
ColdFusion User Group

Defend Against Application-Level Attacks



Date/Time: 11/22/2004 6:00 PM - 8:00 PM
Location: Lee Park Office Building, Main Conference Room
Address: 1100 East Hector Street, Conshohocken

Speaker: Troy Sorzano, Director, Netforcement.

Among the most prevalent and perilous hacks plaguing corporate IT today are those targeting security flaws in particular applications. These application-level attacks range from Cross-Site Scripting and SQL Injection, to new intrusion and disruption techniques that exploit as-yet-undiscovered vulnerabilities in your programs. Unfortunately, they are often too clever for your firewalls to block, and too dangerous to ignore. Learn about the use of dedicated Web application firewalls, intrusion-protection systems, vulnerability scanners, and other countermeasures to defend your business against application attacks.


Links from the presentation

  • NetworkFusions list of Web Application Firewalls
  • Foundstone HACME bank
  • Open Web Application Security Project (OWASP)

Tools mentioned in the presentation

 

Application Layer Crime

SQL Injection

FTC investigates PetCo.com security hole
Pet supply retailer PetCo disclosed this week that its security and privacy practices are the target of an investigation by the U.S. Federal Trade Commission (FTC), which is following up on an e-commerce security gaffe that left as many as 500,000 credit card numbers accessible from the Web earlier this year.

Cross Site Scripting

Schwab financial site vulnerable to attack
Charles Schwab's Web site is vulnerable to a well-known attack that could allow a hacker to gain access to sensitive account information, the financial services company acknowledged Wednesday.

URL Modification

Victoria's Secret to pay up for poor panty privacy
An apparent flaw in the lingerie giant's ordering system made it possible to tweak customer ID numbers and see what kind of knickers people were buying - a clear violation of Victoria's Secret online privacy policy. The New York AG and Victoria's Secret reached a settlement on Monday, according to the New York Times.

Online Bank Suffers Security Glitch
A breakdown in the security system at online bank Cahoot left customers able to access other people's account details.

Buffer Overflow

"Code Red" Worm Exploiting Buffer Overflow In IIS Indexing Service DLL
On July 12, 2001, a worm began to exploit the aforementioned buffer-overflow vulnerability in Microsoft's IIS webservers. Upon infecting a machine, the worm checks to see if the date (as kept by the system clock) is between the first and the nineteenth of the month. If so, the worm generates a random list of IP addresses and probes each machine on the list in an attempt to infect as many computers as possible.

 

 