Tenable Network Security Podcast Episode 187 - "Exposing Web Application Vulnerabilities"

Announcements

• We're hiring! - Visit the Tenable website for more information about open positions.
• Check out our video channel on YouTube which contains new Nessus, PVS, and SecurityCenter tutorials.
• Tenable Tweets - You can find us on Twitter at http://twitter.com/tenablesecurity where we make product and company announcements, provide Nessus plugin statistics, and more!
• Want to ask questions about Nessus, PVS, SecurityCenter, and LCE and get answers from the experts at Tenable? Join the Tenable Discussions Forum for custom scripts, announcements, and more!
• You can subscribe to the Tenable Network Security Podcast on iTunes!

Discussion & Highlighted Plugins

• Digging For Gold: Finding Vulnerable Web Applications - The Passive Vulnerability Scanner has many strengths, one of which is its ability to pick out vulnerable web applications in your environment. Over the years working for several different organizations, this has been a re-occurring problem. Specifically, when you work for an organization large enough to have folks deploying their own applications (and it doesn't have to be that large of an organization to have this problem). Web applications help solve a problem, whether it be a blog for corporate communications or a photo gallery for a student group. It's too easy to choose the wrong application, or install an application today that introduces a serious vulnerability down the road. While you can scan using traditional network-based scanning, asking your administrators to keep tabs on installed applications or manually audit your web servers, you will undoubtedly miss something. For systems administrators, this can be a tough task because a web application can be represented by a collection of downloaded files, not part of the operating system package management system. By listening to the network traffic, applications and their vulnerabilities can be easily spotted.
• Top Problems: Patches, Virtualization/Cloud, and Mobile/BYOD - Jack Daniel and I presented 3 webcasts in a 4-part series called "Vulnerabilities Exposed". We highlighted several problem areas for organizations. First, we covered the patch problem – how organizations still struggle to keep things patched and how you can reduce your patch cycle. Then, we took on virtualization and cloud. These two technologies are in large part responsible for changing the face of IT as we know it, and altering your security strategies forever. We now have a much greater attack surface and more applications outside of our control than ever before. Recently, we took a look at the mobile and BYOD problem. Not just limited to smartphones and tablets, today's workforce has more technology available to them than ever before. Using Tenable products we outlined techniques to stay ahead of this problem. Finally, on November 12th, Jack, Renaud Deraison, and I will talk about how to take all of the information our products collected on these vulnerabilities and threats and distill them down for management.

Nessus

Passive Vulnerability Scanner

SecurityCenter Apps

Security News Stories

1. Tenable Network Security Expands EMEA Team
2. SAI Global Deploys Tenable Network Security to Combat Security Vulnerabilities and Compliance
3. Doctors disabled wireless in Dick Cheney's pacemaker to thwart hacking
4. Ten Physical Security Tips for Mobile Devices | Cyveillance Blog - The Cyber Intelligence Blog
5. Capturing The Flag, SQLi-Style | Dark Reading
6. Researchers uncover holes that open power stations to hacking | Ars Technica
7. From China, With Love | /dev/ttyS0