Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

6/22/2007
04:48 AM
50%
50%

Rethinking Security Technology

Emerging products find new approaches to some old security problems

12:48 PM -- Call it security: the next generation.

Over the past week, security vendors and startups have been launching a wide swath of products and technologies. Normally, this means we're getting rev 6 of Release 3.5.2. But this week, we've seen some genuine innovation -- and perhaps more importantly, some new approaches to solving some very old problems.

Just when you thought firewalls had dead-ended, for example, startup Palo Alto Networks launched a new firewall, the PA-4000, which can identify -- and restrict -- more than 400 types of application traffic. Instead of just two settings for Port 80 ("off" or "on") this firewall enables enterprises to allow, block, or truncate the use of all sorts of applications, including those running over SSL. If it works as promised, the PA-4000 could breathe new life into the firewall market. (See Startup Puts New Spin on Firewalls.)

Another startup, Sentrigo, launched a new product that could change the way enterprises attack the database security problem. Instead of relying on appliances that restrict network flow to and from the database -- or supplementary applications that suck up database server cycles -- Sentrigo's Hedgehog takes a software-only monitoring approach, attaching sensors to the database's cache memory. This method of securing the database could help keep insiders from tampering with the database and reduce server overhead. (See A New Approach to Database Security.)

How about a new take on virtual private networks? Recently, the old VPN has begun to look tired, because of its inability to adapt to mobile devices and its assumption that most of its users would be fixed-location employees. Yet Stonesoft is introducing a new SSL VPN product that works with a wide variety of mobile devices and lets companies give limited access to customers and trading partners. (See Stonesoft Seeks to Open Up VPNs.)

This rethinking of old problems isn't limited to the vendor community. Next week, analyst firm Enterprise Strategy Group is releasing data from a new survey that takes a hard look at how companies secure their intellectual property. Its conclusion: It's time to scrap the manual processes that dominate the IP discovery and classification process, and put in some real automation. (See Securing the 'Company Jewels'.)

Enterprises, meanwhile, are rethinking their approaches to one of the world's oldest problems: physical theft. After being burned several times in the last week, companies are beginning to recognize that one of the most common causes of "data loss" doesn't come from hackers, but from the theft of portable storage media. (See Stop, Thief!)

In an industry where end users often seem to be banging their heads against the same old brick walls (See People, Not Passwords, Are the Problem), it's refreshing to see that some companies are stepping back and thinking about new roads, rather than just repaving the cow paths. Here's hoping the trend continues.

— Tim Wilson, Site Editor, Dark Reading

  • Enterprise Strategy Group (ESG)
  • Palo Alto Networks Inc.
  • Sentrigo Inc.
  • Stonesoft Corp.

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Navigating Security in the Cloud
    Diya Jolly, Chief Product Officer, Okta,  12/4/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Write a Caption, Win a Starbucks Card! Click Here
    Latest Comment: "The security team seem to be taking SiegeWare seriously" 
    Current Issue
    Navigating the Deluge of Security Data
    In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-16770
    PUBLISHED: 2019-12-05
    A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.
    CVE-2019-19609
    PUBLISHED: 2019-12-05
    The Strapi framework before 3.0.0-beta.17.8 is vulnerable to Remote Code Execution in the Install and Uninstall Plugin components of the Admin panel, because it does not sanitize the plugin name, and attackers can inject arbitrary shell commands to be executed by the execa function.
    CVE-2019-16768
    PUBLISHED: 2019-12-05
    Exception messages from internal exceptions (like database exception) are wrapped by \Symfony\Component\Security\Core\Exception\AuthenticationServiceException and propagated through the system to UI. Therefore, some internal system information may leak and be visible to the customer. A validation m...
    CVE-2012-1105
    PUBLISHED: 2019-12-05
    An Information Disclosure vulnerability exists in the Jasig Project php-pear-CAS 1.2.2 package in the /tmp directory. The Central Authentication Service client library archives the debug logging file in an insecure manner.
    CVE-2019-16769
    PUBLISHED: 2019-12-05
    Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.toString() backslash...