
Thursday, December 27, 2012

commerceserver.net Releases Commerce Server 10
commerceserver.net, an ISV based in Seattle and Ottawa, today announced the release of the latest version of its enterprise eCommerce software, Commerce Server 10. This marks the first independent release of the software previously sold and marketed as Microsoft Commerce Server.
Commerce Server 10 is the first release on the newly published roadmap for the product and lays the foundations for a rapid evolution of the product, which will see it grow from a purely on-premise solution to one that embraces the Cloud and hybrid scenarios over the next few years. It also adds support for the latest Microsoft server platforms: Windows Server 2012, SQL Server 2012, Visual Studio 2012 and .NET Framework 4.5.

In addition to the new platform support, this release introduces a new site building framework with a set of open source starter sites for ASP.NET, ASP.NET MVC and of course, SharePoint – all released via CodePlex. This new framework vastly simplifies the building of the presentation tier of eCommerce solutions.

“We are incredibly excited by the release of Commerce Server 10. Not only is it the fastest time-to-market of any Commerce Server release in history, we feel it is by far the most customer-focused and best performing iteration in the product's history. It represents a significant next step on our plans to rapidly evolve Commerce Server into the commerce platform of choice for the .NET ecosystem,” said Ryan Donovan, President and CTO of commerceserver.net.

As part of this announcement, commerceserver.net is proud to introduce a roster of worldwide implementation partners, with more being added each month. “We’re excited that many existing Commerce Server partners are supporting this release but encouraged at the approach from many new partners and customers wanting to work with the platform – it validates both our roadmap and our thinking that there is a vibrant market for a .NET based eCommerce Solution,” said Wayne Smith, Vice President of Product Management.

Source: BusinessWire 

Tuesday, May 29, 2012

Free .NET Performance Monitoring Solution released by AppDynamics

AppDynamics announces AppDynamics Lite for .NET, its new application performance management (APM) solution for .NET applications. The software is free.

The application performance management (APM) market continues to heat up as AppDynamics, a provider of APM software, announced the release of AppDynamics Lite for .NET.

AppDynamics officials called the new offering a production-ready performance monitoring tool for Microsoft’s .NET framework. The company expanded the scope of AppDynamics Lite, which has been available for the Java platform with more than 70,000 users.

AppDynamics Lite for .NET is free. The .NET monitoring product enables IT staff to quickly troubleshoot and diagnose performance problems in production. AppDynamics Lite installs in less than 90 seconds, identifies and monitors an application's business transactions, and gives insight into common application issues such as slow SQL, stalls, errors and slow response time, the company said. The software comes with code-level diagnostics as well as trending and alerting capabilities.

"The success of AppDynamics Lite so far clearly demonstrates that IT pros need a free monitoring solution for their production applications," says Jyoti Bansal, founder and CEO of AppDynamics, in a statement. "They need far more than simple system monitoring tools like Perfmon. AppDynamics Lite is exactly what app support teams require – a production monitoring tool solution that provides insight deep into the application layer."

"The fact that AppDynamics is offering this download for free is borderline crazy," said Nick Koning, technical architect at Best Practice, in a statement. "We've used it to monitor a single Microsoft IIS Web Server, and we've been blown away by how easy it is to use a business transaction approach to production monitoring and gain code-level diagnostics in seconds. None of us here have any doubt that this is a game-changer for .NET developer and operations teams."

AppDynamics Lite is installed directly on an instance of IIS. The product enables IT staff to drill down into slow requests as well as gain a high-level overview of how their application performs over time. Moreover, AppDynamics Lite for .NET provides a simple approach to monitoring ASP.NET and Windows Communication Foundation (WCF) applications, the company said.

AppDynamics' introduction of its new .NET solution comes only weeks after Compuware made a big splash with its Compuware APM Spring 2012 Platform Release, which introduced a new generation of APM for the company with innovations across its dynaTrace and Gomez product brands that help customers optimize the performance and value of their business-critical applications. This new release represents the next phase in Compuware's unified APM strategy. It is the first release of the new Compuware APM brand with Gomez and dynaTrace as major sub-brands within it.

Wednesday, May 9, 2012

Mass SQL Injections Spike Again
Security researchers have reported spikes in mass SQL injection attacks of late that take advantage of very common vulnerabilities in the way that Web applications interact with back-end databases. Particularly targeting ASP, ASP.Net, and MS-SQL sites, these mass SQL injection campaigns have been linked to black hat efforts to redirect victims to browser exploit kits like Blackhole or Phoenix.

"There's been a growing increase on the mass SQL injections side mainly because there is business to be had and money to be made in that area," says Gunter Ollmann, vice president of research for Damballa. "There are a growing number of professional hackers and crime groups that specialize in quick and rapid identification of websites that are vulnerable to SQL injection, and they monetize that by injecting malicious code normally as part of the pay-per-install or the iFrame injection-type business."

Unlike traditional SQL injections, which are generally manual attacks seeking to extract data from commerce sites, mass SQL injection attacks are automated, quick-and-dirty attacks that drop malicious code onto the website.

"Really what this is is a cross-site scripting attack," says Ryan Barnett, senior security researcher for Trustwave SpiderLabs, "just using SQL injection on the front end to inject in JavaScript code that results in sending regular users to a Web page that's dynamically created based on different database components, pulling in malicious JavaScript into the browser that redirects to a malware site."

The mass SQL injection model has been prevalent since 2008, with a considerable uptick last spring during the LizaMoon attacks. According to the recent Zscaler ThreatLabz Q1 State of the Web Report, researchers with ThreatLabz noted a spike in LizaMoon activity back in March.

"A year later, we are still seeing this campaign under way, with various peaks and valleys as the attack adapts over time. We noticed that activity picked back up again in March 2012," the report says.

According to Barnett, the attacks in recent months have a similar M.O., with a slight tweak in the SQL used to conduct the attack.

"They're not doing exactly the same kind of script that they did before," Barnett says. "They are picking different category names, which is often used for these databases, such as the category title, content title, and home page title. So they're targeting title HTML tags when you're dynamically creating those sites. It is kind of sneaky, but they're prepending a closing title HTML tag, so when it gets into the browser, it will cleanly close the title content that was already there and inject in behind to execute that JavaScript."

In April, researchers with F-Secure and Sucuri Security, among others, brought attention to these attacks, which at that time redirected to the Nikjju.com domain. According to Barnett, malicious activity continues on the back of already injected code, but the domains end users are redirected to remain in flux.

"The infrastructure of what we're highlighting here is in place, the bad guys are using it -- the difference is that all those domains they're sending them to, those are transient and change almost daily," he says. "As we put in IP reputation, domain black listing, and all of those things, then people can't get to those sites, so they have to constantly keep moving. But the infrastructure of exploiting the website and injecting this code, they just keep reusing that until people upgrade their systems."

That brings us to the mitigation efforts for these attacks.

"One is, first and foremost, they have to stay on top of patching processes. That means knowing what applications you're running on your servers," Ollmann says. "And secondly, you need to ensure that your custom applications are designed in a way that even if there is a vulnerability in these back-end systems, that the content is still sanitized and is not projected to visitors of the website."
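From the defender's side, the following added example (not from the article or any vendor it names) puts Barnett's description and Ollmann's advice into code: a detection pass over stored title columns for the stray closing title tag the campaign relies on, and HTML entity encoding at render time so that anything already injected is shown as text instead of closing the tag and running a script. The table layout, column names and the redirector.invalid domain are constructed assumptions.

```python
import html
import re
from typing import Dict, List, Tuple

# Constructed sample rows standing in for a site's content table (category title,
# content title), the kind of columns the article says were targeted. Row 2 carries
# the described pattern: a closing </title> followed by a script include pointing at
# a placeholder domain. Row 3 has a stray closing tag with no script after it.
SAMPLE_ROWS: List[Dict[str, str]] = [
    {"id": "1", "category_title": "Laptops", "content_title": "Spring sale"},
    {"id": "2", "category_title": "Cameras",
     "content_title": 'Lenses</title><script src="http://redirector.invalid/x.js"></script>'},
    {"id": "3", "category_title": "Phones</title>", "content_title": "Plain text title"},
]

# A legitimate title never contains a closing </title> tag, so its presence in a
# title column is anomalous on its own; a following <script tag confirms the pattern.
STRAY_CLOSE_RE = re.compile(r"</title\s*>", re.IGNORECASE)
SCRIPT_AFTER_RE = re.compile(r"</title\s*>.*?<script\b", re.IGNORECASE | re.DOTALL)


def find_injected_rows(rows: List[Dict[str, str]]) -> List[Tuple[str, str, bool]]:
    """Return (row id, column, script_follows) for every *_title column holding a
    stray closing </title> tag. script_follows is True when a <script tag follows it."""
    hits = []
    for row in rows:
        for column, value in row.items():
            if column.endswith("_title") and STRAY_CLOSE_RE.search(value):
                hits.append((row["id"], column, SCRIPT_AFTER_RE.search(value) is not None))
    return hits


def render_title(stored_title: str) -> str:
    """Render a stored title into the page <title> element with entity encoding.
    '<', '>' and quotes become entities, so an injected </title><script ...> is
    displayed literally and cannot close the real tag or start a script."""
    return "<title>" + html.escape(stored_title, quote=True) + "</title>"


def is_safe_render(rendered: str) -> bool:
    """Check a rendered element: exactly one real closing </title> and no <script tag."""
    lowered = rendered.lower()
    return lowered.count("</title>") == 1 and "<script" not in lowered


if __name__ == "__main__":
    for row_id, column, script_follows in find_injected_rows(SAMPLE_ROWS):
        print(f"row {row_id}: stray </title> in {column}, script follows: {script_follows}")
    for row in SAMPLE_ROWS:
        print(render_title(row["content_title"]))
```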