Application Security Moves to the Cloud

Just like applications themselves are moving to the cloud, so too are the application security vendors. New versions of on-demand tools from Fortify Software and Cenzic debuted this week. The new solution enables enterprises to find vulnerable code before it is put into production as well as by way of penetration testing methods.

The new application security solutions come as new threats like Clickjacking emerge while old ones like buffer overflows continue to be found in application code.

“Application security is a rapidly growing area,” Barmak Meftah, senior vice president of products & technologies at Fortify Software told InternetNews.com. “Companies have to deal with securing applications from multiple sources, transmitting a range of data and they have to deal with an increasingly sophisticated and well funded hacking community, as well as a growing number of compliance mandates. As a result, application security is becoming a major area that requires comprehensive programs and effective management.”

Fortify this week released Fortify 360 version 2, its first major update to its application vulnerability analysis suite that first debuted last year.

Meftah explained that the solution uses a new addition to Fortify’s offering called Fortify Vendor Security Management, which is an on-demand service for assessing and remediating third-party software. It uses the static source and binary analysis capabilities of Fortify 360 along with the Collaboration Module capability of Fortify 360.

According to Meftah, Fortify can host the security vulnerabilities found in third-party software and using the Collaboration module, independent software vendors or systems integrators could analyze, triage and fix these vulnerabilities to improve the security of their software.

The core Fortify 360 product has been improved in version 2 with a new user interface developed with Adobe’s Flex technology. On the analysis side, Fortify has added the ability to understand Java annotations, providing enhanced analysis capabilities. Meftah also noted that Fortify’s runtime analysis has been extended to now detect SQL anomalies over and beyond just simple SQL Injection type vulnerabilities.

Penetration Testing

Fortify’s technology does source code analysis to identify issues in application code. Security vendor Cenzic on the hand does dynamic run-time testing (penetration testing) which is a valuable technique that should be used to complement static analysis. Meftah noted he views Cenzic’s technology as being complementary to Fortify’s, which is something that Mandeep Khera, who heads up Cenzic’s marketing and strategy efforts, agreed with.

This week, Cenzic released ClickToSecure version 5.9, which is Cenzic’s software as a service-based (SaaS) security testing tool. Among the new features in the release is the ability to detect clickjacking vulnerabilities in applications.

Clickjacking is a new type of attack where an attacker hides a frame that enables an attacker to transparently collect user clicks, which could force the user to do all sort of things from adjusting user settings to stealing user credentials.

With ClickToSecure 5.9, Khera explained that Cenzic looks at the application to see if it has any Cross Site Request Forgery vulnerabilities and if it is uses any sort of frame-busting behavior. Microsoft with Internet Explorer 8 has implemented a feature to limit clickjacking by use of the X-FRAME-OPTIONS declaration. What that basically does is it restricts content on a site from being places in a frame.

“ClickJacking is getting more buzz lately and some of our customers had requested us to add that to the library,” Khera told InternetNews.com. “We are not necessarily seeing more attacks through clickJacking compared to other attacks.”

In addition to clickjacking detection, Cenzic has added support for identifying two other issues that to date have not received the same hype as clickjacking. One is something called frame-injection.

“Frame-injection is different from clickjacking in that for the former (clickjacking), the hacker is replacing a section of the Web page with his own frame and not trying to hide anything,” Khera said. “Whereas for the latter (clickjacking) case, they are trying to hide their frame so you think you are clicking on something else.”

The other new interesting attack that Cenzic now detects is something called JavaScript hijacking which is similar to CSRF, but more applicable for Ajax-specific Web sites.

“In case of JavaScript hijacking, if an application is vulnerable, an attacker can force a logged-in victim’s browser to send pre-authenticated AJAX request to a vulnerable web application, potentially forcing the victim’s browser to perform a hostile action,” Khera said.

Get the Free Newsletter!

Subscribe to our newsletter.

Subscribe to Daily Tech Insider for top news, trends & analysis

News Around the Web