Application Security Assessment As a Managed Service: Leveraging Managed Service to Automate Security Assessment
Current Scenario: Information security managers and directors are faced with the enormous responsibility of keeping web applications secure from the menace of hackers. The ever-growing number of security threats and an increasing body of governmental regulations are overwhelming information security teams. With web applications constantly evolving, finding vulnerabilities is a challenging, costly and time-consuming undertaking. The solution is automated security assessment products that leverage stateful processing to comprehensively examine web applications and reveal vulnerabilities in hours rather than weeks. These powerful solutions help information security teams quickly identify problems, regularly assess web application security strength and ensure regulatory compliance.
Tomorrow's Technology Today: Web applications are growing in size and complexity. Despite their sophistication, web applications are designed to respond to simple HTTP requests. These requests can put applications and confidential information at risk, because an attacker can wrap an attack inside a syntactically legal request that passes through secured networks and intrusion detection systems. Once a malicious request reaches a web application, it can exploit vulnerabilities within the application itself. Some of the top web application vulnerabilities include:
• Unvalidated input
• Broken access control
• Broken authentication and session management
• Cross-site scripting (XSS) flaws
• Buffer overflows
• Injection flaws
• Improper error handling
• Insecure storage
• Insecure configuration management
Web application security attacks are becoming very prevalent. Recently, information relating to 40 million credit cards was stolen from CardSystems. A few weeks ago, hackers invaded databases at information industry giant LexisNexis and gained access to more than 30,000 accounts containing personal data such as names, addresses, Social Security numbers and driver's license information. Additionally, payroll-service provider PayMaxx recently exposed the Social Security numbers and related data of more than 25,000 people for tax year 2004. Nearly every day there is a new attack against a web application.
A managed service built on a powerful technology platform allows companies to get a jump start in securing their web applications without the overhead of installing software or hardware, and without implementation issues. This is particularly effective for companies, large and small, with minimal in-house expertise. The managed service lets companies have the vendor run the assessment for them, receive the results in a professional report, and start working on remediation through their development process. This approach is much more cost effective than manual security assessment and penetration testing, and companies can eventually transfer it back in-house once they have built the expertise.
What to Look For in a Managed Service for Application Security Assessments? Testing web application security is critical, and so is choosing the right service. Be sure to look for the following:
• Strong software technology: Ensure that the vendor uses a strong technology underneath to deliver the service. If the underlying technology is not effective, the results in the report will carry the pitfalls of that technology, such as false positives and poor analysis. The technology should also be able to navigate through complex applications built on a variety of technologies.
• Vendor's security expertise: The vendor should have expertise in application security so it can guide you through the critical issues.
• Flexibility: The service should give you flexible options for using it. For example, you should be able to have a one-time audit or regularly scheduled assessments, based on your needs.
• Transition: The vendor should allow you to bring the solution back in-house, with all your data, at any point you are ready.
• Constantly updated capabilities: Hackers work hard to find new vulnerabilities. Seek a vendor that constantly researches new vulnerabilities, frequently updates its policy library and regularly distributes updates to customers.
• In-house research lab: The ideal vendor should have a state-of-the-art security vulnerability research lab that monitors and researches security vulnerabilities on a daily basis.
After establishing itself as the leader in the automated application security assessment software market with its breakthrough product Cenzic Hailstorm, Cenzic recently launched ClickToSecure, its managed service for application security assessments. Cenzic ClickToSecure uses Hailstorm as the platform for the managed service. Customers still get all the benefits of the powerful features of the software product, but without requiring any software installation or implementation in-house. Furthermore, customers are able to leverage the expertise of Cenzic's professional consultants. A final report is delivered to the customer with all the vulnerability information, along with remediation tips and other valuable information.
Conclusion: ClickToSecure leverages the powerful Cenzic Hailstorm product. With a strong technology platform and professional security experts, Cenzic is able to deliver highly accurate, thorough, fast and extremely cost-effective results with no software or hardware installation. Since the service uses Cenzic's software product, customers can transition the program back in-house at any point with the full software solution.
Cenzic 455 El Camino Real Suite 100 Santa Clara, CA 95050 USA Tel: +1 866-4-CENZIC (866-423-6942)
The full white paper is available for download from the Info Security Products Guide site.
Copyright © 2006 Silicon Valley Communications - All rights reserved.