McAfee's Foundstone Professional Services to Launch Free Web Service Tools
Teaching Developers How to Create More Secure Software
Jun. 15, 2006 11:00 AM
announced that Foundstone Professional Services will launch a series of
free tools that teach developers, programmers, architects and security
professionals how to create more secure software. The tools will also
review the root causes of increasingly prolific crimes such as
e-shoplifting, session hi-jacking and identity theft.
"In the evolving security risk landscape, hackers and malicious
insiders are an undeniable threat to organizations," said Kevin Weiss,
president, McAfee, Inc. "As a division of McAfee, Foundstone
Professional Services is an integral part of the company's commitment
to moving the security industry forward by providing instructional
courses and unique tools that enable consultants to better understand
the mindset of malicious hackers."
Vulnerabilities such as
cross-site scripting and hidden field manipulation are frequent within
Web applications, resulting in a surprising number of corporate and
commercials sites being exposed to hackers and often suffering from
information highway robbery. Foundstone tools replicate
interconnected real-world application scenarios including travel,
banking and shipping, each written in a different programming language,
to demonstrate the potential cross-platform risks to a business' own
applications, and those they are connected to.
"In the race to
take storefronts online, most Web applications were developed with a
focus on functionality, not security. As a result, organizations may be
experiencing theft of goods, services or data without even realizing
it," said Mark Curphey, vice president, Foundstone Professional
Services, a division of McAfee, Inc. "These tools provide developers
with a unique opportunity to practice hands-on hacks and expose
vulnerabilities safely within real-world scenarios to gain a better
understanding of the potential issues. Forewarned is forearmed, and
developers can incorporate this knowledge into the building or fixing
of more robust and secure applications."
According to Gartner,
through 2008, application security will become an important evaluation
criterion, weighted as high as system functionality. Organizations that
integrate security into their software development life cycles will
experience an 80 percent decrease in critical vulnerabilities found in
their publicly released software or externally facing Web
The following educational tools will be released over the coming month, each accompanied by a learning whitepaper:
* Hacme Bank: Simulates a real world Web services enabled online
banking application, built with known and common vulnerabilities.
Hacme Shipping: Web based shipping application written in ColdFusion
MX7, using the Model-Glue framework and MySQL database.
Travel: Simulates a travel reservation system, allowing users to
attempt common exploits against a client-server type of application
written in C++.
* Hacme Books: Built on the popular Java 2
Enterprise Edition (J2EE) technology, it includes security
vulnerabilities in both the application design and implementation.
* Hacme Flowers: Replication of an online flower store, written in PHP.
is also releasing a number of resource tools, aimed at providing more
efficient and relevant practices for application developers and
* HacPac: Aggregates security testing tools and
information, software updates and news. A "one-stop shop" brought right
to the desktop for security consultants.
* CodeScope: Is designed
to help application developers and code reviewers determine the
complexity and scope of a code base and validate adherence to best
* SiteScout: Produces site map and site statistics
based on user navigation, automating the process of how information
flows through the application and provides threat modeling.
CredDigger: An assessment tool that notes user credentials and tries to
determine each and every host and Microsoft domain for which they are