Core Security Announces New, Free Web Application

August 3, 2007; 08:24 AM
Core Security Technologies, provider of CORE IMPACT, the most comprehensive product for performing enterprise security assurance testing, today unveiled CORE GRASP, a new open-source technology designed to safeguard web applications from attack. The technology, introduced today at Black Hat by researchers from CoreLabs, the research arm of Core Security, makes it possible for users to easily identify and block web attacks on-the-fly. While the technology can be applied to all web application development environments and a wide variety of web application attack types, the company has made available an open-source implementation of CORE GRASP to prevent SQL-injection attacks for applications written in PHP.

“Web applications are a weak link in the information security posture of many organizations because of the widespread number of exploits and incidents related to SQL injection, cross-site scripting and other web-related bugs. PHP applications are particularly worrisome due to the large and rapidly increasing number of known bugs, as well as the lack of security awareness during their development and deployment,” said Ivan Arce, CTO of Core Security. “We hope that by contributing our GRASP technology to the web security community we will help to improve upon the state of PHP application security.”

Although there are many web application security tools available, they to fail to effectively prevent exploitation of SQL-injection and other web-related vulnerabilities—a commonplace and highly dangerous threat vector. By exploiting injection vulnerabilities in web applications, attackers regularly steal or modify information stored in back-end databases to gain direct access to back-end networks. In addition, once vulnerabilities are found they are typically cumbersome to fix in a timely manner, since that process usually involves identifying and correcting the vulnerable source code and re-deploying the fixed (patched) application to production systems.

Today at Black Hat USA 2007 in Las Vegas, NV, Core Security Researchers Ezequiel D. Gutesman and Ariel Waissbein presented the results of a research project to address these issues and introduced CORE GRASP. The web protection technology is based on very granular run-time taint analysis of an application’s data. It does not require access or changes to the application’s source code to work effectively and can be deployed easily on existing web application environments with minimal configuration effort. During the presentation, the researchers described in detail a fully functional implementation of the protection technique for PHP and demonstrated how it prevents exploitation of SQL-injection vulnerabilities. Gutesman and Waissbein invited the audience to join in developing and contributing to the project.

Availability and Implementation

CORE GRASP, which was released under the Apache 2.0 license, is immediately available at: http://grasp.coresecurity.com.

For more information about GRASP or to schedule meetings with Core Security’s experts at Black Hat USA 2007, please contact Dave Bowker or Tiffany Archambault at 781-684-0770 or email [email protected].

About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. Research is conducted in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing and cryptography. Results from these efforts include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies.

CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs/.

About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company’s flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.