Archive for June, 2010

Technical Guide on Combatting Emerging Web Threats

Posted in IT Security on June 25, 2010 by cobra

More and more enterprises are moving operations and functionality online, making Web-based applications a tempting threat vector for sophisticated attackers. Hackers are targeting enterprises almost entirely with attacks perpetrated over the Web.

View the e-book for information on combatting the latest Web threats.



Skipfish – Google web security scanner released

Posted in IT Security on June 8, 2010 by cobra

Google has released an open source scanner that allows web application developers to test their applications for security holes. The application, called Skipfish (available for download), offers functionality similar to that of tools such as Nmap or Nessus, but is said to be much faster. Using fully automated heuristics, it detects code that is vulnerable to cross-site scripting (XSS) attacks, SQL and XML injection attacks, and many other attack types. The tool’s comprehensive post-processing of the individual test results is designed to help with the interpretation of the final report.

Skipfish is a pure C implementation and, according to Google, can easily process 2,000 HTTP requests per second, provided the tested server can handle such a high load. In individual tests across local networks, 7,000+ requests per second have reportedly been sent with a modest CPU load and memory footprint.

Google achieves this high performance via a serial I/O model which processes responses asynchronously and is said to offer much better scalability than traditional multi-threaded approaches with synchronous request processing. Optimised HTTP connection handling via features such as HTTP 1.1 range requests, keep-alive connections and data compression is designed to keep Skipfish’s network bandwidth requirements in check.

Google says that it uses the scanner to test its own web applications for insecure interfaces. However, Google also points out that the security checks are far from comprehensive and do not satisfy most of the Web Application Security Consortium’s (WASC) Web Application Security Scanner Evaluation Criteria.

The latest release of Skipfish is version 1.10 Beta, and a list of known issues is available on the project’s Google Code page. Skipfish is released under version 2 of the Apache License.

Please protect yourself wisely 😀