Week in Security: Web Flaws, New Strategies


Here's a rundown of some of the events, announcements and other happenings in information security last week:

• A group of security experts released a top 10 list of Web application security vulnerabilities. Unvalidated parameters, or failure to validate Web request information, topped the list created by the Open Web Application Security Project (OWASP). Other top flaws included broken access control, broken account and session management, cross-site scripting (XSS) flaws, buffer overflows and command injection flaws. The list, which includes full descriptions of the vulnerabilities and recommended protection measures, is available at www.owasp.org.

• Atlanta-based Internet Security Systems unveiled a strategy that aims to expand the capabilities of intrusion detection. Key to the ISS Dynamic Threat Protection strategy is a new version of its SiteProtector centralized management system, which manages ISS RealSecure sensors on desktops in addition to sensors on networks and servers. A new module for SiteProtector 2.0 called Fusion will correlate threats and vulnerabilities to reduce the number of alerts issued. SiteProtector 2.0 is slated for availability Jan. 29. The Fusion module is slated for March. ISS also announced a partnership with Crossbeam Systems, Concord, Mass., to offer its intrusion-protection software on Crossbeam's X40S security appliance, and will also work with PowerTech, Kent, Wash., to provide security for IBM iSeries servers.

• Trend Micro, an antivirus vendor based in Cupertino, Calif., expanded its Enterprise Protection Strategy (EPS) with new products and services. The company extended the reach of its Outbreak Prevention Services in EPS to desktops and file servers, and beyond the Windows platform to support Sun Solaris and Linux. The services also now support NetScreen Technologies products. The company also unveiled enhancements to Control Manager 2.5, which provides centralized management for its products and services.

• Symantec posted third-quarter earnings that swept past Wall Street estimates. The Cupertino, Calif.-based vendor reported income of $72 million on $376 million in sales for its third quarter. That compares to a net income of $100,000 million on $290 million in sales for the same quarter last year. Symantec's pro forma income of $77 million, or 47 cents per share, compared with Thomson Financial/First Call consensus estimates of 39 cents per share. The company also announced an alliance with PricewaterhouseCoopers to combine its security solutions with PWC's security services for enterprise customers. The alliance will provide customers with a security "dashboard" that gives them a view of their entire security operation, the companies said.