CHICAGO (October 21, 2010) - Security experts from Trustwave, the leading provider of information security and compliance solutions, will deliver multiple briefings at Black Hat 2010 in Las Vegas, July 28 through 29. The presentations will be delivered by members of SpiderLabs, the advanced security team at Trustwave responsible for incident response and forensics, penetration testing and application security, and security research.
David Byrne and Charles Henderson will deliver GWT Security: Don't Get Distracted by Bright Shiny Objects, which will look at common vulnerabilities in Google Web Toolkit (GWT) applications. GWT backs many of the slickest web-based applications being built today, which explains its growing popularity. However, GWT provides not only a polished graphical user interface but also an advanced feature, remote procedure calls (RPC). While GWT-based applications can be very secure, like any framework it is often implemented poorly. Insecure RPC calls are fairly common in GWT applications because developers are unfamiliar with the technology or simply assume it is bulletproof.
This presentation will demonstrate how to exploit common vulnerabilities in GWT applications, particularly in RPC functionality. The non-human-readable format of its browser-side JavaScript makes penetration testing GWT applications very time consuming. To aid with testing, Byrne and Henderson will release REGWT, a tool to reverse engineer GWT applications. It will allow a penetration tester to map out GWT RPC methods and browser-side logic that would otherwise be hidden, and to test them easily for various vulnerabilities.
Nicholas Percoco and Jibran Ilyas will present Malware Freak Show 2010, which will expand upon their initial Malware Freak Show presentation delivered at DEFCON 17. This year's talk will explore four new pieces of malware that were obtained during more than 200 investigations conducted in 2009 by Trustwave's SpiderLabs. The presentation will include the anatomy of a successful malware attack, a profile on each sample and victim, and a live demonstration of each piece of malware discussed.
Steve Ocepek and Charles Henderson will deliver Need a Hug? I'm Secure, which will look at the ways manual penetration testing can help an organization protect its environment from 0-day attacks, as well as from more common vulnerabilities like SQL injection and cross-site scripting (XSS). While organizations are concerned with new 0-days, they tend to forget that the older, less 'interesting' attacks can lead to exploits. Trustwave's Global Security Report demonstrates that most security breaches happen due to simple misconfigurations or older attacks like SQL injection.
This presentation will provide an overview of the effectiveness of penetration testing, whether focusing on the older, tried-and-true attacks or testing in response to 0-days, security alerts and reports of vulnerabilities in the wild. Penetration testing has the opportunity to contrast weak points in the infrastructure with other areas that have effective counter-measures in place. This presentation will help attendees motivate clients by giving them visibility into exactly what works and what doesn't, and generally how to be more helpful to the client.
In addition, Trustwave's booth, 31, will feature a preview of the PenTest Manager, the latest application in Trustwave's Managed Security Portal, which allows SpiderLabs clients to manage penetration test projects and findings, providing rich evidence detailing the vulnerabilities identified during a test. The PenTest Manager streamlines the remediation and vulnerability management process by providing a highly customizable reporting interface designed to allow organizations to quickly track, prioritize and resolve security vulnerabilities.
"With new 0-day attacks and exploits via existing channels, it's clear the need for information security will continue to increase," says Robert J. McCullen, chairman and CEO of Trustwave. "Real attackers don't care about the age of the vulnerability; if it works, they use it. For this reason, businesses need to always follow security best practices through the application development lifecycle to help ensure they've protected their organization and its consumers."
"Uncovering new, never-before-seen vulnerabilities to attack an environment is always exciting, but we must not lose sight of the existing vulnerabilities that have proven to be the more destructive of two evils," says Nicholas J. Percoco, senior vice president of SpiderLabs. "However, we hope that shedding new light on such vulnerabilities will help better secure an organization or the applications it's creating for the general community."
About Trustwave
Trustwave is a leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper® compliance management software and other proprietary security solutions including SIEM, WAF, EV SSL certificates and secure digital certificates. Trustwave has helped hundreds of thousands of organizations, ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers, manage compliance and secure their network infrastructures, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, Asia and Australia. For more information, visit https://www.trustwave.com/en-us/.