There have been some massive hacks recently due to Flash -

- Hackers Exploiting Latest Adobe Flash Bug On Large Scale
- Adobe Patches Latest Flash Zero Day Vulnerability
- Adobe Promises Patch For Flash 0-day Being Used In Targeted Attacks

Those 3 were all in 2011!

Adobe has released a beta version of Flash Player for Firefox, which has better protection against vulnerability exploits because of a new sandboxed architecture.

“The design of this sandbox is similar to what Adobe delivered with Adobe Reader X Protected Mode and follows the same Practical Windows Sandboxing approach,” said Peleus Uhley, platform security strategist at Adobe, in a blog post on Monday. “Like the Adobe Reader X sandbox, Flash Player will establish a low integrity, highly restricted process that must communicate through a broker to limit its privileged activities.”

In secure software development, sandboxing refers to the practice of isolating a process from the operating system in order to minimize the fallout of a potential exploit. This type of technology has gained popularity in recent years, primarily because of its use in Google Chrome, a browser that has never experienced a successful remote code execution attack so far.

Adobe decided to implement sandboxing in Adobe Reader back in 2010 in order to counter the large number of exploits that targeted the product and its users. The technology was built into Adobe Reader X (10.0) and is based on the same sandboxing principles that Google used when developing Chrome.

Later that same year Adobe also launched a sandboxed version of Flash Player for Chrome and promised to explore the possibility of doing the same for other browsers. The new sandboxed Flash Player for Firefox, which works with Windows Vista and Windows 7, is the result of those efforts.

They have been talking about sandboxing for a long time and did mention they wanted to sandbox Adobe PDF Reader too, Chrome has had great success with it’s sandbox model and I’m sure many more software vendors will follow suit.

It’s good to see this approach with the web becoming an extremely dangerous place and more and more commerce is moving online, this gives us a deadly mix of poor security and lots of money floating around.

Critical Flash Player vulnerabilities have regularly been exploited to infect computers with malware during the past several years. Along with Java and Adobe Reader, Flash Player is one of the most attacked software applications, because its vulnerabilities can usually be exploited by simply visiting a malicious website.

“Since its launch in November 2010, we have not seen a single successful exploit in the wild against Adobe Reader X,” Uhley said. “We hope to see similar results with the Flash Player sandbox for Firefox once the final version is released later this year.”

However, the success of this version at deterring cybercriminals from writing Flash Player exploits in the future will largely depend on how quickly it gets adopted. In order to speed up the process, Adobe is working on a new update mechanism, the company’s senior manager for corporate communications, Wiebke Lips, said.

Having a sandboxed version of Flash Player for every major browser, not just Chrome and Firefox, is also important, if Adobe wants cybercriminals to lose interest in its product. “We are currently in the process of researching the best path to provide Flash Player sandbox protection for Internet Explorer,” Lips said.

However, because Internet Explorer has a completely different plug-in architecture than Chrome and Firefox, namely ActiveX, developing a sandboxed Flash Player version for it requires a different approach, Lips said. Nevertheless, the current version of Flash Player supports Protected Mode in Internet Explorer 7 or later on Windows Vista and Windows 7.

I’d like to see them implement a much better and more user-friendly update system for Flash player, so when the update comes out more users get it ASAP.

Also, this is only for Firefox and the largest target for malware peddlers is Internet Exploder Explorer – so they better get that version sorted out soon too.

Source: Network World

It’s a pretty bumper crop of patches though with 13 bulletins and 19 vulnerabilities fixed, the highest profile one being a patch for the zero-day vulnerability exploited by Duqu.

The pulling of the BEAST patch is good in a way though I guess, it shows that Microsoft are doing comprehensive compatibility testing to ensure the patches don’t cause any problems (including with 3rd party software).

Microsoft released 13 security bulletins addressing 19 vulnerabilities overnight, as part of a bumper final Patch Tuesday of the year.

Highlight of the baker’s dozen is a patch for the the zero-day vulnerability exploited by Duqu (sibling of Stuxnet) worm back in October. Fixing the underlying flaw exploited by Duqu involves the resolution of a problem in how Windows kernel mode driver handles TrueType font files.

Aside from this critical update the batch includes an update to address a critical flaw n Windows Media Player. A cumulative security update of ActiveX kill bits is covered by the third, and final, critical update this month. The other ten bulletins address less severe (important) flaws in Windows, IE and Office. Altogether its a desktop-heavy patch batch, as you can see from Microsoft’s summary here.

Microsoft originally promised 14 bulletins for the December edition of Patch Tuesday but one has been pulled, probably for quality control reasons. The original anticipated 14th bulletin was for the BEAST attack, but did not make it in time for the holidays due to a last minute software incompatibility uncovered during third party testing, security services firm Qualys reports. The absence of this fix means that Microsoft has issued a grand total of 99 bulletins this year, one less than the ton up that might have resulted in adverse headlines.

Both BEAST and Duqu are pretty nasty malware, I’d guess seen as though they’ve already fixed the BEAST problem – they just need to work on compatibility issues – that we’ll definitely be seeing the patch rolled out in the January Patch Tuesday.

It’s good to see a bunch of important patches rolled out pre Christmas though as there’s always an influx of malware, scams, spams and phishing attempts around this period (trying to leverage on people’s good will I guess).

The BEAST attack affects web servers that support SSLv3/TLSv1 encryption. Although a patch will have to wait until January, at least, Microsoft has already published a workaround, which involves using the non affected RC4 cipher in SSL setups.

The Internet Storm Centre has produced a helpful graphical overview of the Black Tuesday updates from Microsoft here. It reckons that some of the flaws are more severe than Redmond’s rating. By the ISC’s count there are EIGHT critical updates. Either way you look at it, this is a lot of patching work even before we think about other security updates doing the rounds.

Google and Adobe are also joining in on the season of giving by releasing updates of their own. Adobe last week issued a critical updates for Adobe Reader and Acrobat. The latest version of Adobe PDF-reading software, Adobe Reader X, is not affected by this vulnerability thanks to the use of sand-boxing technology. So users have the option to either upgrade or apply a patch to the earlier version of the software.

In addition, Google published an update to its Chrome browser that addresses 15 security flaws, including six high-risk vulnerabilities, on Tuesday. More details of what’s fixed inside Chrome 16.0.912.63, the latest cross-platform version of the browser (yes Mac and Linux fans you ought to update too), can be found here.

There has been some other nasty bugs around too with a zero-day for Adobe Reader last week and Google just released a massive update of Chrome including 6 high risk vulnerabilities.

SANS ISC as always gives a great summary of the patches and classifies some of them more seriously than Microsoft does – you can check out the details here:

December 2011 Microsoft Black Tuesday Summary

Source: The Register

To help improve system configurations, iSEC is releasing the free software “SSLyze” tool. They have found this tool helpful for analyzing the configuration of SSL servers and for identifying misconfiguration such as the use of outdated protocol versions, weak hash algorithms in trust chains, insecure renegotiation, and session resumption settings.

SSLyze is a stand-alone python application that looks for classic SSL misconfiguration, while providing the advanced user with the opportunity to customize the application via a simple plugin interface.

Features

• Insecure renegotiation testing
• Scanning for weak strength ciphers
• Checking for SSLv2, SSLv3 and TLSv1 versions
• Server certificate information dump and basic validation
• Session resumption capabilities and actual resumption rate measurement
• Support for client certificate authentication
• Simultaneous scanning of multiple servers, versions and ciphers

For example, SSLyze can help user’s identify server configurations vulnerable to THC’s recently released SSL DOS attack by checking the server’s support for client-initiated renegotiations. For more information on testing for client-initiated renegotiations, you can read here.

You can download sslyze here:

sslyze-0.3_src.zip

Or read more here.

I can’t see any real corporate use for Twitter, so they won’t be pushing the security aspects of it in terms of the application. Perhaps it’s just an equity play and has nothing to do with Twitter, or perhaps they have another offering up their sleeves which isn’t public yet.

Twitter may be planning to boost its mobile security options with the acquisition of Whisper Systems, a company that offers security products for Android phones.

Whisper Systems’ offerings include WhisperCore, software that enables full disk encryption as well as management tools for Android phones. It’s free for individual users while enterprise customers pay for the software. Other Whisper Systems products include text encryption, voice encryption, firewall software and encrypted backup.

In a blog post about the acquisition, Whisper Systems didn’t say much about what Twitter might be planning to do with the technology. “Now that we’re joining Twitter, we’re looking forward to bringing our technology and our expertise into Twitter’s products and services,” the company wrote on the blog.

It said that Whisper Systems software will continue to be available but that during a transition period the company will take the products and services offline. In a forum on Whisper Systems’ website, people who are apparently unaware of the acquisition are already wondering why they can’t download products. Twitter did not reply to a request for comment about its plans for the technologies.

The only path I can see, obvious path that is, would be for Twitter to integrate the encryption technology offered by WhisperCore into the official Twitter apps – making them more secure in both storing data locally and in transmitting data over insecure networks.

I don’t see how it really offers any value though, it’s not like anyone is actually sending anything important out over Twitter – apart from the odd DM (Direct Message) I would imagine.

It’ll be interesting to see what direction they take though and if we can actually find out why this acquisition took place.

WhisperCore has a number of features designed to make up for security shortcomings in Android. For instance, WhisperCore users can selectively revoke permissions that an app requests while allowing the user to still use the app.

The software also includes a feature aimed at thwarting someone who has stolen a phone from determining the phone’s unlock code based on finger smudges on the screen. Some Android phones display rows of dots and a user unlocks the phone by dragging a finger over certain dots in a set pattern. An attacker might be able to recreate the pattern by examining finger smudges on the screen. WhisperCore displays unlock numbers in a column, so an attacker doesn’t know in which order the user hits the numbers to unlock the phone.

Earlier this year Whisper Systems released a software development kit so that developers could start building some WhisperCore features into their applications.

Few other companies are doing full disk encryption for Android, although there are many other companies taking other approaches to securing Android phones. Companies like 3LM and Good Technology offer mobile security services for enterprises. In addition, mobile device management products from companies including Sybase, BoxTone, Zenprise, Mobile Iron and Fiberlink let IT managers set basic policies like password requirement and remote wipe, and offer additional security capabilities.

The other whacky idea could be to make Twitter into a dual-functioning security product – I don’t really see how that would work though. Social Networking + Device security = confused users.

If anyone has any bright ideas as to why you think this deal took place, do drop them in the comments section below.

Source: Network World

Or perhaps some of you already use something totally web-based like Hushmail, the story is that researchers in Germany have managed to develop a JavaScript implementation of OpenPGP that allows you to both encrypt and decrypt messages purely in the webmail interface with Google Chrome and Gmail.

Pretty neat eh?

Researchers from German security firm Recurity Labs have released a JavaScript implementation of the OpenPGP specification that allows users to encrypt and decrypt webmail messages.

Called GPG4Browsers, the tool functions as an extension for Google Chrome and now is capable of working with Gmail.

According to its developers, GPG4Browsers is a prototype, but it supports almost all asymmetric and symmetric ciphers and hash functions specified in the OpenPGP standard.

The OpenPGP specification uses public key cryptography to encrypt and digitally sign messages and other data. It is based on the original PGP (Pretty Good Privacy) program and is most commonly used for securing email communications.

Setting up a PGP variant to work with a particular email client on a local computer can prove troublesome for less technical users, not to mention that it’s not portable. A PGP user who wants to send and receive encrypted emails from a different computer, would have to install it on that system first, import his private and public keys into the local database, known as the keyring, and then configure his email client.

The benefits of a JavaScript-based implementation that runs inside the browser is that it doesn’t require a dedicated email client or other software installed on the computer.

I have to admit, setting up key based e-mail cryptography to work seamlessly…is not for the faint of heart. Even for the more technical user, it can be quite a pain in the arse.

That’s a pretty high entry barrier for the average Joe and stops pretty much everyone else from encrypting their emails. Something more seamless (and totally portable) like this JavaScript implementation could open up key-based e-mail encryption for the masses.

At the moment, GPG4Browsers only works in Google Chrome and is not available for download from the Chrome Web Store. However, if the name is any indication, the extension will be ported to other browsers in the future.

Users interested in giving it a try must download it manually and install it as an unpacked extension. This can be done from the Tools > Extension page by checking the “Developer mode” box and clicking on “Load unpacked extension.”

The current release is limited by the fact that it cannot generate private keys, although the menu for doing this is present, so the feature will most likely be implemented in the future.

Importing public and private keys works fine and when browsing on Gmail a black lock icon is displayed in the address bar. Clicking on it will open a dialog for composing an encrypted or a digitally signed message.

Similarly, when an encrypted message arrives in the Gmail inbox, the browser asks users if they want to open it with GPG4Browsers. The extension can decrypt messages signed with GnuPG (GNU Privacy Guard), a popular open source PGP implementation, but only if data compression isn’t used.

The GPG4Browsers source code is available under a GNU Lesser Public License so the tool can be easily improved to support additional webmail providers. The developers also provide documentation which explains the available APIs.

An OpenPGP JavaScript implementation offers convenience and portability, but also has some downfalls. “Since memory-wipe of private data and validation of a secure execution environment cannot be achieved in JavaScript this implementation should not be used in environments where the confidentiality and integrity of the transmitted data is important,” the developers warned.

Which means, in basic terms, don’t use this kind of implementation on any machines that might be infected with malware etc. Which in a way to me renders it useless, the only reason I’d be using a web-based OpenPGP implementation is because I’m using a public or unfamiliar machine and I STILL want to encrypt my e-mail.

If I’m using my own e-mail, I’ll be using a proper software based encryption tool anyway. So I guess it may offer slightly more protection that sending completely plain text e-mail, but it’s certainly not a totally secure e-mail encryption solution.

As JavaScript progresses and gets more powerful however, things may change and this may well become a viable alternative to software based e-mail encryption.

Source: Network World

As a hacker I know, the more information a system gives me straight off the bat – the easier it’s going to be for me to hack it. Well the latest news is that this tactic may not be so bad after all.

Security by obscurity may not be so bad after all, according to a provocative new research paper that questions long-held security maxims.

The Kerckhoffs’ Principle holds that withholding information on how a system works is no security defence. A second accepted principle is that a defender has to defend against all possible attack vectors, whereas the attacker only needs to find one overlooked flaw to be successful, the so-called fortification principle.

However a new research paper from Prof Dusko Pavlovic of Royal Holloway, University of London, applies game theory to the conflict between hackers and security defenders in suggesting system security can be improved by making it difficult for attackers to figure out how their mark works. For example, adding a layer of obfuscation to a software application can make it harder to reverse engineer.

I agree with this, I wouldn’t exactly say this is ground-breaking though – I’ve always believed this. It’s not that I’d use obscurity as a singular defence, but I don’t see how it makes a system any less secure – the fact is from my perspective it definitely makes it harder to attack.

I mean the way in which Pavlovic is looking at it is rather more complex (in terms of a game), but it’s the same idea – if the attacker has less information, he’s going to have a harder time. Surely this all goes way back to Sun Tzu art of war..

Pavlovic compares security to a game in which each side has incomplete information. Far from being powerless against attacks, a defender ought to be able to gain an advantage (or at least level the playing field) by examining an attacker’s behaviour and algorithms while disguising defensive moves. At the same time defenders can benefit by giving away as few clues about their defensive posture as possible, an approach that the security by obscurity principle might suggest is futile.

Public key encryption works on the basis that making the algorithm used to derive a code secret is useless and codes, to be secure, need to be complex enough so that they can’t be unpicked using a brute force attack. As computer power increases we therefore need to increase the length of an encryption key in order outstrip the computational power an attacker might have at his disposal. This still hold true for cryptography, as Pavlovic acknowledges, but may not be case in other scenarios.

Pavlovic argues that an attacker’s logic or programming capabilities, as well as the computing resources at their disposal, might also be limited, suggesting that potential shortcomings in this area can be turned to the advantage of system defenders.

Of course obscurity should never be used in cryptography, that would just be idiotic – but when it comes to defending networks, servers and systems – I’m fine with it as an additional precaution.

I think this might spawn some interesting discussion either way, what do you guys think?

You can read the paper here: Gaming security by obscurity [PDF]

Source: The Register

Also since we reported on the Chrome bug bounty program back in February 2010 – Google Willing To Pay Bounty For Chrome Browser Bugs – it seems to have been a great success.

They’ve paid out a fair amount of money and patched 32 vulnerabilities in the latest version of Chrome (v14) – do note though, none of the vulnerabilities were of a critical level.

Google today patched 32 vulnerabilities in Chrome, paying more than $14,000 in bug bounties as it also upgraded the stable edition of the browser to version 14.

The company called out a pair of developer-oriented additions to Chrome 14 and noted new support for Mac OS X 10.7, aka Lion, including full-screen mode and vanishing scrollbars.

Google last upgraded Chrome’s stable build in early August. Google produces an update about every six weeks, a practice that rival Mozilla also adopted with the debut of Firefox 5 last June.

Fifteen of the 32 vulnerabilities were rated “high,” the second-most-serious ranking in Google’s four-step scoring system, while 10 were pegged “medium” and the remaining seven were marked “low.”

None of the flaws were ranked “critical,” the category usually reserved for bugs that may allow an attacker to escape Chrome’s anti-exploit sandbox. Google has patched several critical bugs this year, the last time in April.

Six of the vulnerabilities rated high were identified as “use-after-free” bugs, a type of memory management flaw that can be exploited to inject attack code, while seven of the bugs ranked medium were “out-of-bounds” flaws, including a pair linked to foreign language character sets used in Cambodia and Tibet.

I think the whole bug bounty model is great, I mean look at it this way – Google has paid out $14,000 in bug bounties for these vulnerabilities. That’s a small fraction of what it would cost to get a ‘professional’ company to do as a VA or code-audit on the software.

Plus for the researchers, they get to practise their skills and make a little pocket money on the side. I don’t expect anyone to hand over any critical 0-day type exploits for the amount Google is offering, but still – it makes the browser more secure.

And at the end of the day, more secure browsers make for less virus laden family members and colleagues (and less of that annoying work which we can’t escape for us).

Google paid $14,337 in bounties to nine researchers, including $3,500 to “miaubiz” and $2,337 to Sergey Glazunov, another regular bug finder.

The company’s security team also credited others, including researchers who work for Microsoft and Apple, for “working with us in the development cycle and preventing bugs from ever reaching the stable channel.” Some of those researchers were also awarded bounties, but Google did not spell out the amounts of those awards.

As per its practice, Google barred access to the Chrome bug-tracking database for the 32 vulnerabilities to prevent outsiders from obtaining details on the flaws. The company only opens the database after users have had time to update the browser.

Google also added a pair of developer-only features to Chrome 14, including support for the Web Audio API (application programming interface) and for “native client,” an open-source technology that runs software written in C and C++ within Chrome’s security sandbox.

The Mac version of Chrome 14 also supports Lion’s new approach to scrollbars, which appear only when a user is actively scrolling through the browser window. Chrome 14 also now runs in Lion’s full-screen mode, triggered via the icon in the upper right of the browser or by pressing Ctrl-Command-F.

But Chrome’s full-screen support isn’t polished or finished; the browser won’t return to its windowed view with a press of the Escape key, as do Apple’s home-grown applications in Lion.

Seems like Google had some help from Apple and Microsoft too – good to see the big boys working together.

I’ve given up on Firefox, I tried using Chrome for a while but didn’t really get on with it (seemed like a massive memory hog). I’ve recently switched to Palemoon (a Windows optimised version of Firefox) and it’s great so far.

Source: Network World

The author notified me of a new version that was recently released with quite a few additions. For those not familiar with it, Agnitio is a tool to help developers and security professionals conduct manual security code reviews in a consistent and repeatable way. Agnitio aims to replace the adhoc nature of manual security code review documentation, create an audit trail and reporting.

Changes in V2.0

The major changes in v2.0 is the addition of a code analysis module which comes with Android and iOS rules, an editor for the checklist questions and the ability to create/edit/remove code analysis rules.

• Fixed verify report button bug. It used to make the app crash if the report path field was empty because it didn’t check if it was empty before trying to use the field value.
• Delete profile functionality added on the “view profiles” tab. Some users requested this functionality.
• Removed hard coded filesystem paths and database names/locations from the code and make them configuration items.
• Data editor for both principles and checklist guidance sections. This allows users to customise the guidance using their own languages, guidance text etc.
• Increase the max size value of the text boxes on the principles guidance tab to allow more information to be entered by users.
• More accurate error on the profile creation tab – specify exactly what fields have been missed rather than listing all.
• Added “About” form with info, license, credits etc
• Regular expressions expanded to include a wider range of characters including non English characters.
• Turn the “other” language box red if the user clicks save with the other check box ticked but not language entered on the create and view profile tabs.
• Metrics tab now “returns” if only one app is available rather than trying to load all graphs and throwing a separate error for each one.

The author is always interested in feedback and has integrated a lot of it into v2.0 of Agnitio, if you want to give some suggestions/bug reports or whatever after using the tool you can do so via the Security Ninja blog here, or on Twitter @securityninja.

You can download Agnitio v2.0 here:

Agnitio v2.zip

Or read more here.

• Detect Malware present on your website
• Audit your web site for security issues
• Avoid getting blacklisted by Google
• Keep your web site content & data safe
• Get alerted to suspicious hacker activity

It has an easy to user interface, it picks up all kinds of issues such as malware, reverse shells like c99, obvious stuff like outdated Plugins and WordPress core, weak passwords, bad configurations (including .htaccess config) and much more.

Each alert is well explained and will help you to solve any issues the system finds on your blog/site.

The great value with this for me is once you are subscribed, you will be automatically alerted of new issues by email as and when they occur. This will help you keep your website secure and will let you know immediately if any issues develop.

They’ve even released two WordPress plugins which you can find here:

WP Security Scan & Secure WordPress

You can check out the website here and sign up for a free account to test it out:

http://www.websitedefender.com/

They are on Twitter too @WebsiteDefender & Facebook.

iViZ is the industry’s first company to position themselves as an on-demand penetration testing service for web applications. This is very different from the normal low cost vulnerability assessment services like Qualys, Hackersafe, Hackerguardian etc.  Unlike conventional solutions, iViZ delivers consultant-grade quality with an on-demand experience. iViZ provides a hybrid solution that integrates automation with manual testing by security experts. This results in a cost-effective SaaS model to achieve a very low rate of false positives, manual expert validation, and business logic testing.  The key advantages are high quality, on-demand manageability, high scalability and unmatched service to price value.

iViZ Security is funded by IDG Ventures which also funded companies like Netscape, Baidu, MySpace and F5 amongst several others. iViZ currently has 200+ customers across several verticals including Finance, Telecom, Online Media and E-commerce.

Why did we evaluate iViZ On Demand Penetration Testing?

Although there are tons of penetration testing providers and solutions in the market today, iViZ visualized the gap in making penetration testing more proactive and repetitive in a cost effective manner. It has thus adopted the SaaS route which can be a potential disruptor to make penetration testing more affordable without the hassles of tools and costly consultants. Organizations worldwide are evolving at a rapid pace and thus they require a solution which helps them attain speed to market and profitability.

Also today’s market place is primarily focused on cost differentiation. This has led to automation and sub optimal quality with plenty of “me too” service providers. While automated scanning provides benefits like lowered cost and faster time to scan, application penetration testing requires manual intervention to remove false positives and more importantly conduct business logic testing. iViZ seems to have understood early on that pure automation will never be able to indentify complex business logic vulnerabilities in the context of today’s evolving application specially in online and telecom market.

Review Parameters

We evaluated iViZ primarily on 4 key parameters:

1. User Experience
2. Quality of Findings
3. Methodology
4. Packaging and Pricing

A. User Experience

We had been provided access to https://edge.ivizsecurity.com/ . The portal enables two views: partner and customer. The partner view essentially helps you manage your customer’s pen test. The customer can also login with his credentials and submit a new scan or download a complete report.

The dashboard nicely summarizes the essential info on completed scans and upcoming scans. “Scan in Verification” are the ones which have already passed automated testing and being manually verified for false positives and business logic testing. This hybrid testing is carried out by combining automation of testing with work flow automation and leveraging process engineering on top of it.

The customer dashboard is also clear and concise representing only the vital information without too much clutter of graphs and diagrams.

The interface to submit or schedule new scans has got plenty of options to specify advanced parameters that enhance the quality and performance of testing. Apart from date, time and target you can specify application details like user credentials, path to exclude, depth limit and link limit.

B. Quality of Findings

The key factor which differentiates this SaaS offering for other VA services is the quality of findings. The report section nicely summarizes vulnerability info and critical threats that needs to be fixed urgently. The reports can be viewed online or downloaded in a pdf format. The key thing which has impressed us is every high and critical vulnerability is accompanied by a “Proof of Exploit” – a screenshot depicting the impact of the vulnerability. This goes a long way in making the report meaningful and immense help for the application developers to quickly fix the vulnerability. This also gives the true essence of penetration testing.

Having a proof of exploit with high and critical vulnerability also ensures that these have been manually verified and thus the report is almost “Zero False Positive”. A huge time saver!

C. Scan Methodology

iViZ Penetration Testing Cloud service jumpstarts the scan process without employing consultants or buying expensive tools. Assessments are conducted in the cloud as needed and when requested by the customer. iViZ follows a hybrid approach for its scan methodology:

1. T0 Testing: Automated Testing using multiple in-house and commercial scanners
2. T1 Testing: False positives are removed with extensive manual investigation.
3. T2 Testing:  Business logic verification is carried out with further manual testing using complex attack paths.

The hybrid testing is carried out by combining automation of testing with work flow automation and leveraging process engineering on top of it. In terms of coverage, the service covers OWASP Top 10 and WASC 26 threat classes in premium app testing.

D. Packaging and Pricing

iViZ offers two penetration testing service packages depending on customer business environment – Standard and Premium. Standard Tests are suitable for non critical applications and thus has lesser coverage. Premium is suited for critical applications and thus it provides a deep diagnosis with zero false positive and proof of exploit.  The pricing packages are all subscription based with frequency ranging from half yearly, quarterly, yearly and unlimited.

Conclusion

Overall the service looks pretty impressive. It provides a seamless way to do penetration testing on demand without incurring high cost of tools and consultants. Basically, like the sales force of penetration testing. For partners it provides an easy way to deliver penetration testing much more profitably or even set up a security testing business with zero Capex. However, the primary challenge that iViZ faces is sticking to the quality as the volume scales to thousands of scans.

It’s an interesting service and we shall be keeping an eye on it.