Tenable Network Security Podcast Episode 187 - "Exposing Web Application Vulnerabilities"
- We're hiring! - Visit the Tenable website for more information about open positions.
- Check out our video channel on YouTube which contains new Nessus, PVS, and SecurityCenter tutorials.
- Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics, and more!
- Want to ask questions about Nessus, PVS, SecurityCenter, and LCE and get answers from the experts at Tenable? Join the Tenable Discussions Forum for custom scripts, announcements, and more!
- You can subscribe to the Tenable Network Security Podcast on iTunes!
Discussion & Highlighted Plugins
- Digging For Gold: Finding Vulnerable Web Applications - The Passive Vulnerability Scanner has many strengths, one of which is its ability to pick out vulnerable web applications in your environment. Over the years working for several different organizations, this has been a re-occurring problem. Specifically, when you work for an organization large enough to have folks deploying their own applications (and it doesn't have to be that large of an organization to have this problem). Web applications help solve a problem, whether it be a blog for corporate communications or a photo gallery for a student group. It's too easy to choose the wrong application, or install an application today that introduces a serious vulnerability down the road. While you can scan using traditional network-based scanning, asking your administrators to keep tabs on installed applications or manually audit your web servers, you will undoubtedly miss something. For systems administrators, this can be a tough task because a web application can be represented by a collection of downloaded files, not part of the operating system package management system. By listening to the network traffic, applications and their vulnerabilities can be easily spotted.
- Top Problems: Patches, Virtualization/Cloud, and Mobile/BYOD - Jack Daniel and I presented 3 webcasts in a 4-part series called "Vulnerabilities Exposed". We highlighted several problem areas for organizations. First, we covered the patch problem – how organizations still struggle to keep things patched and how you can reduce your patch cycle. Then, we took on virtualization and cloud. These two technologies are in large part responsible for changing the face of IT as we know it, and altering your security strategies forever. We now have a much greater attack surface and more applications outside of our control than ever before. Recently, we took a look at the mobile and BYOD problem. Not just limited to smartphones and tablets, today's workforce has more technology available to them than ever before. Using Tenable products we outlined techniques to stay ahead of this problem. Finally, on November 12th, Jack, Renaud Deraison, and I will talk about how to take all of the information our products collected on these vulnerabilities and threats and distill them down for management.
- RuggedCom Rugged Operating System < 3.12.2 Multiple Vulnerabilities
- Adobe RoboHelp 10 Unspecified Memory Corruption (APSB13-024)
- XEROX ColorQube Device Detection
- XEROX WorkCentre Multiple Unspecified Vulnerabilities (XRX13-006)
- XEROX ColorQube Multiple Unspecified Vulnerabilities (XRX13-006)
- HP LaserJet Printers Multiple Vulnerabilities
- IBM DB2 and DB2 Connect Detection (credentialed)
- DB2 10.1 < Fix Pack 3 Multiple Vulnerabilities
- DB2 10.1 < Fix Pack 3 Multiple Vulnerabilities (credentialed)
- Cisco NX-OS Software BGP Denial of Service Vulnerability (CSCtn13055)
- Mac OS X : Java for OS X 2013-005
- Mac OS X : Java for Mac OS X 10.6 Update 17
- Oracle Database October 2013 Critical Patch Update
- MySQL 5.1 < 5.1.71 Server Optimizer Denial of Service
- MySQL 5.5 < 5.5.33 Multiple Vulnerabilities
- MySQL 5.6.x < 5.6.13 Multiple Vulnerabilities
- VMSA-2013-0012 : VMware vSphere updates address multiple vulnerabilities
- Siemens SCALANCE X-200 Authentication Bypass
- Siemens SCALANCE X-200 Web Session Hijacking
Passive Vulnerability Scanner
- ZenPhoto Cross Site Scripting and SQL Injection Vulnerabilities
- Beck IPC Embedded SCADA server detection
- Hirschmann Automation and Control Embedded SCADA server detection
- OnCell Wireless SCADA server detection
- Solar Log SCADA server detection
- Stulz Air Conditioning SCADA server detection
- Dropbear SSH Memory Corruption Denial of Service and User Enumeration Weakness
- Apache 'mod_fcgid' Module Heap Buffer Overflow Vulnerability
- RuggedCom Rugged Operating System Multiple Security Vulnerabilities
Security News Stories
- Tenable Network Security Expands EMEA Team
- SAI Global Deploys Tenable Network Security to Combat Security Vulnerabilities and Compliance
- Doctors disabled wireless in Dick Cheney's pacemaker to thwart hacking
- Ten Physical Security Tips for Mobile Devices | Cyveillance Blog - The Cyber Intelligence Blog
- Capturing The Flag, SQLi-Style | Dark Reading
- Researchers uncover holes that open power stations to hacking | Ars Technica
- From China, With Love | /dev/ttyS0