Unfortunately, I’m seeing more and more people deploy WAFs to cover up – rather than cure –   their web application warts and blemishes. Some people are deploying WAFs in lieu of performing security scans and penetration tests. It’s set it and forget it. This is especially common with the compliance as a checkbox mode of operation that’s present in many businesses. WAFs are today like firewalls were 10-15 years ago. They promise the world but bad guys far and wide know that they’ll likely find a way around their controls.

WAFs aren’t going to protect you against application logic flaws. In many situations, they won’t protect against manual manipulation of input validation and session management-related flaws. What about weak passwords in your Web application? Yet another flaw that may go unguarded.

You’ve got to consider web applications that may be accessed by insiders that don’t fall into the scope of WAF protection. There’s also the issue of web applications that are accessed only via SSL/TLS. Is a WAF going to protect against attacks coming through these channels? Maybe, maybe not. It depends on your own unique situation.

A Web Application Firewall is an additional device that must be managed on your network. Are you prepared to take that on? Oh, and like routers, firewalls and related network controls, WAFs can create yet another single point of failure on your network that you’ve got to be prepared to handle. Neither of these may be a big deal but they’re certainly things you need to consider in your security monitoring, patch management, change management and incident response processes and procedures.

Whether you work for a large enterprise or a small business, just know that Web Application Firewalls are not the end-all be-all solution for your web security problems. They’re good at what they do. But like deadbolts in our homes and airbags in our automobiles, they can’t be relied on completely. To do so is short-sighted and a recipe for getting bitten when you least expect it. Layer your web controls instead. Fix Web Application Flaws at the source where you can, perform periodic scans and manual tests and, once you have your ducks in a row, let a WAF be the icing on the cake.

Stay up to date with the latest security news, by liking the Acunetix Facebook Page. Also follow us on Twitter and read the Acunetix Blog.

We are pleased to announce an updated build of Acunetix Web Vulnerability Scanner 8 (WVS 8). Build number 20120508 includes a number of new scheduler features, a new security check for PHP-CGI, as well as a series of bug fixes.

New Security Check

• Acunetix WVS 8 checks if your PHP-CGI installation is vulnerable to remote code execution. For further information regarding this type of vulnerability, read the PHP-CGI advisory article here.

New Features

• Ability to edit scheduled scans. No need for scheduling new scans every time you wish to change a scan setting.
• Amend multiple scheduled scans simultaneously by selecting them and applying the required global changes.
• Save all your scanned results and access them at any time from your scheduler’s scan history. You can also delete your scanned results from the web-based scheduler.
• A new setting has been introduced to configure the maximum number of pages during a crawl.

Improvements

• Improved Cross-Site Scripting (XSS) tests.
• The web-based scheduler has been improved to run better in the latest version of Internet Explorer.
• Enhanced SQL injection tests to reduce the false positives reporting even more.

Bug Fixes

• The scheduled scans can be correctly imported after upgrading to a more recent build of Acunetix WVS 8.
• The false positives settings node can now support changes from multiple instances at the same time.
• Web Service Definition Language (WSDL) Scanner URL edit box is now able to save history.

How to Upgrade to Build 20120508

On starting Acunetix WVS 8, a pop-up window will automatically notify you that a more recent build is available for download. Navigate to the General > Program Updates node in the Tools explorer, click on Download and Install the new build.

View the complete Acunetix WVS change log here.

Contact the Acunetix Team on support@acunetix.com for any technical queries or sales@acunetix.com for any sales information.

To keep up to date with the latest website security news, ‘Like’ the Acunetix Facebook Page, follow us on Twitter and read the Acunetix Blog.

This guide will show you how to use multiple instances of Acunetix Web Vulnerability Scanner to scan a large website, in order to save time and increase the number of websites that can be scanned daily.

First, you have to configure different Scan Settings Templates with different Directory and File Filter rules. For example, if your website has ‘sub1’ and ‘sub2’ as subdirectories, and each directory is to be scanned separately, exclude ‘sub1’ from the first instances’ Scan Settings Template and exclude ‘sub2’ in the other instances’ Scan Settings Template.

To exclude subdirectories, navigate to the Configuration > Scan Settings > Crawling Options > Directory and File Filters node. You can read more about excluding directories in the section ‘Directory and File Filters’ in the Acunetix WVS user manual. To learn more about how to create new Scan Settings Templates or to modify existing ones, refer to the section ‘Creating, modifying, or deleting Scan Settings templates’.

Once the different Scan Settings Templates have been created, launch a scan, selecting the Scan Settings Template which excludes one of the subdirectories. Once the first scan is up and running, launch another instance of Acunetix WVS and from the scan wizard select the other Scan Settings Template you previously created.

In the example above, we scanned a website with 2 subdirectories. If you have more subdirectories, you can create several Scan Settings Templates each containing different directory and file filters.

To run multiple web security scans simultaneously, you need to use either the Acunetix WVS Graphical User Interface (GUI) and/or the Acunetix Scheduler Web Interface. For example, you can have six multiple instances of the Acunetix WVS GUI running and another four instances scanning websites from the Scheduler.

Scanning Multiple Websites using the Acunetix WVS GUI

To scan multiple websites using the Acunetix WVS GUI, simply launch the GUI several times from the Program Group in Windows. For instance, if you need to scan four websites at the same time, then four instances of the Acunetix WVS GUI should be opened and a web security scan from each instance should be launched. Each scan is independent of the other, therefore you can use different scanning profiles and pre-defined Scan Settings Templates.

Scanning Multiple Websites using the Acunetix Scheduler

Just like with the Acunetix GUI, the Acunetix Scheduler makes it possible to specify a different Scanning Profile and Scan Settings Template for each scan by configuring the scans one by one. If you specify a list of URLs in the same schedule, the same Scanning Profile and Scan Settings Templates will be used for every scan.

If you schedule more than 10 scans, Acunetix WVS will automatically use all the available instances to complete the scans as efficiently as possible. Once a scan is finished and an instance becomes available, the scheduler will automatically use that free instance to scan the next URL.

Using the Acunetix Scheduler to scan multiple websites is the preferred option since the Scheduler guarantees a complete and successful scan against the predefined list of URLs without the need for any manual intervention.

Acunetix Web Vulnerability Scanner Wins the WindowSecurity.com Readers’ Choice Award for the Fifth Successive Year

Leading Windows Security resource site, WindowSecurity.com, has announced that Acunetix Web Vulnerability Scanner has been selected as the winner of the 2012 WindowSecurity.com Readers’ Choice Awards, in the Web Application Security category.

The WindowSecurity.com Readers’ Choice Awards give visitors to the site, who are experts and specialists in their field, the opportunity to vote for the products they view as the very best in their respective category. The award serves as a mark of excellence, providing the ultimate recognition from peers within the industry.

“We are very proud to have won the WindowSecurity.com Readers’ Choice Award five years in a row! Being consistently voted as the number one web application security scanner confirms our ability to deliver innovative technology and re-emphasizes our commitment to continue improving Acunetix Web Vulnerability Scanner,” said Robert Abela, Acunetix Technical Manager.

Trial Acunetix Web Vulnerability Scanner 8 here to see why WindowSecurity.com readers are repeatedly declaring it as the number one web application security scanner.

I recently came across a XSS flaw on a client’s in-house web server that happened to be associated with their front-end marketing site. I validated the XSS finding and documented it the final report. It was as clear as day that this web vulnerability was exploitable on the page. The HTTP responses showed it. I could even manually enter the script code directly into a URL string and watch the pop-up window in the browser.

I got push-back on the finding because supposedly the vulnerable page did not exist on the server in question. But it did! At least it appeared that way from the outside. I loaded up a proxy to confirm which site the specific page request was going to. Sure enough, the call was to the back-end web server where I thought it was. There no reference whatsoever to the marketing site.

I told my client that unless there is some type of weird proxying or load balancing going on behind the scenes, I didn’t know what else to check for from my perspective without being on the actual server itself to see what’s taking place. This whole situation was perplexing to all of us.

Guess what the problem was? It was an error in the external DNS setup for the web servers. When trying to access the server page where I found XSS, their external DNS could not resolve the subdomain name. The request was passed on to a catch-all entry that ended up re-directing to the front-end marketing site. The fact that no URL rewriting was taking place is the variable that created the confusion. From the outside you couldn’t tell the difference between requests sent to the back-end server and ones that were redirected to the marketing site.

One quick DNS tweak and suddenly HTTP 404s were being returned when trying to access the suspected vulnerable page. Problem solved. Good – and interesting – lesson that not all web vulnerabilities are what they appear to be. When in doubt or when you get pushback, dig in deeper. The answer’s in there somewhere.

Join the Acunetix community and stay up to date with the latest web security news by liking the Acunetix Facebook Page. Also, follow us on Twitter and read the Acunetix Blog.

In many situations, all it takes is exploiting one missing web server patch, one SQL injection flaw or cracking a set of web passwords to show that problems exist in the respective areas. You may not need to exploit every flaw on every system to demonstrate what’s weak and what can happen. For certain projects, exploiting every single flaw on every single page could take too long and cost too much.

You have to ask yourself what’s really needed? What’s the ultimate goal of your security assessment? Is it to find some basic issues running basic scans or is it to completely vet a website or application and show exactly what can happen when things go awry? There is a ton of value in web exploitation…if it meshes with the overall project goals.

Vulnerability “exploitation” seems like a bad word that’s going to leak data, crash servers and cause business continuity problems but it really doesn’t have to. I’ve found that exploitation of web flaws is actually less risky than running the actual scans themselves. Interestingly, I’ve never had a problem running web exploits but automated scans have certainly created issues. Then again, unless the specific requirements call for it, I only run exploits that are not designed to create denial of service conditions. Your situation may be different.

In the end, if a web exploit (or even a scan) knocks over an application or its associated server(s), that may be a good indicator that you need to look even deeper. In the interest of minimizing problems, some people will just pretend the server or application doesn’t exist and leave it be. Sure, the problems are minimized but the security flaws are still there! Two wrongs don’t make a right.

For some people – especially IT auditors or compliance managers – exploitation of web flaws may be new territory. That’s fine. I just encourage people to really think things through when scoping web security assessments projects. Know all the facts and the possible outcomes and then dig in as deeply as possible. That’s the only way you’re going to find the flaws that matter and get people on your side to do something about them.

Read the Acunetix Blog, follow us on Twitter and “like” the Acunetix Facebook Page to keep up to date with the latest web security news.

I’ve found over the years that the number one skill to help those of us in IT succeed more than anything else is being able to communicate effectively with others. When studies show that communicating effectively with others accounts for the majority of our success, why wouldn’t we do it? That’s the $64,000 question.

I suppose IT professionals have a tendency to speak over people’s heads because we’re eager to share our knowledge and end up forgetting about the technical skills of the people we’re talking to. Maybe it’s because we’ve yet to realize our full potential as business professionals. Some is no doubt ego related. Regardless of the underlying reasons, we’ve got to stop it if we’re going to get people our side.

Here are some examples of what I’m referring to along with the message that really needs to get across:

IT Geeks speak:
A VLAN configuration issue has surfaced between our new Web app and the SQL back end.

What management needs to hear:
Our network configuration needs adjusting before we go live.

IT Geeks speak:
Our website is being DDoS’d.

What management needs to hear:
Our network is under attack.

IT Geeks speak:
SQL injection is present and it appears that a database table has been dropped.

What management needs to hear:
We missed a big security flaw and someone has exploited it.

Management doesn’t buy into web security nearly enough. And we’re part of the problem. Make the decision today to become a better communicator. Speak on the level of your audience not just blindly shove what you know down people’s throats. Doing so can provide unimaginable returns. You’ll get the web application security buy-in you need and it will help you with ongoing support moving forward. I can guarantee that fine-tuning this soft skill is something you won’t regret.

Stay up to date with the latest web security news, by liking the Acunetix Facebook Page. Also read the Acunetix Blog and follow us on Twitter.

Acunetix WVS already presents a very low number of false positive results. This build lowers the false positives even more by automatically specifying vulnerabilities that are definite positive results. Each vulnerability that is confirmed as being positive will be followed by a verifying notification. The verification process is therefore easier and much faster. You can focus on fixing discovered vulnerabilities, rather than spending hours checking all the scanned results manually. The scan reports generated by Acunetix WVS 8 are now even more accurate and effective for your web security.

The above example shows an SQL Injection vulnerability that has been verified as being positive. The verifying notification is shown in the vulnerability title from the scan results report.

How to Upgrade to Build 20120403:

On starting Acunetix Web Vulnerability Scanner 8, a pop-up window will automatically notify you that a more recent build is available for download.  To download the latest build, navigate to the General > Program Updates node in the Tools explorer, click on Download and Install the new build.

View the complete Acunetix WVS change log here.

Contact the Acunetix Team on support@acunetix.com for any technical queries or sales@acunetix.com for any sales information.

Stay up to date with the latest web security news, by “Liking” the Acunetix Facebook Page. Also, follow us on Twitter and read the Acunetix Blog.

During web scanning, Acunetix WVS will send thousands (sometimes even hundreds of thousands) of HTTP requests to the target website. If Acunetix WVS sends 20,000 HTTP requests to a website, and the average response time of the web server is 1000ms (1 second), then web scanning will take around 20,000 seconds to complete, or about 5 and a half hours.  A typical good web server response time is about 200ms. Server response time can vary depending on the speed of your internet connection and also on the performance of the server.

To help you shorten the web scanning duration, you can also increase the number of parallel HTTP requests that Acunetix WVS sends to the target server. These can be increased by navigating to the Tools Explorer> Configuration > Scan Settings > HTTP Options > HTTP General node.

The default number of parallel connections is 10, while the maximum can be set to 25. Please note that increasing the number of parallel HTTP requests can also result in flooding or overloading the web server with HTTP requests. Therefore, before making such changes ensure that the target web server can handle the increase in load.

This conference is part of a series of high-quality executive symposiums that are being held in 38 cities throughout the United States and Canada. This event aims to gather the industry leading and local security technology companies and IT professionals.

Up to 30 vendor exhibits will be present at the event and will host educational speaker sessions regarding present tech-security issues, such as website security, VoIP, LAN security, wireless security and much more. There will be a lot of giveaways and prizes on offer, with Jacadis presenting a $50 gift card to one lucky attendee.

For more information and to review the Tech-Security Conference agenda, click here.

The conference presents a good opportunity to ask any questions about Acunetix Web Vulnerability Scanner and to learn the latest news and strategies relating to IT Security. Visit Jacadis booth to find out more about the latest Acunetix release, Web Vulnerability Scanner 8 .

Event details

Location:
Embassy Suites Detroit – Livonia/Novi
19525 Victor Parkway
Livonia, MI 48152
Tel: 734.462.6000

Stay up to date with the latest web security news by “Liking” the Acunetix Facebook Page. Follow us on Twitter and read the Acunetix Blog.

The Acunetix Team today announced an updated build of the Web Vulnerability Scanner Version 8 (WVS 8). The new build, number 20120326, includes new security checks that detect even more vulnerabilities as well as a series of bug fixes.

New Security Checks

Acunetix WVS 8 now runs security tests for Joomla 1.6.x/1.7.x/2.5.x Privilege Escalation.
Acunetix WVS 8 now provides security tests Joomla 1.7/2.5 Core SQL Injection.

Bug Fixes

• The crash in the Login Sequence Recorder has been fixed.
• The Login Sequence Recorder is accurately parsing websites which send back GZIP encoded content, even if it was not specified in the Accept-Encoding header.
• The Acunetix Reporter has improved the handling of missing scans reports.
• The Acunetix Reporter Console supports spaces within the specified parameters.
• The Acunetix Reporter accepts longer input names.

Improvements

• More advanced security checks for MongoDB and Rails Mass Assignment.

How to Upgrade to Build 20120326:

On starting up Acunetix Web Vulnerability Scanner, a pop up window will automatically notify you that a more recent build is available for download.  To download the latest build, navigate to General > Program Updates node in the Tools explorer, click on Download and Install the new build.

Click here for the complete Acunetix WVS change log.

Contact us on support@acunetix.com for any technical queries, and on sales@acunetix.com for any sales queries.

To stay up to date with the latest web security news, join the Acunetix community by liking the Acunetix Facebook Page. Also, follow us on Twitter and read the Acunetix Blog.

During a web application security scan, Acunetix WVS  looks for these types of directories and alerts the user if they are discovered. Acunetix WVS also crawls and parses the contents of these hidden directories and uses the information gathered to reconstruct the site structure and find even more vulnerabilities.

For example, Subversion is using a hidden directory named .svn. Inside this directory there is a file named entries (/.svn/entries). This file contains a lot of sensitive information; all the files and directories present within the current directory, such as the usernames of people who have committed files in this directory, exact file modification dates and more.

Acunetix WVS reads this file, parses it and sends all the information to its crawler. By recursively parsing all these files, the crawler is able to completely reconstruct the site structure and discover hidden, debug, test files and directories left there by developers. Sometimes developers create SQL database backup files using hard to guess filenames, thinking that it is safe to leave such databases laying around. If the .svn directories are accessible, the crawler will find a list of all these files. As an example, I have downloaded an open source project called “cool-php-captcha”. As seen below, while crawling this web application, the crawler did not discover much because it does not contain an index page, and all the directory listings are disabled.

However, if you scan the same web application using Acunetix WVS, the final site structure will look like this:

As you can see, Acunetix WVS found all these .svn/entry files, parsed them and sent the information to the crawler. The crawler managed to reconstruct the whole website structure; all the files and directories from the repository. Once the site structure is reconstructed, Acunetix WVS will automatically scan all these files for vulnerabilities. Currently, Acunetix WVS can find CVS, SVN, GIT, Bazaar and Mercurial repositories and can parse SVN and GIT repository files. Support for parsing more formats will be added later.

How do you protect your repository from such a vulnerability? When the website source code is rolled out to a live server from a repository, it is supposed to be done as an export rather than as a local working copy. Otherwise you can restrict access to the hidden directories by using an .htaccess entry like the example below:

<DirectoryMatch .*\.svn/.*>

Deny From All

</DirectoryMatch>

If you’re not already using Acunetix Web Vulnerability Scanner, you can download the latest trial edition from here.

To stay up to date with the latest web security news, join the Acunetix community by liking the Acunetix Facebook Page. Also, follow us on Twitter and read the Acunetix Blog.

Various browsers send different User-Agent strings. For example, Internet Explorer 9 sends Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0). If you are using an iPhone 4, for example, you will have a User-Agent similar to this one: Mozilla/5.0 (iPhone; U; CPU iPhone OS 4_0 like Mac OS X; en-us) AppleWebKit/532.9 (KHTML, like Gecko) Version/4.0.5 Mobile/8A293 Safari/6531.22.7.

In order to improve the user experience, more and more websites display one version for users who access the website from their mobile devices and another version for users who access the website from their desktop computers. When accessed, these websites automatically know if you are using a mobile as they parse the User-Agent string. Also, some websites show some content when visited by Google, while showing other content to regular users.

For example, if you visit Facebook from a regular desktop computer you will see this page:

However, if you visit the same page from an iPhone, you will be redirected to a mobile version of the site that looks like this:

One of the new features in Acunetix Web Vulnerability Scanner 8 is crawling websites and automatically using various User-Agents during the same crawl. This allows you to discover far more content and vulnerabilities. To demonstrate this, we’ve built a simple website  that will show the user different content based on the User-Agent string being used.

When we crawled this website with Acunetix WVS 7, we could see  the below limited website structure. This is because Acunetix WVS 7 was using a fixed User-Agent throughout the entire crawl process and therefore it did not crawl the “different” versions of the website.

When we crawled the same website with Acunetix WVS 8, we could see a complete website structure. The crawler from WVS 8 will crawl the website with various User-Agent strings, (for example the default one, the iPhone User-Agent and the Googlebot user-agent) and will follow any new links with the original User-Agent.

The website is not just crawled using different User-Agent strings, but it is also tested with the User-Agent that it was discovered with. Here is one Cross-Site Scripting vulnerability (XSS) that was found with Acunetix WVS 8.

In conclusion, crawling a website using different User-Agent strings helps Acunetix WVS 8 to find more content (targeted to mobile users and/or Google) and discover more vulnerabilities.

If you’re not already using Acunetix Web Vulnerability Scanner 8, you can download the trial edition from here.

To stay up to date with the latest web security news like the Acunetix Facebook Page, follow us on Twitter and read the Acunetix Blog.

The Acunetix Team is pleased to announce an updated build of the Web Vulnerability Scanner Version 8 (WVS 8). This new built includes new security checks for more vulnerabilities, bug fixes as well as a series of new and improved features.

New Security Checks

• Acunetix WVS 8 scans Web Statistics Software Applications such as AWStats and Webalizer, crawls their result pages and notifies you if sensitive data is disclosed in such pages.
• Your website is now secured against ASP Code injection vulnerability.
• New security checks have been included for SQLite Databases.
• Acunetix WVS 8 provides security checks for Rails Mass Assignment.

New Features 

• Acunetix WVS 8 offers you the possibility to stop the website crawling and proceed with the scan at anytime.
• You can choose a scan report template that you would like to use when scheduling a scan.

 Improvements

• Scripts are being executed faster thus the scans are taking less time to complete.
• Improved security scripts for Blind SQL injection, Remote File Inclusion XSS, File Inclusion and Directory Traversal.
• If a variant check for a specific vulnerability times out, Acunetix WVS 8 continues to launch the next variant checks assigned for that type of vulnerability.

 Bug fixes 

• Crawler: input encoding was not correct for _EVENTTARGET = and /
• Ansi string was not working correctly when using specific languages other than English.

How to upgrade to build 20120305:

On starting up Acunetix Web Vulnerability Scanner, a pop up window will automatically notify you that a more recent build is available for download.  To download the latest build, navigate to General > Program Updates node in the Tools explorer, click on Download and Install the new build.

Click here for the complete Acunetix WVS change log.

Contact us on support@acunetix.com for any technical queries, and on sales@acunetix.com for any sales queries.

Nowadays, more and more people are using URL rewrite techniques to increase their “friendliness” to both users and search engines. With URL rewrites, a URL like http://www.site.com/cms/product.php?action=buy&id=1 is typically rewritten to something like:

http://www.site.com/buy/1.

Prior to Acunetix Web Vulnerability Scanner version 8 (WVS 8 ) we had two ways to deal with this type of situations:

1. We could install AcuSensor and the sensor will automatically detect URL rewrites and inform the scanner about the real filenames and parameters.
2. We could define URL rewrite rules (either by importing them from .htacess/httpd.conf or by manually add them).

Acunetix WVS 8 introduces a new feature to deal with rewritten URLs. It’s called Path Fragments. In WVS 8, the crawler will automatically parse URLs and try to detect if they are rewritten. In case they are rewritten, it will split them into path fragments and create input schemes for them. The Acunetix script engine will work with these input schemes and manipulate each of them looking for vulnerabilities.

To demonstrate this feature, I have prepared a small website that is using URL rewriting. The URL rewrite rules were defined using a .htaccess file. The URL rewrite rules are listed below.

RewriteEngine on
RewriteRule Details/.*/(.*?)/ details.php?id=$1 [L]
RewriteRule BuyProduct-(.*?)/ buy.php?id=$1 [L]
RewriteRule RateProduct-(.*?)\.html rate.php?id=$1 [L]

We’ve defined three rewrite rules. Here are some sample URLs

With these URL rewrite rules, the URL contains the description of the product and the product ID, as shown below.

The product ID is contained after the BuyProduct keyword.

The URL looks like a basic HTML file, though it is not. The product ID is contained inside the actual file name. Let’s see what is happening when we crawl this website with Acunetix WVS 8.

The Acunetix crawler created three input schemes after analyzing the URLs from this website.

1. An input scheme for the RateProduct URL. As you can see, the URL was split in three parts (a prefix /, one path fragment and one suffix .html). It generated 3 variations for this scheme and it will manipulate all the combinations from these variations.
2. An input scheme for the BuyProduct URL. Same situation One path fragment, 3 variations.
3. An input scheme for the Details URL. In this case there are two path fragments and 3 variations.

These input schemes are later sent to the script engine so the security scripts will test all the possible combinations and generate URLs like:

• /Mod_Rewrite_Shop/BuyProduct-1%27%22/ – test for SQL injection (%27%22 is ‘” URL encoded)
• /Mod_Rewrite_Shop/BuyProduct-2%27%22/
• /Mod_Rewrite_Shop/BuyProduct-3%27%22/
• /Mod_Rewrite_Shop/RateProduct-1%27%22.html
• /Mod_Rewrite_Shop/Details/web-camera-a4tech/1%27%22/
• and so on …

Because the path fragments do not have names like normal GET/POST/COOKIE parameters, it’s not possible to name them so you need to view the HTTP headers to see exactly where the vulnerability is present.  An SQL injection in a path fragment looks like this:

These type of vulnerabilities in path fragments are pretty common nowadays, but until now it was not possible to automatically check for and detect them.  By intelligently generating path fragments from all the URLs found on the scanned website, the Acunetix Web Vulnerability Scanner version 8 is able to find such vulnerabilities.

Whether you’re scoping Web security assessment for your own business or for your external clients, you’ve got to make sure that everything of significance is included in your projects. Even if you’re in charge of everything at a small shop, it’s easy for a system here or there to fly under the radar.

Some Web systems you can’t afford to not test include:

• Staging and development systems that are slightly-outdated mirrors of production (and often process  actual production data)
• Extranet/B2B systems
• Customer service sites
• Support portals
• Content management systems
• Websites and applications running on separate, non-standard domains
• Websites and applications hosted by third-parties that you’re still in charge of

Just when you think you’re looking at all the right systems in all the right places, you’ll no doubt come across one or more that you either weren’t told about or have forgotten about.

Ensuring you’re including everything in your Web security testing projects is like ensuring you’ve included every possible tax deduction at tax time. In so many situations we’re leaving money on the table and someone else gets to take advantage of it. This goes back to having good documentation. I know it sounds trite but having current network diagrams, host and application inventory spreadsheets, information flow diagrams and the like is absolutely critical for ensuring you’re not overlooking anything.

Work with your network infrastructure staff. Get on board with your software development and QA teams. Double-check with your clients to make sure you’ve got a comprehensive list of every system that needs to be tested. It’s as simple as that, but unfortunately, it’s something that’s taken for granted all too much.

Web security testing is difficult enough as it is. The last thing you need to do is overlook a critical system that’s gone untested for an untold amount of time. You’ll no doubt have systems with differing priorities. Just make sure you’re the one in control and making those decisions rather than some criminal hacker with nothing better to do. Focus on your most important systems first but every system (especially those that are publicly-accessible) needs to be looked at eventually. All it takes is one seemingly benign, untested and vulnerable website or application to get your business into a bind.

New Automation & Auto-Configuration Features Make Securing Your Website Easier and Faster

London, 16th Feburary 2012 – Acunetix, a name on the forefront of the web application security industry, today announced the 8th version of its popular Web Vulnerability Scanner product.

Through this new iteration of WVS, Acunetix reaffirms its position as a leader in the development of web application security scanners. Version 8 echoes years of counter-hacking experience through its new ability to lock hackers out by integrating scan results into Imperva’s Web Application Firewall, and by recognizing a new breed of vulnerabilities through new detection methods.

Additionally, Acunetix WVS 8 takes vulnerability scanning to a new level by integrating smarter and more reliable automated features, making it quicker to launch a scan with less configuration required.

“Acunetix WVS 8 continues to set new standards for web vulnerability scanners. Web security exploit statistics are steadily on the rise — unfortunately not in favor of website owners — which is why version 8 of WVS focuses on providing a comprehensive solution to anyone wanting to make their online presence a safe one. Acunetix WVS 8′s high performance scanning engine provides even more accurate exploit detection, and coupled with the new automation enhancements securing a web application has never been easier. WVS 8 makes it clear why Acunetix is the number one choice for companies to audit and secure their websites.”

Mr. Nick Galea | Acunetix CEO

New feature showcase:

An automated web scanner that thinks like a hacker

* Manipulation of inputs from URLs:
Acunetix WVS can automatically identify URL parameters and manipulate them to detect vulnerabilities. This technology is not present in any other competing vulnerability scanner.

Replace manual intervention with scanner intelligence

* Automatic custom 404 error page identification:
Acunetix WVS 8 can automatically determine if a custom error page is in use, and recognizes it without needing any recognition patterns to be configured before the scan.

Interpret IIS 7 rewrite rules automatically

Using the web application’s web.config file, WVS 8 can automatically interpret rewrite rules without requiring any manual input.

Fix vulnerabilities while locking hackers out

* Imperva Web Application Firewall integration:
An exciting co-operation between Imperva and Acunetix; WVS 8 scan results can be imported into an Imperva Web Application Firewall and interpreted automatically as firewall rules.

Use WVS 8 as a true security scanning workhorse

* Multiple instance support:
Acunetix WVS 8 can be relaunched as multiple instances on the same machine, allowing the user to scan multiple websites enabling further support for multi-user scenarios on the same server/workstation.

Re-scan without re-configuring

* Scan settings templates:
WVS 8 can save the settings for the scan of a specific application as a template, making it quick and easy to recall those exact settings for the same application each time it is scanned. This is particularly useful when auditing multiple sites, enabling the user to load the template for each site instead of re-configuring everything manually.

Launch a scan quicker than before

* Simplified Scan Wizard:
In addition to the introduction of Scan Settings Templates and automatic custom 404 error page recognition, the Scan Wizard contains far less options so it’s much easier and quicker to kick off a scan.

Access your results from anywhere and everywhere

* Web-based scheduler:
Accessible via a web interface, the new Scheduler allows administrators to download scan results from any workstation, laptop, or smartphone. The new Scheduler will automatically launch another instance of WVS when multiple web scans are due, preventing multiple processes from depending on the resources of one WVS instance, and thereby allowing scans to complete in less time.

Identify threats unseen by other black-box scanners

* New HTTP Parameter Pollution vulnerability class:
At the time of writing, Acunetix WVS 8 is the only scanner that tests for this security vulnerability.

Ensure complex scans will complete automatically and successfully

* Smart memory management:
The following settings have been added to optimise scanning efficiency:
Define number of files per directory
Limit number of subdirectories per website
Assign Crawler memory limit

Other New Features

• Real time Crawler status (number of crawled files, inputs discovered, etc.)
• Support for custom HTTP headers in automated scans
• Configurable log file retention
• Detailed Crawler coverage report
• Scan status included in report

Try Acunetix WVS

Download the trial edition of Acunetix Web Vulnerability Scanner v8

About Acunetix

Acunetix is a market leader in web application security technology. Founded in 2004, Acunetix customers include the London Stock Exchange, Cisco, NASA, the US Air Force, PriceWaterhouseCoopers, and many more.

For more information please visit: http://www.acunetix.com

Nowadays, many components from web applications are commonly run on the user’s computer (such as JavaScript), and not just on the application’s provider server (such as Servlets). As time goes by, there is the need for web applications to provide a multitude of services to their users while at the same time being consistent with functionality, interactivity and ease of use. For this reason, even the simplest web application may possibly obtain and process a plethora of different HTTP parameters. This could result in the exposure of an extensive variety of input validation or injection vulnerabilities, such as Cross-site Scripting, SQL Injection and Command Injection. A less acknowledged injection attack has been around for a long time, but has only recently begun to raise alertness in the web security world – HTTP Parameter Pollution (HPP).

This vulnerability was first presented by Stefano di Paola and Luca Carettoni in 2009 at the OWASP Poland conference. HTTP Parameter Pollution takes advantage of the fact that HTTP allows more than one of the same parameters to be used, which exposes some web applications to malicious users. HPP is a simple yet quite effective hacking technique which affects both client-side and server-side environments. When exploited, the impact of an HPP injection attack depends on the functionality of the web application. Despite its simplicity, the HTTP Parameter Pollution vulnerability can be very dangerous and can compromise your website and web application security systems.

The Acunetix Team has created a detailed whitepaper that explains in detail how an HTTP Parameters Pollution injection attack can be launched at the front-end (client) or the back-end (server) of the web application. We also recommend security measures that should be taken in order to determine if your website is vulnerable to HPP attacks.

Click here to read the whitepaper guide on How to Detect HTTP Parameter Pollution attacks.

Ask any information security manager or compliance officer and they’ll likely tell you that Web application security falls under the overall information risk umbrella. Along with network infrastructure security, endpoint security, physical security and so on; Web application security is a critical piece of the overall puzzle.

Looking at the big compliance regulations such as PCI DSS, HIPAA/HITECH and GLBA, they all cover information security best practices including:

• Policies
• Awareness and training
• Authentication
• Access controls
• System monitoring and activity review
• Incident response
• Disaster recovery

The same can goes for information security standards such as ISO/IEC 27002, NIST 800-53, etc.

Interestingly though, when it comes to Web application security, we often stop at the application-centric issues. We find and fix the SQL injection, cross-site scripting and other technical flaws and assume that’s all that’s needed for true Web application security. The reality is these other information security best practices – the non-sexy stuff like policies, audit logging and incident response – can be tied directly to Web application security.

Web application security shouldn’t stop prematurely with the technical issues. No business can afford to take that on. It’s up to us as IT, security and software development professionals to ensure Web application security is addressed at all levels.

Does your business have security policies?
If so, ensure your Web applications fall within their scope.

Do you use identity and access management processes and technologies?
If so, ensure your Web applications fall within their scope.

Does your business have security incident response and disaster recovery plans?
If so, ensure your Web applications fall within their scope.

Don’t manage information security risks in silos. That’s not a good long-term strategy. It’s not good for you, your business or anything related to what we do in IT.

Web applications are arguably one of the highest-risk components of any information security program and need to be handled accordingly. Make Web application security a big deal in your business…It is.

Improvements:

•  The accuracy of Script Checks has been increased. The Acunetix development team is dedicated to continuously improve scan detection of security checks.
• The Graphical User Interface (GUI) has been enhanced in order to make menu navigation and usage easier and more effective than ever before.
• SSL security audit script is launched automatically when scanning a HTTPS website, regardless if port scanning is enabled or not.
• Added a number of new SQL Injection variants checks.

Bug Fixes:

•  HPP detection security script failed when testing input scheme with excluded variants
•  Apply settings button not showing up in specific cases
• Fixed several issues related to pausing and resuming of crawler
• Fixed several issues when running multiple instances of the reporter
• Two backup files were being generated because of filename case insensitivity
• Filtering of wildcards from robots.txt

This release candidate of Acunetix Web Vulnerability Scanner Version 8 is considered complete, stable, and suitable for testing.

Testing Acunetix WVS Version 8 RC:
If you are interested in testing the Release Candidate build of Acunetix Web Vulnerability Scanner Version 8, and you already own an Acunetix WVS Enterprise or Consultant license with a valid maintenance agreement, contact us at beta@acunetix.com.

The Acunetix Web Vulnerability Scanner Version 8 Free edition can be downloaded from here.

Check out what’s new in Acunetix Web Vulnerability Scanner Version 8.

Let me explain why I didn’t validate everything. When you’re testing IP-based hosts, you often don’t need to manually validate every single finding – only occasionally. However, with Web applications, you need to validate just about everything to ensure you’re not documenting problems and solutions for issues that don’t even exist. I told the project manager that for an SSL certification flaw I uncovered, the scanner is providing the same information I’d be able to get via any other means. Ditto with a flaw that uncovered an outdated version of the server’s operating system.

Another flaw was regarding the internal IP address being exposed on the server. The project manager was specifically interested in that finding. I told him that the internal IP address uncovered was right before us in the scanner results. Although there may be some circumstances that warrant it, I’ve never found a need to manually validate this specific vulnerability. In fact, this one could be next to impossible unless you’re on the internal network, but that’s a different discussion. Either way, if the scanner finds an internal IP address, it finds an internal IP address. There’s no other explanation for how a scanner could come up with a random internal IP address that happens to match an internal IP addressing scheme (that I happened to know of) otherwise.

Be it a web vulnerability scanner or advanced penetration testing tools you use manually, you need reliable means to ferret out such information, especially if it’s to be reliable and accurate. But in most cases, based on my experience, you’re not going to have to double-check every single finding of a server host in this regard.

Keep in mind that not every flaw is the same. Some require true validation and some won’t even be found using automated tools. Testing for security vulnerabilities is as much of an art as it is a science and experience using the tools, knowing what to expect from them, deciphering their results and knowing what else to look for is critical. That still doesn’t mean we’ll find it all…there’s no way to guarantee that. As with radiologists and home inspectors, there are just too many variables and unknowns involved.

Regardless, Web application or IP-based host, if I, based on my knowledge and experience, believe something needs further manual analysis then I’ll do it. If not, I’ll leave it be and document it as such. Once you’re comfortable doing so, I recommend you do the same.

Interestingly, it ended up being that the client’s questions weren’t about whether or not I actually validated each and every finding, but rather whether or not the hosts I listed in the report were indeed affected. There’s a difference. Make sure you keep all of this in mind and everyone is on the same page as you move forward with your security testing. Proper scoping and advance planning are half the battle.

Look at any given physical security-related video or access control system and the technology is amazing. From high-definition to DVR storage to remote access, you can literally control your physical security systems from a simple Web browser or even a mobile app. The problem is these systems are getting lost in the information systems complexity present in the average enterprise. But they’re no different than any other Web-based system – the potential for Web related vulnerabilities is endless. All it takes is a rogue insider or, in certain cases, an external attacker to compromise the essence of your organization’s physical security.

There’s a bit of irony in it all.

When performing my information security assessments, any given video management or access control system is chock full of Web flaws such as cross-site scripting, cross-site request forgery and so on. There are also more general flaws such as default passwords, no SSL, no audit logging or alerts enabled – no nothing related to application security. To top it all off, these systems are rarely, if ever, patched. Typically a systems integrator installs the physical security systems with zero security in mind and the systems stay that way with no one monitoring them, no one maintaining them…there’s no accountability.

Anyone with ill intent has free reign to watch (and control) internal video cameras, cover their tracks by deleting logs and actual video files, setup backdoor accounts and so on – all the things that bad guys do.

Indeed, we have a long road ahead of us in securing physical security-related video and access control systems. I strongly believe that unless and until these systems are included in the scope of Web security testing, businesses, government agencies and everyone in between will continue to have these critical security flaws flying under the radar.

Like with any other computer system, if it has a URL or an IP address, it’s fair game for attack. Give these systems the attention they deserve.

Many of my clients use third-party managed firewalls and intrusion detection and are typically alerted to such attacks against FTP. Yet still, any login hacking attempt can make you nervous especially knowing that manual cracking is likely to fly under the radar of these controls. So the question becomes, is there anything you can do to be more proactive and prevent FTP password-cracking attempts from occurring in the first place?

The ultimate control is to remove FTP from public access but that’s often not a reasonable option. Managed firewall and IPS is another great option. Ditto with any in-house firewall/IPS you may have. Changing the default FTP ports can help prevent automated attacks. This will provide minimal value and may end up being more trouble than it’s worth but it’s an option nonetheless. Otherwise, the best you can do is ensure that complex passwords are in place and enforced and intruder lockout is enabled on the FTP server.

All of this starts with knowing how your Web/FTP servers are currently at risk. Running a simple port scan of your external-facing systems can uncover FTP that you may not have known about – or have forgotten about. I recommend going a step beyond that running a good vulnerability scanner of the host itself to see what FTP-centric flaws it uncovers. In the end, you’ve got to look at your Web servers from every angle. All it takes is one seemingly benign weakness to undermine everything you’ve worked so hard to harden and protect.

WVS 8 BETA 2 Change Log

The following updates have been included in the BETA 2 build of WVS 8:

Featured Improvements

• Additional .NET AcuSensor support for .NET versions 3, 3.5, 4
• Improved blind SQL injection timing tests for PostgreSQL
• Improved blind SQL injection timing tests for request-timeout situations
• Logs are now flushed to the log-file every 10 seconds when running in console mode
• Scheduler feature: notification bar appears if the connection with the server is lost

Bug Fixes

• Crash (runtime passive analysis) when “Disable Crawler Aerts” option is enabled
• Problem with logging of HTTP_Anomalies when running multiple instances
• Problem with writing to temp folder when running multiple instances
• Issue with saving application logs to an invalid folder when running the Scheduler
• Crash when multiple instances of WVS try to detect custom 404 error-page patterns
• Scan does not resume correctly when the Scheduler automatically resumes a scan
• Issue with retest functionality for web application scripts
• Proxy crash, commonly when the process is already executing
• Settings in use by another instance cannot be saved as a Scan Settings Template
• Reporter crash when the text in the alert details is too long
• Periodical vulnerability reports show incorrect publishing date
• Database ID allocation is now synchronized between multiple WVS instances
• Scan results cannot be download from the Scheduler since Internet Explorer 7 cache is not used
• HTML report format is missing from the Scheduler web interface
• Installer assigns full permissions to the license file (non-admin users receive an error when scanning)
• Fixed the Scheduler’s Add Scan dialog on Internet Explorer 9
• Errors related to a browser-tab do not appear if a different tab is being viewed
• Malfunction with some Advanced Penetration testing tools when used through a proxy server
• XSS tests are no longer case-sensitive
• Scheduler returns invalid error message when connecting to password-protected applications
• Scheduler not scanning password-protected applications
• Crash with AcuSensor for .NET
• False positives are saved for each user instead of globally
• Changes to application settings not synchronized across multiple instances
• Typos in UI
• Reporter RTF-export malfunction
• Reporter sets incorrect filename for exported and saved reports
• Text wrap working inconsistently across reports

Become a Beta tester

Are you a security researcher who’s passionate about website security? Do you want to stay current with the latest cutting-edge web security scanning technologies? Contact us at beta@acunetix.com to learn more. (Requests are subject to approval)

NOTE: Acunetix customers who already own an Enterprise or Consultant license with a valid maintenance agreement are automatically eligible to participate as beta testers.

The Acunetix WVS Version 8 user manual is available in PDF Format and also in HTML Format.

The major issue here is that selecting ineffective security testing tools can be a costly venture. I’ve burned thousands of dollars and countless hours on tools that seemed like a good fit based on their tricked out websites and fancy marketing slicks. But talk is cheap so buyer beware. You have to take these tools for a spin to see if they’re going to be a good fit based on YOUR style inside YOUR environment, and based on YOUR business needs.

Whether you’re doing the actual work or just want to make sure your IT and security staff members are using what’s best for the organization, the simple truth is that good security audit tools can and will make a difference. Always remember that there is no one best tool but if you’re smart about your approach you shouldn’t have to spend a lot of money to get the job done right. If you invest a relatively small amount time researching, asking prospective vendors tough questions and actually trying the tools before you buy them, then you can’t lose.

When you choose and use good tools, you’ll know it. Amazingly, you’ll minimize your time and effort installing them, running your tests, reporting your results – everything from start to finish. Most importantly, with a good web vulnerability scanner you’ll be able to maximize the number of legitimate vulnerabilities discovered to help reduce the risks associated with your information systems. At the end of the day and over the long haul, this will add up to considerable business value you can’t afford to overlook.

So what’s the ideal setup for intruder lockout? Well, every situation is different and every business has its own unique needs. That said, I often recommend locking accounts for certain period of time (i.e. 5-10 minutes) after 5-10 failed login attempts. You may also use some form of automated password reset logic in conjunction with this process. Even something like tarpitting failed login attempts (i.e. purposefully slowing them down) can be beneficial as long as the delay is reasonable or the accounts are eventually locked.

Enabling intruder lockout is a relatively simple fix given what’s at stake. Whether you’ve got basic HTTP, forms, or some type of multi-factor authentication, keeping track of login abuse can have great payoffs — especially given the bad choices people make regarding passwords. Granted, intruder lockout could have the reverse effect on security. If you’ve got an attacker with a set of legitimate user accounts (often email addresses which can be relatively easy to obtain), then he could conceivably attack accounts via login pages that have intruder lockout enabled and effectively create a denial of service situation. You’ve got to determine what the greater risk is – password cracking or potential denial of service.

In many situations, intruder lockout on web login pages can eliminate a considerable amount of risk – especially in situations where you offer a SaaS/cloud solution and you’re not at liberty to control the enforcement of certain things like password complexity. Do what you can to set your users up for success. Even if they choose to use weak passwords, intruder lockout will at least help minimize the risk of successful password cracking.

We look forward to your comments.

You can watch a high quality version of this video on YouTube.

Many of you have been biting their nails in anticipation of this Beta, so sit tight and read on for the next most important stage in the evolution of Acunetix WVS.  Version 8 of Web Vulnerability Scanner has been optimized to make life easier at every stage of a security scan. WVS is easier to use for web admins and security analysts alike: enhanced automation, ability to save scan settings as a template to avoid reconfiguration, and multiple instance support for simultaneous scans of several websites. WVS 8 also ushers in a new exciting co-operation between Acunetix and Imperva: developers of the industry’s leading Web Application Firewall.

If you are interested in testing the new BETA of Version 8, and you already own an Acunetix WVS Enterprise or Consultant license with a valid maintenance agreement, contact us today at beta@acunetix.com.

The FREE version of Acunetix WVS 8 BETA can be downloaded from here

New to WVS 8

Manipulation of inputs from URLs

Acunetix WVS can automatically detect URL parameters and manipulate them to detect vulnerabilities. This technology is not present in any other competing vulnerability scanner.

Automatic IIS 7  rewrite rule interpretation

Using the web application’s web.config file, WVS 8 can automatically interpret rewrite rules without requiring any manual input.

Support for custom HTTP headers

To function correctly, some web applications need incoming requests to contain specific HTTP headers. It is now possible to define custom HTTP headers to be used during automated scans.

Imperva Web Application Firewall integration

An exciting co-operation between Imperva and Acunetix: WVS 8 scan results can be automatically imported into an Imperva Web Application Firewall and interpreted as rules.

New vulnerability class: HTTP Parameter Pollution

At the time of writing, Acunetix WVS 8 is the only scanner that tests for this security vulnerability.

Multiple instance support

Acunetix WVS 8 can be relaunched as multiple instances on the same machine, allowing the user to scan multiple websites and opening up further support for multi-user scenarios on the same server/workstation.

Redesigned Scheduler

Accessible via a web interface, the new Scheduler allows administrators to download scan results from any workstation, laptop, or smartphone. The new Scheduler will automatically launch another instance of WVS when multiple web scans are due, preventing multiple processes from depending on the resources of one WVS instance and thereby allowing scans to complete in less time.

Automatic custom 404 error page recognition and detection

Acunetix WVS 8 can automatically determine if a custom error page is in use and recognizes it without requiring any custom 404 recognition patterns to be configured for a scan

Scan settings templates

WVS 8 now allow the settings for the scan of a specific application to be saved as individual templates, making it quick and easy to recall the exact settings for a website each time it is scanned. This is particularly useful when scanning multiple sites, allowing the user to load the template for each site instead of re-configuring all the settings manually.

Simplified Scan Wizard

In addition to the introduction of Scan Settings Templates and automatic custom 404 error page recognition, the Scan Wizard contains far less options so it’s much easier and quicker to kick off a scan.

Smart memory management

The following settings have been added to ensure even the most complex scans will complete automatically, and successfully:

• Define number of files per directory
• Limit number of subdirectories per website
• Assign Crawler memory limit

Real-time Crawler status

Crawler data is now updated in real-time information and provides live feedback how many files have been crawled, how many inputs have been detected, and more.

Scan termination status included in report

Reports now include the termination or completion status of each vulnerability scan. For example: the report will display if the scan was completed successfully or halted manually.

Web application coverage report

A new reporting option in report templates that lists all the web application files that has been tested, and also lists the specific vulnerability tests performed on each file.

Log file retention

It is now possible to define the retention span before log files are automatically flushed; to ensure logs are not deleted each time WVS is restarted.

Significant WVS 8 improvement 

Improved web security check scripts

• All security check scripts have been optimized to reduce false positives even further
• The scanner checks for the latest variants of vulnerability classes like XSS, SQL injection, and more.

Become a Beta tester

Are you a security researcher who’s passionate about web security? Do you want to stay current with the latest cutting-edge web security scanning technologies? Contact us at beta@acunetix.com to learn more. (Requests are subject to approval)

Acunetix customers who already own an Enterprise or Consultant license with a valid maintenance agreement are automatically eligible to participate as beta testers.

The Acunetix WVS Version 8 user manual is available in PDF Format and also in HTML Format.

Subject matter

• Jerod Brennen: This presentation will provide insight into the Social Media Audit/Assurance Program issued by ISACA from a practitioner’s perspective. Auditors will gain insight into social media programs from an operational perspective to bridge the gap between implementation and audit. Attendees will learn: What they should audit in a social media program, how to introduce social media auditing to the organization, and resources for staying current in social media security trends.
• Rob Barnes: The evolution of software to a service (SaaS) delivery model frees users from the limitations of traditional infrastructure such as scalability, performance bottlenecks, and capacity. But these are raditional infrastructure such as scalability, performance bottlenecks, and capacity. Data breaches and audit failures can occur just as easily within the cloud as within traditional computing infrastructures.
•  Angie Singer Keating: Attendees will be introduced to the fundamentals of IRP and will learn how to craft and implement an incident response planning program which relies on processes and documentation. A special emphasis will be placed on the requirements, responsibility, processes and procedures needed to provide a rapid and reliable incident response capability.
•  Tim Maloney: IT Governance has become a focus area for both IT and Web Security Audit organizations. Recent research shows that IT organizations see IT governance activities as areas “needing improvement” in their organizations. Similarly, Internal Audit departments are increasingly being asked to assess the strategic performance of IT and to consider the appropriateness of the IT organization‟s response to new and emerging risk areas.
• Don Shepherd: This presentation will focus on: The Encryption/Masking of sensitive data, Separation of duty (How to control when and where a DBA can use elevated privileges, providing fine grained access control for DBAs), and Audit/Monitoring activity (Database activity monitoring, know what happens and when inside your database.)

Event details

Location:
Four Points Sheraton
Pittsburgh North
910 Sheraton Drive
Mars, PA 16046
(724) 776-6900
Registration – 7:15 a.m.
Session – 8:00 – 4:1

Cost:
ISACA Member – Free
Non-Member – $30
Students – $10

Registratio deadline:
November 30, 201