Beyond Security Launches Security Analysis Solution That Changes the Face of Vulnerability Assessment; beSTORM Tests Billions of Attack Combinations to Save Millions in Unrecoverable Costs

IRVINE, Calif. -- Beyond Security, a leading provider of security assessment technologies, today announced the launch of its new security analysis solution, beSTORM. The cumulative result of three years of research and development, beSTORM changes the way security assessment is conducted by uncovering unknown vulnerabilities in network-enabled software applications during the development cycle. By automatically testing billions of attack combinations, beSTORM ensures the security of products before they are deployed, saving companies millions in costs associated with fixing security holes after products are shipped.

As corporate professionals are driven by compliance regulations for financial records and overall data security, there is a growing requirement for many companies to ensure that third-party software applications meet stringent security certifications.

"Software applications that are not fully tested prior to deployment make companies more vulnerable and leave customers feeling insecure," said Aviram Jenik, Beyond Security CEO. "Security certifications are becoming a requirement of vendors by many companies. This is because too many products have been deployed that are vulnerable to attacks and too much money has been spent on fixing the problem after the fact."

beSTORM arms developers, quality assurance teams and security professionals with a tool that helps them test for security holes while they are still in the development phase.
The new product enables development teams to schedule security testing into the product release process, giving them time to fix their code before the product is shipped. Unlike the current generation of assessment tools, beSTORM does not look for specifically defined attack signatures or attempt to locate known vulnerabilities in products, and it does not require the source code (as source-code audit tools do). Rather, beSTORM focuses on network-enabled applications and models the protocols used to communicate with them. beSTORM exercises the protocol with a specific emphasis on technically legal but functionally erroneous cases. Simply put, beSTORM performs exhaustive protocol analysis in order to uncover new and unknown vulnerabilities in network products. As an example, beSTORM automatically tries every protocol combination possible until a buffer overflow is triggered. This level of intensive security penetration testing is not available in any other product on the market.

"Most security holes found today can be discovered automatically," added Jenik. "By using an automated attack tool that tries virtually every attack combination and has the ability to detect certain application anomalies and indicate a successful attack, security holes can be found with almost no user intervention."

To date, computer hackers have targeted operating systems, but this has changed and now software applications are the focal point for their antics. Many software vendors are making an honest effort to fix the growing problem of security issues but are ineffective because of the existing tools at their disposal. Some vendors hire consultants to perform manual security audits that are often expensive and can only be done periodically. This solution is often chosen by default, because vendors are unaware of other alternatives.

"Many vendors conduct manual audits of their products. We call this 'throwing money at the problem' and it includes hiring third-party consulting firms to audit products to identify as many security holes as possible," added Jenik.

Other alternatives include source-code analysis tools, which attempt to find holes during development in a way similar to beSTORM. The main drawbacks of these solutions are scalability, false positives and the need for access to source code.

"Fuzzing tools are probably the closest in comparison to beSTORM. Fuzzing tools take an existing network protocol and 'fuzz' it, which means they send malformed requests and analyze the results," said Jenik. "Fuzzers are usually limited in bandwidth, trying hundreds or millions of different attack combinations, where beSTORM can try billions."

beSTORM's main features include:

-- Broad Range - Most of the common Internet protocols can be tested, including SIP (used in VoIP products)
-- Attack Prioritization - Special attack prioritizing algorithms allow beSTORM to start with the attacks most likely to succeed, depending on the specific protocol that is tested
-- Report Accuracy - beSTORM checks the application externally by actually triggering the attacks, and a vulnerability is reported only if an attack was successful
-- Scalability - Multiple processors (or machines) can be used to parallelize the audit and reduce testing time
-- Extensibility and Flexibility - Testing the protocol rather than the product, beSTORM can be used to test extremely complicated products with a large code base. Protocol analysis can be extended to support proprietary protocols
-- Language Independent - beSTORM supports all programming languages

Beyond Security has built its reputation on its network security solutions that facilitate pre-emptive, real-time and continuous network, server, database and application security. Their flagship product, Automated Scanning, conducts automatic penetration testing on a daily basis and has been adopted by a variety of global-based companies that include systems integrators. Beyond Security is also the founder and operator of www.securiteam.com, the largest independent security portal.
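The approach the release describes (model the protocol, generate messages that are technically legal but carry erroneous field values, and report a finding only when the application under test actually misbehaves) can be shown in a few dozen lines. What follows is an added example written for this page; it is not beSTORM's code or anything published by Beyond Security. The two-byte "BS" message format, the parser under test with its deliberate nested-length defect, the hardened parser, the case generator and the crash oracle are all constructed for illustration.

```python
"""Constructed generation-based protocol fuzzer (not beSTORM code).

Toy frame: MAGIC(2) | type(1) | length(2, big-endian) | payload(length).
Type 2 payloads carry a nested record: inner_len(2) | inner | trailer(1).
"""
import struct

MAGIC = b"BS"            # constructed 2-byte frame marker (assumption)
MSG_TYPES = (1, 2, 3)    # 1 = ping, 2 = nested record, 3 = text (assumption)
# Boundary values are tried first: the simplest form of attack prioritisation.
BOUNDARY_LENGTHS = (0, 1, 2, 3, 255, 256, 65535)


def parse_message(data: bytes) -> dict:
    """Parser under test. Contract: invalid input is rejected with ValueError.
    The type-2 branch trusts the nested length field (constructed defect)."""
    if len(data) < 5 or data[:2] != MAGIC:
        raise ValueError("bad header")
    mtype, length = struct.unpack(">BH", data[2:5])
    if mtype not in MSG_TYPES:
        raise ValueError("unknown type")
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if mtype == 2:
        # inner_len is never checked against len(payload): in C the trailer
        # read would run past the buffer; in Python it raises IndexError, and a
        # payload shorter than two bytes makes struct.unpack raise struct.error.
        (inner_len,) = struct.unpack(">H", payload[:2])
        inner = payload[2:2 + inner_len]
        trailer = payload[2 + inner_len]
        return {"type": mtype, "inner": inner, "trailer": trailer}
    return {"type": mtype, "payload": payload}


def parse_message_fixed(data: bytes) -> dict:
    """Same format, with the nested length validated before it is used."""
    if len(data) < 5 or data[:2] != MAGIC:
        raise ValueError("bad header")
    mtype, length = struct.unpack(">BH", data[2:5])
    if mtype not in MSG_TYPES:
        raise ValueError("unknown type")
    payload = data[5:5 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if mtype == 2:
        if len(payload) < 3:
            raise ValueError("nested record too short")
        (inner_len,) = struct.unpack(">H", payload[:2])
        if 2 + inner_len + 1 > len(payload):
            raise ValueError("inner length exceeds payload")
        return {"type": mtype, "inner": payload[2:2 + inner_len],
                "trailer": payload[2 + inner_len]}
    return {"type": mtype, "payload": payload}


def build_message(mtype: int, declared_len: int, payload: bytes) -> bytes:
    """Frame a message; declared_len may deliberately disagree with the payload."""
    return MAGIC + struct.pack(">BH", mtype, declared_len) + payload


def generate_cases():
    """Yield (description, message) pairs that are framed legally (correct
    magic, known type) but carry erroneous field values."""
    for mtype in MSG_TYPES:
        for n in BOUNDARY_LENGTHS:
            payload = b"A" * n
            yield f"type={mtype} len={n} consistent", build_message(mtype, n, payload)
            yield (f"type={mtype} declared={n} actual={n // 2}",
                   build_message(mtype, n, payload[:n // 2]))
    for inner in (3, 65535):
        payload = struct.pack(">H", inner) + b"B"   # inner length > remaining bytes
        yield f"type=2 inner_len={inner} > remaining", build_message(2, len(payload), payload)


def fuzz(parser, cases) -> list:
    """Crash oracle: a finding is recorded only when the parser fails outside
    its contract, i.e. raises anything other than ValueError."""
    findings = []
    for desc, msg in cases:
        try:
            parser(msg)
        except ValueError:
            continue                     # rejected as designed: not a finding
        except Exception as exc:         # unexpected failure: report it
            findings.append({"case": desc,
                             "error": f"{type(exc).__module__}.{type(exc).__qualname__}",
                             "input": msg[:16].hex()})
    return findings


if __name__ == "__main__":
    for f in fuzz(parse_message, generate_cases()):
        print(f"{f['error']:<20} {f['case']}  input={f['input']}")
    print("fixed parser findings:", fuzz(parse_message_fixed, generate_cases()))
```

Two design points mirror the feature list above. The oracle only counts an observed failure, so every framing case the parser rejects cleanly with ValueError is discarded rather than reported; and the case generator sweeps boundary values of each length field before anything else, which is where length-handling defects usually sit. Running the same cases against parse_message_fixed produces no findings, which is the check a development team would run after fixing the defect.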
beSTORM is generally available immediately, employs a client/server architecture and runs on Windows, UNIX and Linux.

About Beyond Security

Beyond Security, a privately held company, develops leading vulnerability assessment and self-management solutions that facilitate pre-emptive, real-time and continuous network, server, database and application security. The company was founded in 1999 by the founders of SecuriTeam portal (www.securiteam.com), a leading source for vulnerability alerts and solutions serving 1.5 million monthly page views to IT security professionals. Beyond Security's founders are great believers in automation, which is why the company sells tools instead of using them to provide services. Beyond Security's goal is to decrease the number of security holes in products to manageable levels and empower software vendors to release secure products. For more information, visit www.beyondsecurity.com.