Updates which resolve this vulnerability are available. Contact the vendor for more details.

http://www.securityfocus.com/bid/50368

9) Supermicro IPMI Web Interface Multiple Security Bypass Vulnerabilities

Supermicro is susceptible to multiple security bypass vulnerabilities that when exploited can give an attacker unintended application access and the ability to perform unauthorized actions. As of this writing a fix has not been released. Contact the vendor for further instruction.

http://www.securityfocus.com/bid/50097

10) Moodle Multiple Security Vulnerabilities

Moodle is susceptible to multiple remote vulnerabilities including SQL Injection, Cross-Site Request Forgery, Cross-Site Scripting, information disclosure, and other data manipulation vulnerabilities. If exploited, these vulnerabilities could lead to the theft of confidential information and authentication credentials, execution of malicious scripts in the browsers of unsuspecting users, or abuse of the trust a web application places in a user. Updates which resolve these vulnerabilities are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/50283

You don't know where that's been!

markpainter — Thu, 03 Nov 2011 21:48:12 GMT

Leaving work recently I saw something shiny in the bushes and quickly discovered that somebody had either lost or discarded a CD in there. My first thought, of course...wonder what's on it (iTunes ain't cheap). Ten years ago, I'm sure I would have found out. Luckily, I now work in the security industry, and know better (most of the time, anyway). Unfortunatly, a lot of people who should don't. I was reminded of the results from a penetration test the Department of Homeland Security conducted this past summer where they dropped thumb drives in the parking lots of various federal agencies. How many were plugged in? A not insubstantial 60%. When a corporate logo was included, that rate went up to a staggering 90%. Remember, these are federal employees who one would assume have somewhat regular cyber security training. If HP conducts it once a year, I have to think the government does something similar.

We've been talking a lot amongst ourselves about the RSA breach earlier this year and how it could have been prevented. There are a lot of products and services that HP offers that could have stopped the explotation in its tracks. Unfortunately, we don't yet offer one that can conquer curiousity. In this day and age, when one vulnerability is all it can take to comprimise a site, and when critical infrastructure and information suddenly are web-accessible when that was not the original design, stronger training mechanisms are needed to prevent social engineering attacks of this nature. Are we really that far off from seeing public service announcements about cyber security? Probably not. I think we're about to find out what the cyber equivalent of 'duck and cover' is.

Data Privacy: The United Kingdom Cares, for 500,000 Excellent Reasons

Adam_Hils — Wed, 26 Oct 2011 22:15:03 GMT

Who is watching the data privacy till?

For the United States, the answer is easy: No one, at least no one with any teeth.

Old Guy Rant

Speaking of toothless, I'll take me a few sentences to vent my wizened spleen.

There is no overarching US disclosure law, which is part of the problem. 46 states have laws. They vary widely in prescriptions directives. Massachusetts, whose data breach standards are high for the US, advises that organizations "shall provide notice, as soon as practicable and without unreasonable delay" when personal data is compromised. Louisiana, which appears much laxer, allows for delay if law enforcement is investigating: "If a law enforcement agency determines that the notification required under this Section would impede a criminal investigation, such notification may be delayed until such law enforcement agency determines that the notification will no longer compromise such investigation." Sigh.

Still, at from a data privacy perspective,it's much better to live in Louisiana than in Alabama, Kentucky, New Mexico, or South Dakota - which have no such regulation at all.

The bottom line is that, among developed nations, ONLY THE US AND TURKEY LACK NATIONAL DATA PRIVACY LAWS.

You kids get off my lawn.

Case Study: Me

Over the past several years, I have been informed by a bank, a university, and two credit card companies that my personal data had been endangered or exposed through organizational negligence of some sort. The disclosures - proffered grudgingly by US organizations - lagged the actual event by many months. In these disclosures, I received little contextual data to allow me to assess the seriousness of the exposure, so I was left with micro-monitoring my personal identity and financial accounts for significant periods.

Having been through several frustrating experiences with low value disclosures about potentially catastrophic breaches, I am hopelessly jaded about organizational practices around breach disclosures. I fully expected that - some day, soon - I would fall victim to a breach that compromised my identity, drained my checking account, or both.

On October 24th I received an email, the sort of email I've come to dread, entitled "Apologies from The Register". I subscribe to http://www.theregister.co.uk/security/ , as it's a good place to get cheekily-written security news. After determining it was not a phishing attempt, I read the communication, which follows:

--------------------------------------------------------

Hello,

This morning the name and email address you used to register for The Register was mistakenly sent to 3,521 individuals, also readers of The Register.

We've contacted them asking them to delete the email and respect your privacy.

We are of course terribly sorry for this error and have reported ourselves to the ICO. Our initial statement is here:

http://www.theregister.co.uk/2011/10/24/email_blunder/

You are free to edit or delete your account details here:

http://account.theregister.co.uk/register/

If you have any questions or would just like to rant at us please send emails to mailto:data@theregister.co.uk

Best Regards

The Register

--------------------------------------------------------------------------------------

After working through my "5 Stages of Grief" regarding the loss of my privacy, I realized that The Register should be lauded: I had never witnessed such a quick, appropriate response to a breach, self-instigated or not. This notification was unnaturally forthright, timely, and self-deprecating. The Register was voluntarily taking the fall.

There Must Be More to This Story....

So, of course, I was forced to investigate WHY they were being such good interweb citizens, even posting about it prominently in their own onsite newsfeed. What I found speaks to the efficacy of data privacy regulations with teeth.

Just 4 days before, on October 20th, the UK's Information Commissioner’s Office (ICO), had announced that is was going to enforce fines of up to 500,000 pounds against organizations that disclose inappropriate personal data. Apparently, the 2010 Lush incident, to which the breached UK cosmetics retailer responded brilliantly, provided a best. practices model for the ICO to regulate around.

The Register followed the Lush model closely in its breach disclosure. This is a wonderful thing. But its decision was inspired at least in part by the Co's strong regulatory presence, and its decision to attach consequences to shoddy security practices that expose private data.

Regulations with teeth encourage compliance. As a nation, the United States must grow a set.

How Much Responsibility Should Developers Have For Security?

danielmiessler — Thu, 20 Oct 2011 19:05:44 GMT

One debate that remains incandescent in the security world is the question of how much developers should be held accountable for security. Dinis Cruz did a presentation at OWASP recently on why security should be invisible to developers.

His basic argument is that security is for security people and building things is for people who build things. He says that security people should stop rubbing developers’ noses in their problems and make security transparent so developers don’t need to think about it.

This is mostly a horrible idea.

The easiest way to see this is to take the concept of “building” to any other domain. Quite simply, anyone who “builds” something needs to be responsible for its security. Whether it’s a skyscraper or an automobile, the excuse of “You didn’t give me secure stuff to build with so I made a death trap.” isn’t a strong defense.

It’s true that there are different types of people who “build” buildings. There are those who design them and then there are those who put drywall in and nail up plywood. Perhaps the argument is that people who do basic construction shouldn’t have to know how to build a structurally sound skyscraper.

I could grant that, but it doesn't mean that all builders are unaccountable. Someone on the team creating that structure has to confirm to the earthquake codes, the fire codes, etc. There is a person who's reputation is on the line if they erect a structure that has safety issues.

So, if we’re saying hammer and nails construction people are like entry-level developers who don’t need to know the ins and outs of security, then I ask you who the architect is. Remember that you can’t just send a bunch of hammer and nail guys in to build a skyscraper — you need an architect to lay out an approved plan.

That architect has his license and reputation at risk, and that’s the piece that we’re missing in software. Saying that "developers" don't need to understand security is just wrong. Coders need to be identified as one of two types: hammer and nails types, or design/architecture types. If they’re hammer and nails guys then they shouldn’t be allowed to code without the supervision and review of who is able to put her name on the line.

The one thing that’s completely out of the question is the notion of separating "building" from "security" altogether. It’s not true anywhere else, and it shouldn’t be true for software. You cannot claim to be a "good" developer if you create things you don't understand -- especially when those elements that are nebulous to you have security/safety implications.

If the earthquake certification engineers ask an architect how his building will withstand a 7.0 earthquake on the 19th floor, his answer better not be, "Yeah, I just deal with the stacking of the floors on top of each other -- not so much the making sure they don't fall down."

Security is now part of the process, and it will only become more so as time goes on. If Dinis's only argument was to say we as an industry should make it *easier* for developers to be good at understanding the security of their applications, then I agree wholeheartedly. But he didn't make that argument. Instead he essentially said that they shouldn't be troubled with the issue at all because they're doing the privileged work of building. He wants a clear distinction there, and that's where the mistake was made.

Building something is inexorably tied to securing it. This is true whether we're talking about castles, baby strollers, automobiles, or software applications. Developers don’t get a pass. Building things is hard precisely because there are so many considerations. If a developer doesn't understand how to build securely there's only one proper name for him: a junior developer. ::

Top 10 Web Application Vulnerabilities September 2011

markpainter — Mon, 03 Oct 2011 21:14:55 GMT

1) PHP 'is_a()' Function Remote File Include Vulnerability

PHP is susceptible to a Remote File Include vulnerability. An attacker can potentially leverage this vulnerability to compromise PHP applications that rely on the vulnerable function or the underlying system itself. Updates which resolve this vulnerability are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/49754

2) SAP WebAS Malicious SAP Shortcut Generation Remote Command Injection Vulnerability

SAP WebAS is susceptible to a Remote Command Injection vulnerability. An attacker can exploit this vulnerability to inject arbitrary commands into the application and control the generation of SAP shortcuts. As of this writing no vendor-supplied fixes have yet been made available. Contact the vendor for more details.

http://www.securityfocus.com/bid/49642

3) Novell GroupWise Internet Agent HTTP Interface Stack Buffer Overflow Vulnerability

Novell GroupWise Internet Agent is susceptible to a stack-based Buffer Overflow vulnerability due to a failure of the application to properly sanitize user-supplied data. An attacker can leverage this vulnerability to execute arbitrary code in the context of the application. Failed attempts will likely result in a Denial-of-Service condition. Updates which resolve this vulnerability are available. Contact the vendor for more details.

http://www.securityfocus.com/bid/49779

4) Adobe ColdFusion Multiple Cross-Site Scripting Vulnerabilities

Adobe ColdFusion is susceptible to multiple instances of Cross-Site Scripting. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. As of this writing no vendor-supplied fixes have yet been made available. Contact the vendor for more details.

http://www.securityfocus.com/bid/49787

5) IBM WebSphere Application Server Cross-Site Request Forgery Vulnerability

IBM WebSphere Application Server is susceptible to a Cross-Site Request Forgery vulnerability. Cross-Site Request Forgery relies on a browser to retrieve and execute an attack. It includes a link or script in a page that connects to a site that the user may have recently used. The script then conducts seemingly authorized yet malicious actions on the user’s behalf. Fixes for this issue are available. Contact the vendor for further details.

http://www.securityfocus.com/bid/49766

6) Microsoft SharePoint Cross-Site Scripting Vulnerability

Microsoft SharePoint is susceptible to a Cross-Site Scripting vulnerability. Cross-Site Scripting can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. Updates which resolve this vulnerability are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/49004

7) SAP Crystal Report Server 2008 'pubDBLogon.jsp' Cross-Site Scripting Vulnerability

SAP Crystal Report Server is susceptible to a Cross-Site Scripting vulnerability. An attacker can leverage Cross-Site Scripting to execute script code in the browsers of unsuspecting users in context of the affected application, possibly leading to theft of authentication credentials and other attacks. Updates which resolve this vulnerability are available. Contact the vendor for more information.

http://www.securityfocus.com/bid/49656

8) IBM Lotus Domino 'PanelIcon' Parameter Cross-Site Scripting Vulnerability

IBM Lotus Domino is susceptible to a Cross-Site Scripting vulnerability. An attacker can leverage Cross-Site Scripting to execute script code in the browsers of unsuspecting users in context of the affected application, possibly leading to theft of authentication credentials and other attacks. As of this writing no vendor-supplied fixes had yet been made available. Contact the vendor for further details.

http://www.securityfocus.com/bid/49701

9) SAP Web Application Server WEBRFC ICF Service Cross-Site Scripting Vulnerability

SAP Web Application Server is susceptible to a Cross-Site Scripting vulnerability. Arbitrary script code can be executed in context of the affected site in the browsers of unsuspecting users if this vulnerability is successfully exploited. Updates which resolve this vulnerability are available. Contact the vendor additional details.

http://www.securityfocus.com/bid/49646

10) Novell GroupWise 8 WebAccess 'Directory.Item' Parameters Cross-Site Scripting Vulnerabilities

Novell GroupWise 8 WebAccess is susceptible to a Cross-Site Scripting vulnerability. Cross-Site Scripting can give an attacker the means to execute arbitrary script code in the browsers of unsuspecting users and steal authentication credentials. Fixes that resolve this vulnerability are available. Contact the vendor for more information.

http://www.securityfocus.com/bid/49773

Healthcare organizations not ready for new security standards

markpainter — Wed, 21 Sep 2011 19:52:25 GMT

A new wave of federal requirements set by the HITECH provisions of the American Recovery and Reinvestment Act concerning the confidentiality of patient data and personal health information are getting ready to be implemented. Among provisions concerning new rules and fines for data breach disclosure, one new requirement is that healthcare organizations will now be mandated to conduct annual risks assessments. On top of that, the Office of Civil Rights (OCR) will soon begin auditing healthcare organizations to ensure compliance with the new HITECH rules.

So, are healthcare organizations getting ready for these changes? As of yet, not so much. A recent survey conducted by the HIMSS found that 53% weren't conducting annual risk assessments. 58% had no dedicated staff for security efforts. Half currently spend less than 3% of their organizational resources on security.

A lot of healthcare organizations can be forgiven in that until just the past year HIPAA rules were rarely enforced. Things have changed, though. The move towards Electronic Health Records has necessitated that security concerns be addressed (albeit after the fact and not in conjunction, but hey, one thing at a time). And as the new regulations actually have some teeth, the potential negative impact of doing no risk analysis whatsoever should help to spur organizations that deal with healthcare information into the fold. Now let's hope they know that.

Trust (but Verify) Your Software: Notes From the Fortify Software Security Assurance Summit

Adam_Hils — Fri, 16 Sep 2011 15:28:54 GMT

This past Monday, I was fortunate to participate in an HP Fortify-sponsored event, the SSA Summit, in Washington, DC. Near (but discrete from) the much larger HP Protect 2011, the SSA Summit brought 85 security executives together to hear compelling content from industry thought leaders, and to ask questions and offer insights that can only be gleaned from people who wrestle with application security challenges each day.

What is SSA?

"Software Security Assurance" is, simply, the systematic process for ensuring an organization’s software can be secure. A comprehensive approach to SSA addresses risks from in-house development, outsourced projects, third-party commercial apps, and open source projects. Done correctly, SSA will instill secure development practices for creating new code and address the weaknesses already present in deployed applications. It includes elements of training, technology, vendor management, compliance, and metrics to track progress.

This programmatic approach to securing applications pulls in static application security testing (SAST), dynamic application security testing, run-time testing, and other technologies. As organizations adopt this mindset, they are less concerned about which discrete security widgets to buy; rather, they buy solutions to help them reach their overarching "secure-the-software-continuously-throughout-the-lifecycle" goal.

Summit Highlights

Rob Roy, HP Fortify's Federal CTO, kicked off the talks with some frightening statistics:

In 2010, 85% of enterprises reported one or more cyberattacks
There is a $7.2M average cost associated with an enterprise data breach
On average, public companies that have suffered data breaches have lost 30% on their market caps; and
It costs 3 cents an hour to rent Amazon's EC2 cloud-based computing service, providing a dirt-cheap anonymized platform for wrongdoing. Talk about asymmetrical warfare!

After Rob made everyone in the room change their underwear, Dr.Eugene Schultz, CTO of Emagined Security, took the floor. His presentation -"The Proliferation of High Profile Cyberattacks: Is There an End in Sight?" - was even more uplifting than Rob's presentation. Dr. Schultz cited the 2010/2011 FBI Computer Crime survey, which found that 87% of respondents had experienced malicious code infection, more than doubling the next-most experienced category, "successful phishing" (39%). He then provided a very entertaining review of computer crime history, dating all the way back to the 1950s, ending with today's wave of high-profile attacks.

Heartland Payment Systems' John South, the CISO whom Heartland hired following their catastrophic 2009 breach, then discussed that breach and other matters in "Evolution of Application Security: From Breach to Mobile Applications". The blow-by-blow case study of the breach - and Heartland's response - was gripping stuff. Heartland today uses a range of security techniques across the application lifecycle, including static analysis, dynamic analysis, and web application firewalls (WAFs) to shield production web app vulnerabilities that dynamic scanners find while the underlying code is being remediated.

Finally, South described Heartland's approach to mobile application security, an emerging concern that requires the organization to morph some of their security techniques across the same basic SDLC.

Following an interesting talk about "Social Media and the Potential of Cyber Security Attacks", we broke into our Executive Roundtables. I moderated one on the topic of "Selling Application Security within the Commercial Enterprise" I was lucky to have executives at my table from organizations with varying levels of application security, so their experiences were different. Their common denominator was that they were actively addressing the problem of SSA, which cannot be said of all organizations.They had each at least started down the path of setting up and communicating a systematized software security program, and they shared insights and best practices about communicating with developers, increasing their security awareness and getting buy-in; monitoring web application health in production; and integrating and enforcing security processes across the application lifecycle.This session was for me a great way to hear the struggles and successes of appsec-engaged enterprises.

A Snapshot from HP Protect

After the Summit ended Monday evening, I spent the next two days speaking with security practitioners from HP Protect, a gathering of ~2,000 infosec practitioners. Many of the organizations these folks came from view application security - if they consider it at all - as a way to get compliance checkmarks in PCI or SCADA. They may want to address appsec, but they see the problem as a matter of acquiring tools, not of changing processes across the application lifecycle.

The final day of the show, a customer conversation crystallized the difference for me. An HP security customer approached me about WebInspect, because he believed his approach to application security was insufficient. As a member of a 2 person (him and the CISO) infosec group in a 700 employee electric utility company, he has time to manage his firewalls and IPS, tune his SIEM, and run his network vulnerability tests. In his spare time, he runs episodic web app vulnerability tests using open source tools. His developers don't believe him some of the time when he finds vulnerabilities, and at that point it's very difficult to even pinpoint the problem, much less remediate it. I showed this customer WebInspect Real-Time, which finds a vulnerability and points back eventually to the line of code. His eyes lit up, and I got his contact information to continue discussions with him; however, this customer, as he sees the more extensive set of vulnerabilities he finds using our unsurpassed dynamic scanning approach, will see that he must do more than just buy tools. I hope that in two years he will be able to present a case study at the 2013 Fortify SSA Summit describing his organization's SSA transformation.

Now hiring - HP Application Security Center QA Engineer

markpainter — Wed, 14 Sep 2011 18:39:05 GMT

Exciting security things are happening at HP. With the new alignment of enterprise security assets within HP (Application Security Center, Fortify, TippingPoint, Arcsight, etc.), there is huge potential for career opportunity and growth at HP for security professionals. Huge. One of the exciting results of this is that we are growing the HP Application Security Center (ASC) team in Atlanta. We now have a QA Engineer position available in our Atlanta office. We are looking for applicants with an aptitude for breaking software in a creative fashion and an eagerness to learn new technologies. The requirements for this position follow:

Job Requirments:

Thorough knowledge of the software life cycle, software quality assurance methods and testing, web servers and web programming languages.
Thorough understanding of system development methodologies, architectures, environments, technical/software specifications, technical manuals, programming languages and query tools.
A 4 year degree required.
A minimum of 5 years of experience is required.
Familiarity with web2.0, Web Services, and Rest.
Skilled at setting up testing environments.
Skilled at VMWare.
Skilled at using a defect tracking system such as Quality Center/Bugzilla.
Skilled at using proxies and a packet sniffer.
Skilled at using various Windows OS.

Required Abilities:

Able to execute a variety of rigorous tests within agreed timelines at various stages of project development.
Able to accurately classify and record the exact cause of each defect.
Able to work with limited supervision, and to take ownership of tasks and follow them through to completion.

Required Skills:

Strong attention to detail -- logical and structured when recording and documenting problems.
Skilled in developing good working relationships with colleagues.
Excellent written and verbal communication skills.
General knowledge of all aspects of the software engineering process.
Experience in a wide variety of testing efforts, techniques and tools.
People skills, especially diplomacy and advocacy skills.
Planning and management skills.
Experience in web development.
Experience in a variety of testing efforts.
Diagnostic and problem solving skills.
Broad knowledge of hardware and software and software installation and setup.

If you love testing products, are interested in security, and want to work with a dedicated, energetic, and fun team, this is your chance. For more information, contact Jags Kandasamy jags.kandasamy@hp.com.

The 2011 Mid-Year Top Cyber Security Risks Report released

markpainter — Mon, 12 Sep 2011 17:54:31 GMT

We are very pleased to announce the release of the 2011 Mid-Year Top Cyber Security Risks Report. This was a joint effort between HP DVLabs, Fortify on Demand, and the ASC Web Security Research Group. In addition, data from the Open Source Vulnerability Database (OVSB) was utilized to create a full picture of the current web application vulnerability landscape.

The primary objective of this edition of the Top Cyber Security Risks Report was to clearly articulate the risks and weaknesses inherent in web applications. It also highlights the rising number of attacks that leverage the vulnerabilities discussed throughout the paper. If you're a security professional, it's a must read.

To view the report, click here.

The HP Web Security Research Group - now hiring a Sr. Web Security Researcher

markpainter — Wed, 14 Sep 2011 18:09:03 GMT

Exciting security things are happening at HP. With the new critical mass of enterprise security assets within HP (Application Security Center, Fortify, TippingPoint, Arcsight, etc.), there is huge potential for career opportunity and growth at HP for security professionals. Huge. One of the exciting results of this new strategic focus on security is that we are committed to strengthening the HP Web Security Research Group (the group formerly known as SPI Labs) in Atlanta.

So, what are we looking for? Applicants with an aptitude for breaking stuff in a creative fashion and an eagerness to learn new technologies and implement ideas that will help advance existing web application security assessment methodologies. We want people that are passionate about security and willing to tackle challenging projects. We want people who are excited about investigating various web application frameworks and technologies for security defects and then producing solutions to detect those issues automatically. If you love security and want to work with a dedicated, energetic, and fun team, this is your chance.

Here's some more details about what this position will entail:

Responsibilities:

Product research :

Investigate and implement techniques for exploiting security vulnerabilities
Research new methods for automatic detection of vulnerabilities
Follow trends in software security and assess their significance

Thought Leadership:

Present research ideas/outcomes at security/developer conferences
Blog and engage with press when required

Vulnerability research:

Identify vulnerabilities in prominent enterprise web software and add product support to detect these issues.
Track advisories for known vulnerabilities in prominent enterprise applications and support automated detection.
Perform frequent pen-tests/security assessments – Identify challenges with the existing assessment technologies and devise solutions to address them.
Support the development, sales and customer support teams.

Qualifications:

BA/BS, MS or PhD in computer science, computer engineering or information security preferred but not required
Penetration Testing experience required
Familiarity with web application frameworks including ASP.NET, Java, PHP etc.
Familiarity with .NET development platform
Familiarity with web scanning technology (commercial or open-source)
Strong Communication Skills

If you're interested, contact Iftach Ragoler for more information.

3 Metrics For Determining Whether To Outsource Your Web Application Testing

danielmiessler — Mon, 29 Aug 2011 20:25:05 GMT

There's a seemingly timeless question within the halls of infosec departments worldwide: do we take on security testing ourselves, or do we find a vendor to do it for us?

The question is valid for a number of types of security testing, but there's a general trend worth noticing: as technologies come to be considered part of infrastructure rather than a series of one-off exceptions, the ability to bring testing in-house increases. As a case-in-point, network security used to be quite exotic and it was commonly outsourced, but these days it's often part of the woodwork, just like general networking infrastructure.

This is not so with application security, as it is not only a more recent problem but the problem itself is more slippery...

Top 10 Web Application Vulnerabilities 07/15/11 - 08/14/11

markpainter — Mon, 15 Aug 2011 21:06:15 GMT

1) Cisco SA 500 Series Appliances Web Management Interface Remote Command Injection/SQL Injection Vulnerabilities

Cisco SA 500 series security appliances are susceptible to a Remote Command Injection and a SQL Injection vulnerability in the web management interface. The Remote Command Injection vulnerability be exploited to run arbitrary commands with root-level privileges on the operating system, while SQL Injection can give an attacker full access to a backend database, and in certain circumstances can be utilized to take complete control of a system. Both of these vulnerabilities require authentication to be successfully exploited. Updates which resolve these issues are available. Contact the vendor for further details.

http://www.securityfocus.com/bid/48810
http://www.securityfocus.com/bid/48812

2) Oracle Secure Backup 'validate_login' Command Injection Remote Code Execution Vulnerability

Oracle Secure Backup is susceptible to a Remote Command Injection vulnerability. Successful exploitation will give an attacker the means to execute arbitrary code in context of the web server process, while failed attempts will likely result in a Denial-of-Service condition. Updates which resolve this vulnerability are available. Contact the vendor for more information.

http://www.securityfocus.com/bid/48752

3) SAP Netweaver Invoker Servlet Remote Code Execution Vulnerability

SAP Netweaver is susceptible to a Remote Code Execution vulnerability. An attacker can leverage this to execute arbitrary script code in context of the vulnerable application. Updates which resolve this issue are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/48925

4) Symantec Web Gateway Management GUI 'forget.php' SQL Injection Vulnerability

Symantec Web Gateway is susceptible to a SQL Injection vulnerability. Successful exploitation could give an attacker the means to access or modify backend database contents, or in some circumstances be utilized to take control of the server hosting the database. Updates which resolve this vulnerability are available. Contact the vendor for more details.

http://www.securityfocus.com/bid/48318

5) Oracle GlassFish Enterprise Server Multiple Input Validation Vulnerabilities

Oracle GlassFish Enterprise Server is susceptible to multiple vulnerabilities including Cross-Site Scripting and HTML Injection. Successful exploitation of these vulnerabilities could be used to alter how the site appears, steal authentication credentials, or execute malicious scripts in the browsers of unsuspecting users. Updates which resolve these vulnerabilities are available. Contact the vendor for further details.

http://www.securityfocus.com/bid/48797

6) SAP Netweaver Information Disclosure/Cross-Site Scripting Vulnerabilities

SAP Netweaver is susceptible to multiple vulnerabilities including Information Disclosure and Cross-Site Scripting. Successful exploitation would give an attacker unauthorized access to sensitive information, the means to execute code in the browser of an unsuspecting user, and the ability to steal cookie-based authentication credentials. Updates which resolve these vulnerabilities are available. Contact the vendor for more information.

http://www.securityfocus.com/bid/48718

7) HP Network Automation SQL Injection/Cross-Site Scripting Vulnerabilities

HP Network Automation is susceptible to SQL Injection and Cross-Site Scripting vulnerabilities. If exploited, these vulnerabilities could lead to compromise of the application, the theft of confidential information and authentication credentials, or execution of malicious scripts in the browsers of unsuspecting users. Updates which resolve these issues are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/48924
http://www.securityfocus.com/bid/48922

8) Symantec Endpoint Protection Cross- Site Request Forgery/Cross-Site Scripting Vulnerabilities

Symantec Endpoint Protection is susceptible to multiple vulnerabilities including Cross-Site Request Forgery and Cross-Site Scripting. If exploited, these vulnerabilities could lead to the theft of confidential information and authentication credentials, execution of malicious scripts in the browsers of unsuspecting users, or abuse of the trust a web application places in a user. Updates which resolve this vulnerability are available. Contact the vendor for further details.

http://www.securityfocus.com/bid/49101
http://www.securityfocus.com/bid/48231

9) Google Search Appliance Cross-Site Scripting Vulnerability

Google Search Appliance is susceptible to a Cross-Site Scripting vulnerability. Arbitrary script code can be executed in context of the affected site in the browsers of unsuspecting users if this vulnerability is successfully exploited. Updates which resolve this vulnerability are available. Contact the vendor for more information.

http://www.securityfocus.com/bid/48957

10) HP Arcsight Connector Appliance Cross-Site Scripting Vulnerability

HP Arcsight Connector Appliance is susceptible to a Cross-Site Scripting vulnerability. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Updates which resolve these vulnerabilities are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/48694

Cost of dealing with cyber crime increased 56% in one year

markpainter — Fri, 05 Aug 2011 20:08:53 GMT

HP and the Ponemon Institute recently released the Annual Cost of Cyber Crime Study which showed that the upward trend in the costs of cybercrime continues unabated. In fact, the median cost of dealing with cybercrime rose 56% to $5.9 million in just one year. As if businesses didn't already have enough to contend with in this climate.

And don't expect these costs to go down anytime soon. We've already seen what data breaches can cost organizations. Dr. Ponemon said it best: "As the sophistication and frequency of cyber attacks increases, so too will the economic consequences."

In 2010, it took an organization an average of 14 days and $250,000 to recover from a cyber attack. In 2011, that's already increased to 18 days and $416,000. Factor in the costs associated with noncompliance with governmental regulations and notifying customers of data breaches, and you're staring at a whopping number.

If possible, an even more disconcerting statistic is that the surveyed organizations on average experienced 72 successful attacks per week. That was a 45% increase from 2010. And in this day and age, sometimes all it takes is one attack to compromise your system completely.

Organizations once again face a choice. Pay now by implementing Secure Development Lifecycle practices in your development organization, or pay later by getting hacked.

The costs of 5 high profile data breaches

markpainter — Thu, 28 Jul 2011 20:25:30 GMT

I was working on a side project, and I kept running across some interesting statistics regarding the costs associated with some high profile data breaches. These include notifying customers and penalties for non-compliance, among other things. For instance, the RSA costs include replacing SecurID tokens. None of these numbers are final at this point, and probably won't be for years.

RSA: $400,000,000
CitiGroup: $2,700,000
Sony: potentially $24,000,000,000 (yikes!)
Epsilon: up to $4,000,000,000
Heartland Payment Systems:$140,000,000

Here's some other interesting statistics that I've recently found:

Businesses: 90% suffered data breach during last year

Average Cost of 1 Customer Record Breach: $318 and climbing
Average Total Data Breach Costs: $7,200,000

So, what can organizations do to help lower these costs once the barn door has been left open and the horses are running free? One solution that seems non-intuitive to a lot of companies is simply to take the time to do the proper forensics and only notify the customers whose data was actually accessed. Ultimately, getting it right the first time is both cheaper and more effective.

Ain't No Party Like a Real-Time Party

Adam_Hils — Thu, 14 Jul 2011 21:10:42 GMT

Believe the Hype: WebInspect Real-Time Reinvents Dynamic Scanning

This is why I joined HP's software security team last fall - to help build and bring to market innovation that redefines web application security. With WebInspect Real-Time, HP has changed the game.

In the decade since the first automated dynamic scanning tools climbed out of the primordial ooze, users have decried their deficiencies.They're not smart enough, we heard...too many things are missed, too many pages go uncrawled. We recognized some time ago that It is no longer good enough just to fuzz an application without being aware of what's happening inside the software during runtime. To that end, we've inserted our own "eye on the inside,’’ runtime analysis provided by SecurityScope. It’s implemented as an agent inside an application server. WebInspect interacts with SecurityScope and uncovers every part of the application, leaving nothing untested. And as one vulnerability is all it often takes to compromise an application and possibly the underlying system, complete coverage is essential.

As Joseph Feiman, Gartner VP and application security expert says in the linked HP WebInspect Real-Time announcement., "Even when a vulnerability is detected, DAST (Dynamic Application Scanning Technology) cannot point to the specific line of source code where the vulnerability exists". WebInspect solves that problem with SecurityScope. It can point users toward the specific line-of-code vulnerabilities that WebInspect exploited, greatly reducing the time required to fix these issues.

The SecurityScope-WebInspect communication provides us insight our competitors have begun talking about, but have been unable to introduce. Feiman calls this interaction between static/runtime analysis and dynamic security testing "integrated application security testing (IAST)." Whatever the name, this is clearly the next generation of dynamic application vulnerability testing, allowing for wider market uptake earlier in the application lifecycle.

HP is a security company; with apologies to Coolio, there ain't no party like a real-time party.

Top Ten Web Application Vulnerabilities 6/6/2011 - 7/5/2011

markpainter — Wed, 06 Jul 2011 20:59:25 GMT

1) IBM WebSphere Application Server Administration Console Cross-Site Request Forgery Vulnerability

IBM WebSphere Application Server is susceptible to a Cross-Site Request Forgery vulnerability. Cross-Site Request Forgery relies on a browser to retrieve and execute an attack. It includes a link or script in a page that connects to a site that the user may have recently used. The script then conducts seemingly authorized yet malicious actions on the user’s behalf. As of this writing a fix has not been released. Contact the vendor for more details.

http://www.securityfocus.com/bid/48305

2) SAP Netweaver Multiple Vulnerabilities

SAP Netweaver is susceptible to multiple vulnerabilities including Cross-Site Scripting, authentication bypass, and information disclosure. An attacker can leverage these vulnerabilities to execute arbitrary code in the browsers of unsuspecting users and gain unauthorized access. Updates which resolve these vulnerabilities are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/48351

3) Adobe ColdFusion Cross-Site Request Forgery Vulnerability

Adobe ColdFusion is susceptible to a Cross-Site Request Forgery vulnerability. Cross-Site Request Forgery leverages the trust a web application places in a user to make authenticated requests to a target site for which the user is logged in, and can be used to abuse any type of functionality the target web application contains. Updates which resolve this vulnerability are available. Contact the vendor for more information.

http://www.securityfocus.com/bid/48271

4) Ruby on Rails Multiple Cross-Site Scripting Filter Security Bypass Weaknesses

Ruby on Rails is susceptible to multiple instances of Cross-Site Scripting. If successful, Cross-Site Scripting can be exploited to manipulate or steal cookies, create requests that can be mistaken for those of a valid user, compromise confidential information, or execute malicious code on end user systems. Updates which resolve these vulnerabilities are available. Contact the vendor for additional details.

http://www.securityfocus.com/bid/48169

5) IBM Rational Team Concert Multiple Cross-Site Scripting Vulnerabilities

IBM Rational Team Concert is susceptible to multiple Cross-Site Scripting vulnerabilities. Cross-Site Scripting can be exploited to execute code in the browser of an unsuspecting user and steal cookie-based authentication credentials. Updates which resolve these issues are available. Contact the vendor for further details.

http://www.securityfocus.com/bid/48356

6) Trend Micro Data Loss Prevention Directory Traversal Vulnerability

Trend Micro Data Loss Prevention is susceptible to a Directory Traversal vulnerability. Successful exploitation would give an attacker the means to gain possible access to sensitive information or even completely compromise the affected system. As of this writing a fix has not yet been released. Contact the vendor for more information.

http://www.securityfocus.com/bid/48225

7) IBM Web Application Firewall Security Bypass Vulnerability

IBM Web Application Firewall is susceptible to a security bypass vulnerability that will give an attacker the means to bypass restrictions and perform unauthorized actions. As of this writing a fix has not yet been released. Contact the vendor for more information.

http://www.securityfocus.com/bid/48370

8) HP Service Manager and Service Center Multiple Vulnerabilities

HP Service Manager and Service Center are susceptible to multiple vulnerabilities including HTML Injection and Cross-Site Scripting. Successful exploitation of these vulnerabilities could be used to alter how the site appears, steal authentication credentials, or execute malicious scripts in the browsers of unsuspecting users. Updates which resolve these vulnerabilities are available. Contact the vendor for additional details.

http://www.securityfocus.com/bid/48168

9) Fujitsu Accela BizSearch Cross-Site Scripting Vulnerability

Fujitsu Accela BizSearch is susceptible to Cross-Site Scripting. Arbitrary script code can be executed in context of the affected site in the browsers of unsuspecting users if this vulnerability is successfully exploited. An update which resolves this issue is available. Contact the vendor for more information.

http://www.securityfocus.com/bid/48497

10) IBM Tivoli Directory Server Log File Information Disclosure Vulnerability

IBM Tivoli Directory Server is susceptible to an information disclosure vulnerability. Attacks can leverage this vulnerability to gain access to information which will likely allow them to escalate their attack methodology. Updates which resolve this issue are available. Contact the vendor for additional information.

http://www.securityfocus.com/bid/48512

90% of organizations suffered at least one data breach during the past year

markpainter — Fri, 04 Nov 2011 14:37:30 GMT

A recent survey discovered that a full 90% of organizations suffered at least one data breach during the past year. Another 59% said that their networks had been compromised at least twice during that same time frame. 78% of the survey responders said that attacks are becoming harder to detect, more difficult to prevent, occurring at a greater frequency, and compounded by tight security budgets. Not surprisingly, confidence is low (at least for over a third of the respondents) that future breaches can be prevented.

So what's the problem?

While organizations might have a better understanding of the repercussions from a successful attack, they as yet aren't willing to pay what security actually costs. Almost all the respondents had 10 percent or less of their IT budgets devoted to security spending. In this day and age, devoting less than 10% of your IT budget to your security efforts is not exactly a recipe for success. One of the reasons security is expensive is because of the unbelievably high number of unique attack vectors that exist for each specific application, implementation, framework, and so on. When hackers only have to be right once, it's a daunting (and perhaps impossible) task to test (and secure) everything. It's not cheap, that's for sure. It's even harder when the wrong things are prioritized.

Another problem is the changed nature of hacking itself. One quote from Johnnie Konstantas of Juniper Networks (who sponsored this study) grabbed my attention: “We are seeing an uptick in hacking for profit and hacking for activism.” That's a succinct way of putting it. In a sense, organizations now face a battle on two virtual fronts. If you draw the unfortunate attention/wrath of a hacktivist group, it's likely every security hole you missed will be exploited. And they will be 'loud' attacks both intended to embarrass you and cause brand damage. Nobody is immune (not even security professionals). Criminal activity, on the other hand, is the opposite. These are 'quiet' attacks designed to go undetected. Criminals gain entrance, and then burrow in and steal as much information they can for as long as they can without being detected. Long story short, whether for profit or politics, current attacks only continue to grow in frequency and intensity, and are much more dangerous than those of even only five years ago.

So, there is a bit of a double edged sword in play. Security serves to mitigate risk, not prevent it entirely. Yet, organizations who shell out big bucks want more guarantees than not even when attacks and their damagees are only increasing. And of course, the real solution, for both cost and effectiveness, is to build security in from the beginning. It's cheaper, and it works better than anything else. Simply slapping new applications on top of insecure systems doesn't solve anything. Unfortunately, where we need to be doesn't seem to be where we're at.

Now Hiring: HP Application Security Center - Java Expert

markpainter — Mon, 27 Jun 2011 21:22:46 GMT

HP is in search of a full-time Software Engineer who is available to begin quickly. HP provides software and services to help enterprises protect against the loss of confidential data through the web application layer. The company's flagship product line, WebInspect, assesses the security of an organization's applications and web services, the most vulnerable yet least secure IT infrastructure component. Software developers, quality assurance professionals, corporate security auditors and security practitioners use WebInspect products throughout the application lifecycle to identify security vulnerabilities that would otherwise go undetected by traditional measures such as automated application testing tools, network firewalls, intrusion detection systems, or manual code reviews.

The unique candidate is someone who is interested in a career in Software Engineering to create commercial-grade, component-based, and enterprise applications. The ideal candidate must thrive on a fast-paced, hard-working development team and have a passion for keeping up to date on the latest technologies. For this position, three years of experience is preferred, but not required. However, the candidate must have a BS in Computer Science or the equivalent combination of education and experience and must be eager to build a career in computer programming.

Qualifications/Technical Requirements:

Bachelor's Degree in Computer Science or related field of study, or equivalent combination of education and experience.
Knowledge of Object-oriented programming.
Knowledge of Java, J2EE, Spring, Hibernate, Flex
Knowledge of relational databases and SQL (experience with SQL Server preferred).
Familiarity with client-side web technologies (Flex, JavaScript, AJAX, HTML, XML) strongly desired
Exposure to web application security is a big plus.
Experience with Web Services and XML knowledge is a plus
Strong communication skills, both written and verbal.
Independent, self-motivated worker requiring little supervision.
Strong problem solving skills.

Notes:

At least three years of experience
Preference for someone who understands web security. Doesn’t need to be researcher, but one who understands web vulnerabilities so they can optimize and improve scanning & detection.
Must be very capable coder
Enterprise level product development is a plus
Clear areas of ownership and in-depth understanding of past work.
Must be located in the Atlanta, GA area or willing to relocate to the Atlanta area

For more information, contact Iftach Ragoler, or click here to apply online.

Now Hiring: HP Application Security Center – C# Expert

markpainter — Mon, 27 Jun 2011 21:22:43 GMT

Qualifications/Technical Requirements:

Bachelor's Degree in Computer Science or related field of study, or equivalent combination of education and experience.
Knowledge of Microsoft environments (.Net, Windows 2003, Windows XP, IIS)
Knowledge of Object-oriented programming.
Knowledge of C#/.NET
Knowledge of relational databases and SQL (experience with SQL Server preferred).
Experience in developing multi-threaded applications is a big plus.
Familiarity with client-side web technologies (Flex, JavaScript, AJAX, HTML, XML) strongly desired
Working knowledge of web protocols and technologies is a big plus.
Exposure to web application security is a big plus.
Strong communication skills, both written and verbal.
Independent, self-motivated worker requiring little supervision.
Strong problem solving skills.

Notes:

Junior is OK, but would prefer 3 or so years of experience. If junior, must be a star from good school
Strong preference for someone who understands web security. Doesn’t need to be researcher, but one who understands web vulnerabilities so they can optimize and improve scanning & detection.
Must be very capable coder
Enterprise level product development is a plus
Clear areas of ownership and in-depth understanding of past work.
Must be located in the Atlanta, GA area or willing to relocate to the Atlanta area

For more information, contact Iftach Ragoler, or click here to apply online.