Web Application Security – Don’t Bolt it On – Build it In

How secure are your Web applications? Unless you conduct application vulnerability testing throughout the lifespan of your applications, there’s no way for you to know how secure they actually are. That’s not good news for your security or regulatory compliance efforts.

Companies make significant investments to develop high-performance Web applications so customers can do business whenever and wherever they choose. While convenient, this 24-7 access also invites criminal hackers who seek a potential windfall by exploiting those very same highly available corporate applications.

The only way to succeed against Web application attacks is to build secure and sustainable applications from the start. Yet many businesses find they have more Web applications and vulnerabilities than security professionals to test and remedy them – especially when application vulnerability testing doesn’t occur until after an application has been sent to production. This leaves applications highly susceptible to attack and increases the unacceptable risk of applications failing regulatory audits. In fact, many forget that compliance mandates like Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley, and European Union privacy regulations all require demonstrable, verifiable security, especially where most of today’s risk exists – at the Web application level.

In an attempt to mitigate these risks, companies use firewalls and intrusion detection/prevention technologies to try to protect both their networks and applications. But these web application security measures are not enough. Web applications exist to grant access to an organization’s systems and information, so the vulnerabilities they introduce travel over the very traffic a firewall must allow through and can’t be blocked at the perimeter. Perhaps that’s why experts estimate that a majority of security breaches today are targeted at Web applications.

One way to achieve sustainable web application security is to incorporate application vulnerability testing into each phase of an application’s lifecycle – from development to quality assurance to deployment – and continually during operation. Since all Web applications need to meet functional and performance standards to be of business value, it makes good sense to incorporate web application security and application vulnerability testing as part of existing function and performance testing. And unless you do this – test for security at every phase of each application’s lifecycle – your data probably is more vulnerable than you realize.

Neglecting Application Vulnerability Testing: Risks and Costs of Poor Security

Consider supermarket chain Hannaford Bros., which reportedly now is spending billions to bolster its IT and web application security – after attackers managed to steal up to 4.2 million credit and debit card numbers from its network. Or consider the three hackers recently indicted for stealing thousands of credit card numbers by inserting packet sniffers on the corporate network of a major restaurant chain.

The potential costs of these and related Web application attacks add up quickly. When you consider the expense of the forensic analysis of compromised systems, increased call center activity from upset customers, legal fees and regulatory fines, data breach disclosure notices sent to affected customers, as well as other business and customer losses, it’s no surprise that news reports often detail incidents costing anywhere from $20 million to $4.5 billion. The research firm Forrester estimates that the cost of a security breach ranges from about $90 to $305 per compromised record.

Other costs that result from shoddy web application security include the inability to conduct business during denial-of-service attacks, crashed applications, reduced performance, and the potential loss of intellectual property to competitors.

What’s so surprising, aside from all of the security and regulatory risks we’ve described, is that it’s actually more cost-effective to use application vulnerability testing to find and fix security-related software defects during development. Most experts agree that while it costs a few hundred dollars to catch such a flaw during the requirements phase, it could cost well over $12,000 to fix that same flaw after the application has been sent to production.

There’s only one way to ensure that your applications are secure, compliant, and can be managed cost-effectively, and that’s to adopt a lifecycle approach to web application security.

The Web Application Security Lifecycle

Web applications need to start secure to stay secure. In other words, they should be built using secure coding practices, go through a series of QA and application vulnerability testing, and be monitored continually in production. This is known as the web application security lifecycle.

Remedying security problems during the development process via application vulnerability testing isn’t something that can be achieved immediately. It takes time to integrate security into the various stages of software development. But any organization that has undertaken other initiatives, such as implementing the Capability Maturity Model (CMM) or even undergoing a Six Sigma program, knows that the effort is worth it because systematized application vulnerability testing processes provide better results, more efficiency, and cost savings over time.

Fortunately, application assessment and security tools are available today that will help you get there – without slowing project schedules. But in order to strengthen development throughout the application life cycle, it’s essential to pick application vulnerability testing tools that aid developers, testers, security professionals, and application owners, and whose toolsets integrate tightly with popular IDEs, such as Eclipse and Microsoft’s Visual Studio.NET, for developers.

And just as standardization on development processes – such as RAD (rapid application development) and agile – brings development efficiencies, saves time, and improves quality, it’s clear that strengthening the software development life cycle, possessing the right security testing tools, and placing software security higher in the priority list are excellent and invaluable long-term business investments.

What types of web application security tools should you look for? Most companies are aware of network vulnerability scanners, such as Nessus, that evaluate the infrastructure for certain types of vulnerabilities. But fewer are aware of application vulnerability testing and assessment tools that are designed to analyze Web applications and Web services for flaws specific to them, such as unvalidated inputs and cross-site scripting vulnerabilities. These Web application security and vulnerability scanners are useful not only for custom-built applications but also for verifying that commercially acquired software is secure.

There are also web application security tools that help instill good security and quality control earlier and throughout development. For instance, these application vulnerability testing tools help developers find and fix application vulnerabilities automatically while they code their Web applications and Web services. There also are quality inspection applications that help QA professionals incorporate Web application security and application vulnerability testing into their existing management processes automatically.
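The article argues that security testing belongs inside the existing functional test suite at every phase, and names cross-site scripting and unvalidated input as the flaw classes such tools look for. The following is an added example, not code from the article or from any tool it mentions: a vulnerable page-rendering function placed beside its hardened form, plus a small regression check that feeds both a set of constructed probe inputs and fails the build if any markup is reflected without output encoding. The function names, the greeting template and the probe strings are all assumptions chosen for illustration.

```python
import html

# Constructed probe inputs: the kind of "invalid input" a scanner or a QA
# regression test feeds a page that reflects user-supplied data.
PROBE_INPUTS = [
    "Alice",                                  # benign, should pass unchanged
    "<script>alert(1)</script>",              # classic reflected-XSS probe
    "\"><img src=x onerror=alert(1)>",        # attribute-context breakout
    "Tom & Jerry",                            # not an attack, but malformed HTML if unencoded
]

# Characters that must never reach an HTML text context unencoded.
MARKUP_CHARS = '<>&"\''


def render_greeting_unsafe(name: str) -> str:
    """Vulnerable 'before': untrusted input concatenated straight into HTML.
    Kept deliberately insecure so the gate below has something to catch."""
    return "<p>Hello, " + name + "!</p>"


def render_greeting_safe(name: str) -> str:
    """Hardened 'after': output-encode untrusted data for an HTML text context.
    html.escape with quote=True also neutralises both quote characters, which
    matters once the same helper is reused inside an attribute."""
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"


def reflects_unencoded(render, probe: str) -> bool:
    """True when a probe containing markup characters comes back verbatim
    in the rendered page, i.e. output encoding is missing."""
    if not any(c in probe for c in MARKUP_CHARS):
        return False  # a probe with no markup cannot demonstrate the flaw
    return probe in render(probe)


def check_renderer(render) -> dict:
    """Run every probe through a renderer; maps probe -> reflected unencoded?"""
    return {probe: reflects_unencoded(render, probe) for probe in PROBE_INPUTS}


def failing_probes(render) -> list:
    """The subset of probes the renderer reflects without encoding."""
    return [p for p, bad in check_renderer(render).items() if bad]


def passes_security_gate(render) -> bool:
    """Gate that sits next to the functional tests: the build fails if any
    probe is reflected unencoded."""
    return not failing_probes(render)


if __name__ == "__main__":
    for fn in (render_greeting_unsafe, render_greeting_safe):
        verdict = "PASS" if passes_security_gate(fn) else "FAIL"
        print(f"{fn.__name__}: {verdict} {failing_probes(fn)}")
```

Dropping `passes_security_gate` into the same test run as the functional tests is the practical meaning of "build it in": the check executes on every commit rather than once before release, and a developer who regresses the encoding sees the failure in the same place they see a broken feature.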

It’s also important to know that technology alone won’t get the job done. You need management support, too. And no matter how large or small your development efforts, all stakeholders – business and application owners, security, regulatory compliance, audit, and quality assurance teams – should have a say from the beginning, and benchmarks must be set for quality application vulnerability testing.

While it may seem like a daunting undertaking at first, the web application security lifecycle approach actually saves money and effort by establishing and maintaining more secure applications. Remedying security defects after an application is released requires additional time and resources, adding unanticipated costs to finished projects. It also diverts attention from other projects, potentially delaying time to market of new products and services. Moreover, you’ll avoid the excessive expense of fixing flaws after the application has been deployed and after you’ve failed regulatory audits – and you’ll avoid the embarrassment of being the next security breach news headline.

Ways to Improve Your Skills Before CCIE Security Labs

What Are Cisco CCIE Exams Like?

Many networking experts know the Cisco CCIE exams very well. This certificate really can change your life – both in terms of career and personal development. The exams are very hard, but the effort is worth it. Today Cisco offers certification in 8 tracks, such as Service Provider, Security, Voice and Wireless. Each track represents a whole large area of networking.

One of the best things about CCIE is that no additional certificates or degrees are needed to apply for it. You just have to pass two trials. The first one is the written test. It includes 90-110 questions examining your theoretical knowledge in the area you choose. The passing score varies depending on the number of questions, but usually it’s about 70% of correct answers.

Passing the theoretical test may inspire you a lot. Moreover, it gives you the right to proceed to the second part of the CCIE examination – the lab. It lasts 8 long hours spent solving different network building and troubleshooting tasks. The pass score for lab exams is 80%, which is quite high. However, if you reach the needed percentage, you’ll automatically join the exclusive group of the world’s best networking experts.

Key Facts on Cisco CCIE Security Tracks

One of the most popular exam tracks is CCIE Security. It covers many topics related to building and supporting networks powered by Cisco equipment. Earning the Security certification opens up many opportunities for career promotion.

Probably the main reason why this certificate is valued so highly is that the exam standards are extremely high. There’s even a joke: “To see a CCIE expert in the flesh is a good sign”. Indeed, the number of certificate holders is extremely small, and that’s another reason why those people are so valued. To make the picture clearer, we’ll add that the average salary of program graduates is $120,000.

CCIE Tips – How to Pass Security Lab Successfully

If you have decided to take the Security exams, you’ll have to go through the long process of perfecting your networking skills. Most examinees say that the lab is really hard compared to the written tests. To make the preparation process easier, we’ve put together several useful tips on how to finish it all holding a real Cisco certificate.

1. Read more books. Though the Security lab is more about practice, it’s always good to start with theory. Read relevant books and check several case studies. We also advise you to read a couple of lab-focused publications offering sample tasks with solutions. Cisco exams are very well known, so finding printed materials and media on the topic won’t take much time.

2. Practice makes perfect. Many CCIE hopefuls fail because they are too self-assured. If you learn something important in theory, try it in practice. The more you practice, the better your chances of completing the lab successfully. Even if you know something in theory, the tense lab atmosphere can get to you, and you may find yourself unable to solve some easy cases.

3. Rent a Cisco virtual rack. Today many companies offer virtual rack rental services. Those racks replicate the real Cisco equipment you’ll operate in the lab. It’s a good idea to book several sessions once you are ready to test yourself in practice. Moreover, this helps psychologically, as the hardware configuration won’t surprise you at the actual exam any more.

4. Final preparations at mock labs. After you’ve learned a lot and tried it all in practice, try to pass a mock lab. You might also like the fact that there are several levels of mock labs. This means that after several pre-lab tests your skills can even exceed the CCIE requirements.

5. Get ready for the unexpected. Finally, there are many issues not related to networking at all. For instance, many examinees place special emphasis on timing. Though 8 hours is quite a lot, you should use the time wisely and resolve all tasks as soon as possible. So try to model some extra factors, and various failures won’t stress you at the exam.

To sum it all up, we’ve outlined five steps that can help you earn the coveted certificate. However, the list is always open. Be creative, search online, and you’ll find even more methods for improving your practical skills before sitting the lab. In any case, we hope our tips will help you progress. Thanks for your attention and good luck!

Kaspersky Internet Security

The 2011 version of Kaspersky Internet Security offers total protection for your PC and laptop. The latest version allows you to remain safe online and protects you and the users of your computer whether you are shopping, browsing, banking, working or playing.

Kaspersky Internet Security will protect your computer or laptop from being attacked by hackers and protects your files, music and photos. It uses real time protection against emerging security threats which could attack your machine.

The web can be an unsafe place and sometimes the sites you visit come under attack from cyber criminals who inject malicious code with the intent of spreading viruses to the site’s visitors. Kaspersky protects you from this kind of attack with a feature called New Safe Surf. When you enable this feature you will never come in contact with these harmful sites. Updates from Kaspersky Lab will help the software to automatically block your access to any offensive sites giving you peace of mind when surfing the web.

Identity theft is a real problem these days. Your computer holds a lot of information about you and is very desirable to hackers as they can perform illegal acts and steal your money. Kaspersky helps to protect your personal identity while you are shopping and doing your online banking. Protecting your digital identity is also important while you are social networking online. This can be a particularly useful feature for protecting children, who are often unaware of the dangers which may be lurking on the web.

If you are a parent, you will worry about what your children are doing online. The Internet is excellent for homework and entertainment, but there are also dangers. Kaspersky Internet Security 2011 has advanced parental controls that give you the power to block access to certain sites, limit the time spent online and log applications so you know what your child is doing online. By setting the parental controls you can allow your children to explore the web freely and safely.

Computer viruses often spread through programs which are downloaded onto your machine or sent to you via email. Kaspersky’s security software fully monitors all programs which are executed and grants them rights to your system’s resources based on an automatic risk assessment, using real-time monitoring and the Kaspersky Lab security database.

Kaspersky keeps an eye on your system constantly and will analyse all events which take place to check for suspicious behaviour. If a threat is detected you will be notified and requested to undo any malicious program activity.

The internet is about sharing; thousands of videos, songs and programs are shared every minute all around the world and sometimes we cannot be certain they are safe. Kaspersky Internet Security 2011 has a feature which allows you to run suspicious programs in a safe mode. The safe mode is an isolated environment where the program can be run which cannot damage your computer.

New viruses are created every day in the hope that cybercriminals can fool your antivirus software and break through its real-time protection. If this happens while using Kaspersky, you can use the installation CD as a rescue disk if you ever need to restore your computer. If you downloaded your copy of Kaspersky Internet Security, you can create your own rescue disc.

College Campus Workplace Security – Classroom and Lab Security

Many times multimedia equipment that has been left unattended after the end of a class is reported stolen to campus security. The number one stolen multimedia item is laptops used for PowerPoint presentations. When arranging for the return of campus equipment, try to have the room locked until an employee from the multimedia department arrives.

Every semester, students report that their backpacks or items within the backpacks have been stolen even when the owner was close by. Students often have to move from room to room during laboratory hours and frequently leave their backpacks behind. Even in a room full of professors and classmates, a thief can avoid being caught while removing your purse, wallet, iPod, or whatever else is there. Always keep a close watch over your personal property and bring only essential items to class.

Students studying in the library also need to maintain a watchful eye over their backpacks, books, wallets, etc. Every semester thefts are reported by students who leave to go to the bathroom, return a book, make copies, etc. Take your stuff with you or have a friend that you trust watch over your stuff while you are away for a brief moment.

College textbooks are goldmines for thieves who see them lying around unattended on a library study table. If you are studying in the library, use the buddy system. Have your buddy watch over your stuff when you are away as you will do the same thing if he needs to run errands such as potty breaks, making copies, paying a book fine, etc.