RSA 2012: NT Objectives hosts ISE® VIP wine tasting reception & book signing with Kevin Mitnick

We are looking forward to RSA 2012 in San Francisco. We are excited to be hosting a VIP reception and a book signing with Kevin Mitnick with T.E.N and their ISE® Alumni VIP Hosts.

Each guest will receive a complimentary copy of Ghost in the Wires, enjoy tasting some rare wines from Europe’s finest boutique wineries with me and have the opportunity to connect with leading CISOs.

The wines have been selected by NTO’s own wine geek, me, and come from San Francisco’s hottest wine bar, Terroir. These are “natural” wines (WARNING: That links to a video that unnecessarily overuses and abuses the f-bomb, but it is the best explanation of natural wines and it’s entertaining as well.) made with minimal intervention to preserve their unique flavor profiles and as such, are favored by industry insiders and wine geeks.

As the ISE® VIP Programs have been oversubscribed in previous years due to limited availability and strong interest, we recommend that you register early.

Hope to see you there!

More information on the NTObjective’s ISE VIP Reception and Book Signing

NT OBJECTives Positioned in the “Visionaries” Quadrant of the Magic Quadrant for Dynamic Application Security Testing (DAST)

Recent Gartner research positioned NT OBJECTives in the Visionaries quadrant for Dynamic Application Security Testing (DAST).(i) Gartner’s report was published in December and is now available to all Gartner subscribers.

Analysts Neil MacDonald and Joseph Feiman state in the report that “Dynamic Application Security Testing (DAST) solutions should be considered mandatory to test all Web-enabled enterprise applications, as well as packaged and cloud-based application providers.” They go on to note that “the market is maturing, with a large number of established providers of products and services.”(ii)

We consider our positioning in the “Visionaries” quadrant by Gartner confirmation of our mission and ability to deliver technologies and services that solve today’s toughest application security software challenges. Web application security represents one of the greatest security challenges facing the information technology industry today. We will continue to innovate and deliver the products today’s security teams need. In the months ahead, we are excited to launch a number of products that will further enhance our market position and help our customers.

In the report, MacDonald and Feiman also note that “as organizations have improved the security of their network, desktop and server infrastructures, there has been a shift to application-level attacks as a way to gain access to the sensitive and valuable information they handle, or to use a breach of an application to gain access to the system underneath. In addition, there has been a shift in attacker focus from mass “noisy” attacks to financially motivated, targeted attacks. As a result of these trends, application security has become a top investment area for information security organizations, whether improving the security of applications developed in-house, procured from third parties or consumed as a service from cloud providers.”(iii)
Gartner clients may view a copy of the Magic Quadrant for Dynamic Application Security Testing (DAST) report via Neil MacDonald’s blog, “The Market for Dynamic Application Security Testing is Anything but Static”.

Disclaimer:
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

About NT Objectives
NT OBJECTives, Inc brings together an innovative collection of experts in information security to provide a comprehensive suite of technologies and services to solve today’s toughest application security challenges. NT OBJECTives solutions are well known as the most comprehensive and accurate Web Application security solutions available. NT OBJECTives is privately held with headquarters in Irvine, CA.

(i) Gartner, “Magic Quadrant for Dynamic Application Security Testing,” Neil MacDonald and Joseph Feiman, December 27, 2011
(ii) Gartner, “Magic Quadrant for Dynamic Application Security Testing,” Neil MacDonald and Joseph Feiman, December 27, 2011
(iii) Gartner, “Magic Quadrant for Dynamic Application Security Testing,” Neil MacDonald and Joseph Feiman, December 27, 2011

Tales from the Web Scanning Front: Why is This Scan Taking So Long?

As CEO, I’m constantly emphasizing the importance of customer support and trying to attend several support calls each week to stay on top of our support quality and what customers are asking.

Surprisingly, application scan times are one of the most common issues raised by customers.  Occasionally, scans will take days or even weeks.

At this point, I would say that in almost all cases, there is an issue that lies within the application’s environment as opposed to something within the software.

First, some background on web application security scanners. Web scanners first crawl websites, enumerate attack points and then create custom attacks based on the site. So, for example, if I have a small site with 200 attackable inputs and each one can be attacked 200 ways, with each attack requiring 2 requests, I have 200*200*2 or 80,000 requests to assess that site.

Now NTOSpider can be configured to use up to 64 simultaneous requests, so depending on the response time from the server, you can run through requests very quickly. Assuming, for example, 10 requests a second, that’s 600 per minute, 36,000 per hour, and you can get through that site in 2.22 hours.

The problem is that quite often the target site is not able to handle 10 or even 1 request per second.  Some reasons can include:

  • Still in development - The site is in development and has limited processing power and/or memory.
  • Suboptimal optimization - The site is not built to handle a high level of traffic and this has not yet shown up in QA. We were on the phone with a customer last month who allowed us to look at the server logs and we saw that one process involved in one of our requests was chewing up 100% of the CPU for 5 seconds. Another application was re-adding every item to the database each time the shopping cart was updated (as opposed to just the changes) and our 5,000 item cart was severely stressing the database.
  • Middleware - Not to bash any particular vendor (Coldfusion) but some middleware is quite slow.

So let’s look at our 80,000 request example from above and assume that our site can only handle 1 request per second. Our 2.2-hour scan time balloons to 22 hours. For the 5-second response in bullet 2, we get to 4.6 days for our little site. The good news is that NTOSpider can be configured to slow itself down so as to not DoS the site (this is our Auto-Throttle feature). The bad news is that it will take some time.

So what’s a poor tester to do?

  • Beefier hardware - If you are budgeting for a web scanner, consider spending a couple of extra thousand dollars on some decent hardware to test your apps. (Note – a modern laptop with optimal RAM for the OS you are running – 32-bit OS = 4 Gigs of RAM / 64-bit OS = 8 Gigs of RAM – will solve 90% of all performance issues.)
  • Scheduling - In some cases, you can schedule scans so that even if they are longer, you can still get things done in time.
  • Segmenting - In some cases, if you know that only a portion of the site has changed, you can target the scan to test only that subset and dramatically reduce scan time.
  • Code Augmentation - Not to put too fine a point on it, but if a single request is taking 5 seconds to process, a hacker can DoS your site by hand. You might want the developers to look at adjusting the code.

Assessing risk before you buy software: Is company risk inversely related to company size?

Software purchase risk assessment
I recently stumbled across this article which got me thinking about the risks organizations take when they buy technology products and what kind of risk assessment process is conducted. Our company sells application security assessment software to people who are experts at managing IT security risk, so I’m curious to hear what others think.
11 Companies On the Edge in 2012
#8 on the list.
Hewlett-Packard. Stock decline: 38 percent.
“HP is on its third CEO in less than two years, with the turnover reflecting strategic confusion that has impaired earnings, enraged shareholders and raised concerns that HP is too unwieldy to be run effectively. With operations in many business and consumer markets, HP has numerous competitors that have been nibbling market share, leading to disappointing results likely to continue into 2012. Some analysts worry that a heavy focus on acquisitions in recent years has left holes in HP’s new-product pipeline. New CEO Meg Whitman may enjoy a bit of a honeymoon, but she’ll need to prove herself by the second half of 2012.”

First, I’d like to clear the air in the spirit of full disclosure.

  1. I have nothing against technology conglomerates and believe that they fill an essential role in our economy.
  2. At various times in my own company’s history, HP and its subsidiaries have been customers, partners and vendors.
  3. I have personally purchased and used many HP products over the years and am a fan of Meg Whitman for her work at eBay.
  4. My company directly competes with HP in the application security space as I mentioned.
  5. I am co-CEO of a privately held company that has been profitable for over six years.  Now on with the post.

The common wisdom seems to be that when purchasing technology products there is little or no risk with large firms and significant risk with smaller firms.

In my experience, this isn’t really true.

Let’s look at the varying types of risk in purchasing technology (this is not specific to application security technology)

  • Technology and Support Team Risk – With any technology, particularly complex technologies, there is a huge risk that the team responsible for creating that technology will change for the worse, and later versions of the product will get worse over time after the customer has spent a significant amount of money for a perpetual license where the product is supposed to last 3-5 years or more.  Customers expect to be able to get ongoing support for the product that they have purchased. This is particularly important with more complex products.
In building application security software, for example, building and maintaining a team of top developers is crucial because the industry-specific knowledge required to create a leading product requires years of coding and domain expertise, as is the case in many industries.
  • Bankruptcy Risk – Obviously, if a company goes bankrupt and is dissolved, there will be no further upgrades or support.
  • Strategic Risk – Companies can decide that the product purchased by the customer does not meet its overall strategy and end-of-life the product. Upgrades will be limited and support will likely wither during the last years of the product’s life.
  • Layoff Risk – When companies effect layoffs, products can suffer, which impacts both the technology on an ongoing basis as well as the support.
  • Risk of Sale – When private companies sell to larger companies, there is always the risk that technology and support teams will leave. This can even be the case if their shares vest over time if there are significant cultural or power conflicts or if the incentives are insufficient.

Let’s look at these risk factors by firm size, profitability and recency of technology acquisition:

Unprofitable Private Companies

  • Technology and Support Team Risk – Generally this risk is less because the core team has a significant equity stake in the company and will stay so long as the company has funding.
  • Bankruptcy Risk – This is the most significant risk. Pre-profitable companies rely on investors to fund losses and investors can be fickle. If funding dries up, the company can be forced to sell (in which case the team may leave) or liquidate.
  • Strategic Risk – Smaller companies typically have few products so this is a minimal risk.
  • Layoff Risk –  Smaller companies can cut back on growth if they cannot raise funds, harming development and support.
  • Risk of Sale – This is a significant risk.

Profitable Private Companies

  • Technology and Support Team Risk – Generally low because of equity incentives. Support can suffer with rapid growth.
  • Bankruptcy Risk – Less than for unprofitable private companies for obvious reasons.
  • Strategic Risk – Again, generally a minimal risk.
  • Layoff Risk – This can be a risk, although less than for unprofitable private companies.
  • Risk of Sale – This is the most significant risk. Most private companies do not go public and there is always the risk that the founders of a profitable private company of sufficient size will cash in and move to an island, harming the technical and support capabilities behind the product.

Large Company with Newly Acquired Technology

  • Technology and Support Team Risk – This is a significant risk.  Technology companies suffer significant attrition in their technical staffs post-acquisition.  Some founders leave because it is more lucrative to be an entrepreneur and some leave because they no longer have to work. For others, the work at large companies is not challenging enough and the entrepreneur in them feels stifled.
  • Bankruptcy Risk – Generally minimal.
  • Strategic Risk – This is a small risk short term. See below for the longer term risks.
  • Layoff Risk – This is potentially a significant risk depending on the financial profile of the company.
  • Risk of Sale – Less of a risk than for smaller companies.

Large Company with Longstanding Technology

  • Technology and Support Team Risk – After a while, the creators of the technology leave and are replaced by a team that wants to work at a larger company.  This can be good or bad but is generally somewhat stable.
  • Bankruptcy Risk – Generally minimal.
  • Strategic Risk – This is a huge risk.  Large companies go through strategic review constantly.  Many products exist as parcels in larger groups controlled by a single executive or executive team.  When turnover occurs, priorities change and centi-million dollar acquisitions can be written off like week old bananas.  We were partnered with a company that wrote off a $150 million acquisition after 3 years because it didn’t make strategic sense.
  • Layoff Risk – When large companies are in financial trouble, they tend to cut across the board, which can significantly impact product quality and support both from a pure numbers as well as a morale standpoint.
  • Risk of Sale – Less of a risk than for smaller companies.

To sum up, the issue of company risk in technology purchases is far more complex than is ordinarily assumed.  The saying, “no one ever got fired for buying IBM” may not necessarily be true.  Conversely, I’m not arguing that buying from small companies because they are small makes any more sense than buying from large companies because they are large. IT professionals must evaluate the risks of the companies with whom they are doing business on a case by case basis.

“Perfect-Fit” Virtual Patching for WAF/IPS with NTODefend

Recently NT OBJECTives announced NTODefend and its ability to generate “perfect-fit” custom patches for WAF & IPS. This marketing term “perfect-fit” has been the cause of some questions. People are wondering how our “perfect-fit” rules differ from what other DAST vendors are doing, as well as solutions like ThreadFix (aka Vulnerability Manager) from Denim Group. Those who know me, know that I don’t like when vendors overstate their capabilities, and I make sure NTO does not do this either, so I think this term deserves some explanation.

The other solutions that are able to generate virtual patches work from pre-defined templates based on categories of attacks, such as SQL Injection, Cross-Site Scripting, OS Injection. So if a given input is vulnerable to SQL Injection, then the SQL Injection template will be used to generate a virtual patch for the vulnerable input.

NT Objectives’ approach differs in that NTODefend is able to generate rules based on deeper intelligence about the input. This extra information comes from two key features in NTOSpider:

  1. NTOSpider’s input population technology works to determine the intended legitimate data. For example, the input population technology will determine if the input only accepts numbers, or is intended for a phone number, email address, street address, etc.
  2. NTOSpider’s attacking engines detail specifics about the attacks that worked, with information such as usable characters and escape sequences.

By leveraging details about the attacks, NTODefend can generate more specific and aggressive rules to function as countermeasures to the attacks that the input was vulnerable to. This can include making rules that only allow numerical values, or maybe blocking single quotes but not double quotes, or allowing parentheses but not dashes. NTODefend can also decide which canned filters to include to make sure the input is well protected.

The key point is that each rule is generated custom to the input AND custom to the ways it can be exploited.

After installing the virtual patches into the solution, NTODefend provides the ability to re-test all the inputs with both attack traffic and good traffic (a modifiable database is included for each data type NTOSpider can detect). It then generates a report to show which of the good requests and bad requests got blocked. This provides users with the ability to quickly understand how effective the virtual patches were and hopefully alerts them to any virtual patches that could be blocking good traffic.
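To make the two ideas above concrete (rules built from the detected data type plus the characters an attack actually needed, then replayed against good and bad traffic), here is an added illustration in Python. It is not NTODefend’s code; the `InputProfile`, `build_rule` and `retest` names, the data-type patterns and all sample traffic are constructed for this example.

```python
import re
from dataclasses import dataclass, field


@dataclass
class InputProfile:
    """What a crawler and attack engine learned about one parameter (constructed)."""
    name: str
    data_type: str                                    # "numeric", "email" or "free_text"
    attack_chars: set = field(default_factory=set)    # characters the working attack needed


# Whitelist patterns for the data types the crawler can identify (assumed shapes).
TYPE_PATTERNS = {
    "numeric": re.compile(r"^\d{1,10}$"),
    "email": re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$"),
}


def build_rule(profile):
    """Return allow(value) -> bool for one input.

    A known data type yields a whitelist rule. Otherwise the rule blocks only
    the characters the attack engine reported as usable, so for example a
    single quote is rejected while a double quote still passes."""
    pattern = TYPE_PATTERNS.get(profile.data_type)
    if pattern is not None:
        return lambda value: bool(pattern.match(value))
    blocked = frozenset(profile.attack_chars)
    return lambda value: not any(ch in blocked for ch in value)


def retest(rule, good_traffic, bad_traffic):
    """Replay good and bad samples through the rule and report the misfires:
    good requests that were blocked and bad requests that still got through."""
    return {
        "good_blocked": [v for v in good_traffic if not rule(v)],
        "bad_passed": [v for v in bad_traffic if rule(v)],
    }


# Constructed profiles and traffic: a numeric id, and a free-text comment whose
# working attack needed a single quote, angle brackets and a dash.
PROFILES = {
    "id": InputProfile("id", "numeric", {"'", " "}),
    "comment": InputProfile("comment", "free_text", {"'", "<", ">", "-"}),
}
GOOD = {
    "id": ["42", "1007"],
    "comment": ['He said "hello"', "Nice (product)", "well-made"],
}
BAD = {
    "id": ["42' OR '1'='1", "42 UNION SELECT 1"],
    "comment": ["x' OR 'a'='a", "<script>alert(1)</script>"],
}


def retest_all():
    """Build one rule per profile and produce the re-test report for each."""
    return {name: retest(build_rule(p), GOOD[name], BAD[name])
            for name, p in PROFILES.items()}


if __name__ == "__main__":
    for name, report in retest_all().items():
        print(name, report)
```

The report for `comment` flags the legitimate value `well-made`, because blocking the dash the attack needed also blocks good traffic; that is exactly the kind of over-broad patch the re-test step is meant to surface.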

We do not claim that these generated virtual patches will always be 100% accurate to all situations, but we are confident that they will be useful and that we provide solutions for users to quickly deal with discovered vulnerabilities.

I welcome discussion and questions on this topic.

Introducing Jim Broome

We caught a big one!
I’m proud to announce that my buddy Jim Broome has joined the NT OBJECTives team and will be contributing to the blog and podcast.

Jim Broome, CISSP
Jim, an information security veteran with two decades of experience in the security industry, is joining as VP of Security Services. Jim’s role is to provide world-class SaaS based web security services through NTOSpider On-Demand while also providing leadership to the NTOLabs research and consulting teams.

Experience
Practice Manager – Accuvant LABS – Accuvant, Inc.
As one of Accuvant’s most seasoned security assessors, Mr. Broome performed innumerable consultative engagements including enterprise security strategy planning, risk assessments, threat analysis, application assessments, network assessments, penetration testing, and wireless security assessments for a large number of Fortune 500 clients. These clients came from a variety of markets, including manufacturers, telecommunications (cellular and traditional), public utilities, healthcare, financial services, and state governments.

Principal Security Consultant – ISS X-Force

Prior to joining Accuvant, Jim was a principal security consultant for Internet Security Systems (ISS) and a member of the X-Force penetration testing team. At ISS, he was responsible for providing technical leadership to the Western region consulting practice while performing his day-to-day duties of network assessments and penetration testing.

Director of Network and Security Operations – Cavion.com

Before X-Force, he was the director of network operations for Cavion.com, a managed service provider exclusively for credit unions. At Cavion.com, Jim was responsible for managing the network operations staff and security organization while maintaining 99.999% uptime.

HouSecCon 2011 and B-Sides ATL Review

Last week was a travel week.
On Wednesday I was in Austin for some meetings, then headed to Houston for the second annual HouSecCon on Thursday. I have to say that I was blown away at how much bigger and better it was than last year (with the exception of the badges ;)). My buddy Michael Farnum puts this thing on with a team of friends and they are doing an amazing job growing the event, and it was fun having a booth for NT OBJECTives and everyone loved our new shirts we were giving out.

This year MJ Keith (now with The Denim Group) was the keynote speaker. I was first introduced to MJ Keith at last year’s HouSecCon where he blew me away with his Bump hack in his “Pwn on the go!” talk, and I was glad to see him being given the headlining spot this year.

The talks were all great, with highlights from Michael Gough, Josh Sokol and Zac Hinkel. I did my “Not your granddad’s webapp” talk which seemed to go over well; if you missed it, you can watch the video.

On Friday I was in Atlanta for B-Sides Atlanta, which was a fun event. I didn’t have as much time to sit in the talks, but the lockpick room was great and I tried to hang in the podcasters room, even though it was a little hard to engage in useful conversation. I wonder what it was like for those listening to the live stream. I didn’t do a talk at this one, so I just spent my time meeting people and eating great southern food.

Comparing the two would be hard, because they were entirely different, so I will just say that I had a fun week at both cons and look forward to both next year.

Not your Granddad’s WebApp Video

This talk was previously mentioned, but now a recorded video is available.

Not Your Granddads Web App

The next generation of applications has started to rule the web, and they look very different from their ancestors.
In the “good ol’ days” web apps had their problems, but they were easier to understand and great resources (tools/practices/trainings) were quickly made available to help.
The new age of applications sits on top of HTTP and HTML with technologies such as AJAX, Flash, Silverlight etc., and their developers are often as naive as teenage girls wearing midriffs and mini-skirts. Today’s applications dazzle with their rich user interface, ability to push logic to the client and retrieve information asynchronously. But these younger applications inherently have the same security problems, which are now obfuscated by fancy looking interfaces, and the resources (tools/practices/trainings) available to help are even more limited.

NT OBJECTives Response to the Larry Suto Report

Introduction

When the latest report from Larry Suto was set to come out and we had seen previews of the results, our first reaction was “Wow, we did great, but why did we miss those 9 vulns?!” followed by “Whoa – why did the other scanners miss so many vulnerabilities?” and then “Oh no, here we go again. Another round of getting unfairly blasted by the other vendors and their users.”

We certainly were not disappointed by the response from the other vendors and their users, but overall things seem to be different than they were in 2007 when Larry did his first report. In the latest report it is clear that Larry had learned at least two things from his first experience.

The first was that he needed better supporting data which he has certainly done this time by including the full breakdown of the vulns by site and vendor. The second was that he would need to provide for “Trained” scans, because most of the vendors made quite a protest that it was impossible to get proper results without it. My personal feeling on the matter is that “Point-and-shoot” is the most likely way that users will run scans and for that reason it is the responsibility of the scanner to do as much as possible on its own.

Because Larry did the “Trained” scanning this time around, this only leaves the other vendors with the ability to claim that he didn’t do a good enough job with the training. I think Jeremiah Grossman states it the best in his post: “Scanner vendors should take into consideration that Larry Suto is certainly more sophisticated than the average user. So if he couldn’t figure out how to run your tool ‘properly’ take that as constructive feedback.”

A friend of mine also had a great line when he said that “from these results it appears that a monkey could get better results from NTOSpider than an experienced security consultant can with the other scanners.”

Detecting Persistent Cross-Site Scripting

This white paper explains how these attacks work and will discuss the difference between Non-Persistent Cross-Site Scripting and the far more dangerous Persistent Cross-Site Scripting variations. We will highlight the challenge presented to Web Application Security Scanners and how only NTOSpider solves them.

Read paper from NT OBJECTives