
Posts Tagged ‘Vulnerability Assessment’

(Image: unified vulnerability management suite)

Background

With Gartner's recently published market guide introducing “container security” as part of vulnerability management, and Tenable being the only vendor that already possesses it (having acquired FlawCheck last year and introduced the Tenable.io platform to the market), the market is changing again.
Tenable.io also introduces web application security (WAS) as part of the platform offering. With container security and web application security, Tenable now crosses over into leading container security and enters what we traditionally call the application security market (traditionally occupied by web vulnerability scanner and static source code analyzer vendors). Rapid7 earlier acquired NTO and entered application security as well, rebranding the product as AppSpider. We expect all the major vendors to catch up on container security, most likely by acquiring existing players who offer it.
Technology keeps changing over the years: in the past the move was to the cloud and online, the software as a service (SaaS) model, with Qualys emerging as the leading player in that field. With the latest acquisitions and integration of new technologies taking place, the real differentiator between the major players becomes minimal, so we can expect each major vendor to try to introduce unique and specialized areas to differentiate itself from the others (takeovers, mergers and acquisitions are the obvious option for entering a market rapidly).
In application security in depth alone, Tenable traditionally did not enter in the past; that field is dominated by web application scanners offering dynamic and static application security testing (DAST, SAST) or the newer interactive application security testing (IAST). We can expect the market to change again.
Traditional vulnerability management and specialized web application scanners have become more generic offerings, and the price point has been brought down significantly as the technologies matured and more me-too products were introduced to the market. The availability of open source alternatives leaves the enterprise market, which is willing to pay for commercial offerings, as the primary target for all the commercial vendors.
We also see a trend for traditional penetration testing tool vendors attempting to enter the vulnerability management market, with Rapid7's acquisition of Metasploit in the past and, recently, Core Security making a vulnerability management offering.
We also see a trend for companies that used to offer SAST now trying to enter DAST in the application security field. Mobile application security testing (Mobile AST), as a new technology, is also seeing rising demand in today's mobile-application-driven business.
At the other end, we see smaller vendors who previously focused on one tool product nowadays also attempting to expand their offering to a larger audience. The big players are extending their products with niche products, to penetrate what were previously recognized as niches as well.

Future of Vulnerability Management

Predictions for the near-future product market

(Image: future of the application security market)

  • Mobile application security testing (Mobile AST) will be included in the Application Security Testing (AST) tool market (together with DAST, SAST and IAST).
  • Container security will be one of the unique offerings, and slowly all the major players will incorporate it into their offerings (whether as an option or bundled).
  • Unification of vulnerability management and application security in the near future (eliminating some of the players that cannot transition to the new, changing market reality).
  • Standalone, niche-focused products that are easy to use will continue to play a role in the market for those looking to solve a specific purpose; both generic and specialized products/tools will continue to be available for those who need them.
  • Shift left (moving from product security into software development) trend: more and more customers look for integrated tools to streamline the vulnerability/security fixing cycle as early as the early development process.

(Image: security risk management (SRM))

  • A trend toward threat/vulnerability management (VTM) is slowly emerging and being recognized as a single unified process (threat assessment -> vulnerability assessment -> risk analysis) that streamlines the whole process of addressing enterprise threat/vulnerability and risk analysis, or security risk management (SRM).
The future vulnerability management suite depends on end user requirements. For complex enterprise requirements, it will include the above unified vulnerability management suite aspects/functional modules or options in the bundled package.
As you can see, with the market product shift underway, if you want to make any major decision for the short term, license subscription (LS) is for sure the way to go, since it is pointless to own an “outdated product” and pay a significant investment upfront for something that you may or may not find relevant to the changed market at all.
E-SPIN Group has been a vulnerability management, application security and penetration testing product and solution provider for over 13 years in the market. E-SPIN will continue to be active in this business domain, helping customers make the right investment that yields a return on investment.
Feel free to contact our E-SPIN solution consultants for any project or operation requirements.

Read Full Post »

It is a very typical scenario: enterprise/government IT auditors, compliance officers and security consultants are required to customise the Windows Server password length policy from the software default of 12 characters to a higher or lower length to fulfil company or local regulatory requirements.

So below is a very typical example of how you can change the configuration from the default state to your requirements.

The example below shows a password length of 8 characters:

(Screenshot: audit password length changed from 12 characters to 8 characters)

How to change?

Answer: refer to the steps below:

  1. To proceed with this change, go through Audit Customization.
  2. From the UI, go to Tools –> Customize Audits.
  3. Type 6411 in the Audit box.
  4. Click the orange pen to make changes to the audit.
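As an added example that is not from the post or from the scanner product it describes: a PowerShell check of a Windows host's effective minimum password length against the customised audit value (8 characters here), which is the same condition the customised audit tests. It assumes an elevated session, since secedit.exe needs administrator rights to export the local security policy.

```powershell
# Added example, not code from the post or the scanner it describes.
# Reads the effective MinimumPasswordLength from the local security policy
# (secedit export) and compares it with the audit threshold, 8 here.
# Assumes an elevated PowerShell session (secedit needs administrator rights).

function Get-MinimumPasswordLength {
    $inf = Join-Path $env:TEMP ("secpol_{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the account/security policy area to a temporary INF file.
        $null = & secedit.exe /export /cfg $inf /areas SECURITYPOLICY
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path -Path $inf)) {
            throw "secedit export failed (exit code $LASTEXITCODE)"
        }
        # The value lives under [System Access], e.g. "MinimumPasswordLength = 12".
        $line = Get-Content -Path $inf |
            Where-Object { $_ -match '^\s*MinimumPasswordLength\s*=' } |
            Select-Object -First 1
        if (-not $line) { throw 'MinimumPasswordLength not present in exported policy' }
        if ($line -match '=\s*(\d+)\s*$') { return [int]$Matches[1] }
        throw "Unexpected policy line: $line"
    }
    finally {
        # The INF contains the whole policy export, so do not leave it behind.
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

function Test-PasswordLengthPolicy {
    param(
        # 8 mirrors the customised audit in the post; raise it for stricter regimes.
        [int]$RequiredLength = 8
    )
    $actual = Get-MinimumPasswordLength
    # A value of 0 means no minimum is enforced at all, which always fails.
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        RequiredLength = $RequiredLength
        ActualLength   = $actual
        Compliant      = ($actual -ge $RequiredLength)
    }
}

# On a domain member the exported value is the policy applied to this host;
# the domain default itself comes from Get-ADDefaultDomainPasswordPolicy.
Test-PasswordLengthPolicy -RequiredLength 8 | Format-List
```

Run it across the servers in scope and compare the Compliant column with the scanner's audit result to confirm the customised threshold is the one actually being enforced.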

Read Full Post »

For those who were unable to attend the Acunetix v10 What's New training event, here is the extracted video clip from the event. A product demo is coming next. Stay tuned.

Read Full Post »


E-SPIN is delighted to announce the release of Acunetix Vulnerability Scanner version 10. The new version includes an improved Login Sequence Recorder for automatic scanning of login-protected pages, extends support for Java frameworks, Ruby on Rails and WordPress security scanning, and can use input from various web development and pen-testing tools.

New in Acunetix Vulnerability Scanner v10

  • The ‘Login Sequence Recorder’ has been re-engineered from the ground up to allow restricted areas to be scanned entirely automatically.
  • Now tests for over 1200 WordPress-specific vulnerabilities in the WordPress core and plugins.
  • Acunetix WVS crawl data can be augmented using the output of Fiddler .saz files, Burp Suite saved items, Burp Suite state files, HTTP Archive (.har) files, Acunetix HTTP Sniffer logs and Selenium IDE scripts.
  • Improved support for Java Frameworks (Java Server Faces (JSF), Spring and Struts) and Ruby on Rails.
  • Increased web services support for web applications which make use of WSDL based web-services, Microsoft WCF-based web services and RESTful web services.
  • Ships with a malware URL detection service, which is used to analyse all the external links found during a scan against a constantly updated database of Malware and Phishing URLs.

(Image: Acunetix 10 technical overview)

Continuing E-SPIN's long-term tradition, two rounds of technology briefing on what's new will be held on the following dates, totally free of charge and fully sponsored by E-SPIN for existing channel partners and end users.

(Image: Acunetix 10 agenda)

    • 28 July 2015 (Tuesday): Channel reseller partner track, open for reseller partners to understand what's new and the related go-to-market (GTM) channel support activities. Resellers interested in attending, please click here for registration.

(Eventbrite registration: E-SPIN Complimentary Acunetix 10 Technical Overview (Reseller Track))

    • 29 July 2015 (Wednesday): End user track, open for end user companies to understand what's new and the related benefits of adoption, and to prepare for migration and upgrade. End users interested in attending, please click here for registration.

(Eventbrite registration: E-SPIN Complimentary Acunetix 10 Technical Overview (End User Track))

Contact us for any inquiry for the event or product information.

Acunetix is also updating the features in the online version of the product (Acunetix OVS). The new version includes automated scanning of login-protected pages and extends support for Java frameworks, Ruby on Rails and WordPress security scanning.

Modified Pricing Models
Pricing for Acunetix WVS Enterprise and Consultant licenses has been changed. Licensing models are now limited to:

  • Enterprise 2 concurrent scans (perpetual and subscription)
  • Consultant 5 concurrent scans (perpetual and subscription)
  • Consultant 10 concurrent scans (perpetual and subscription)

Please note that:

  • Small Business Edition will no longer be supported
  • Both the Enterprise and Consultant licenses will include one year of free maintenance. Contact E-SPIN for further details.

Read Full Post »

Cloud and Virtualization Security


Like it or not, more and more company IT infrastructure is being migrated from physical to “private cloud” or “public cloud” to leverage shared and highly scalable multi-tenant cloud infrastructure.

Traditional vulnerability management vendors are making the effort to complete their unified solutions so that they are capable of covering traditional infrastructure, mobile, and “cloud and virtualisation infrastructure”.

Is vulnerability assessment of the virtual the same as of the physical? The answer is yes and no. Yes, because you still need to audit the infrastructure, network, wireless, applications, databases, servers, operating systems, web applications and so on accordingly. No, because you have to cover an additional layer, the cloud and virtualisation layer: the potential vulnerabilities introduced by the virtualisation platform vendor and their respective technologies.

A good vulnerability assessment tool is always capable of letting you configure and audit the additional layers of mobile as well as cloud/virtualization infrastructure.

From day one, E-SPIN has picked the best-of-breed vendors to develop our complete product lineup, covering unified vulnerability assessment for generic use through to specialised assessment tools for real IT auditors, security professionals and compliance officers who need the right tools to deliver their duties.

Whether for unified vulnerability management, on premises or hosted, E-SPIN provides a truly practical choice of vulnerability management mix according to your budget and operation requirements, backed by our pre-sales solution consultants, implementation and onsite support team.

Please feel free to contact us for advice on how to choose the right vulnerability management solution according to your operation requirements. Just write in with the subject line “RFI – Vulnerability Management for Cloud Infrastructure” addressed to sales(a)e-spincorp.com, and our assigned personnel will contact you regarding your request.

Read Full Post »

Cyber-Attack

Cyber security is the set of “measures taken to protect a computer or computer system against unauthorized access or attack”. Therefore, it is highly critical for enterprises to have an in-depth cyber security strategy and plan in place in order to provide the maximum level of protection from cyber security risks at not just the network perimeter but also the application layer.

The first and oldest wave is nuisance hacking, in which there is little material impact to the company. A classic example is hackers defacing your company’s website. More serious and widespread is the second wave, which is hacking for financial gain.

As business has migrated to the digital world, criminals have, too. What has emerged is a sophisticated criminal ecosystem that has matured to the point that it functions much like any business—management structure, quality control, offshoring, and so on. This type of hacking now goes beyond blindly stealing customer credit card information or employee passwords. For example, hackers might target a company’s financial function in order to obtain its earnings report before it is publicly released. With such advance knowledge, they can profit by acquiring or dumping stock.

Protecting the business from cybercrime is one thing, but companies also must worry about a new type of risk—the advanced persistent threat. If you think the term sounds like it’s out of a spy movie, you’re not far off. This type of hacking is predominantly about stealing intellectual property and typically is associated with state-sponsored espionage. The motives go beyond financial gain. Experts may quibble about the specifics of this type of attack and whether it always has involved use of advanced techniques, but this is a serious and growing threat. It is not an understatement to say that what’s at risk is not only your intellectual property but possibly national security.

Protect business from cyber attacks

With so many risks, business leaders may be unsure of where to focus. In our experience, it is crucial to elevate the role of information security in the organization and emphasize the fact that it is not just a technology function. As a make-or-break business issue, it requires a leader who reports directly to a senior executive. The title of the person—chief security officer, chief information security officer, security director—isn’t what matters. Instead, it’s the ability of that individual to bring security issues to the C-suite and help the management team think and talk about how security affects every other business decision.

Effective security leaders consistently demonstrate the linkages between security and the company’s goals. They remind the rest of the management team that security is a strategic issue. In the survey, the Front-runner group emphasized this approach by citing client requirements as the driving force behind the company’s information security investments. The other respondents pointed to legal and regulatory requirements as the main justification for information security spending in their organizations.

An organization that embraces this mindset, for example, might engage the security leader and the sales leader, together, to consider how better information security can help close or speed sales. They might determine that having well-documented information security controls, processes, or certifications in place enables them to anticipate and address customer concerns immediately when or before the issue first is raised.

Some companies we work with find it effective to have security leaders embedded within each business unit. These individuals report to line-of-business heads and work directly with them to evaluate how security can support each group’s business goals.

Feel free to contact E-SPIN for any requirement related to cybersecurity. E-SPIN has worked with national cybersecurity authorities and multinational corporations on various CyberSecurity Center, Vulnerability Assessment Center, Security Operation Center and Vulnerability Assessment Lab setups, from supply, commissioning, maintenance, knowledge and technology transfer, and main/sub contracting to managed services engagements.

Read Full Post »

Retina CS enables IT Security professionals to centrally manage organization-wide IT security – physical, virtual, mobile and cloud – from a single, web-based console. It is the only unified vulnerability and compliance management solution that integrates security risk discovery, prioritization, remediation, and reporting, which dramatically decreases the time and effort required to manage IT security. 

Retina Insight: Get actionable reporting, analytics, and trending across the vulnerability lifecycle via this powerful reporting engine, included with Retina CS at no additional cost.

– Configuration Compliance: A Retina CS Add-on Module: Simplify how you audit and report on common industry configuration guidelines and best practices.

– Regulatory Reporting: A Retina CS Add-on Module: Choose from Regulatory Reporting packs to automate how you navigate through the increasingly complex regulatory landscape.

– Patch Management: A Retina CS Add-on Module: Close the loop on vulnerabilities by providing integrated, automated, agent-less patching from a single console.

Retina CS Dashboard

EEYE SOLUTION SUITE

1. Retina Network Security Scanner

Identify known and zero-day vulnerabilities using the industry’s most mature and effective vulnerability scanning technology.

2. Retina.GOV
Rely on integrated end-to-end vulnerability and compliance management designed specifically for Government departments and agencies.

3. Retina Web Security Scanner

Rapidly and accurately scan large, complex websites and web applications to assess web-based vulnerabilities.

ADDITIONAL SECURITY PRODUCTS

1. Blink Endpoint Protection

Augment existing security products with integrated multi-layered endpoint protection in a single, lightweight client.

2. Iris Network Traffic Analyzer

See analysis and integrated forensics reporting on network security traffic.

3. SecureIIS Web Server Security

Ensure protection for Windows IIS Servers by preventing known exploits, zero day attacks, and other harmful web server traffic.

Retina CS from eEye provides a lot of functionality – beyond just vulnerability scanning – in an easy-to-use format. It is a great value for almost any environment.

As the sole Retina solution distributor in the Asia-Pac region, E-SPIN invites you to contact us with your inquiry and requirements, so we can assist you with the exact packaged solution that you may require for your operation or project needs.

Read Full Post »
