I know many people and small businesses that have their own web servers or have made their own sites and want to know if they are vulnerable to the multitude of attacks they read about in the news every day. The short answer is: yes, you probably are. Application-level attacks are growing roughly three times faster than all other attacks, because every website is customized to that particular person or company. Customization means inconsistency, and attackers are always looking for the small cracks in a system that they can wedge into and split wide open to get at the soft center that is your data.
The good news is that if you have nothing worth stealing you have less to worry about, although a server with no valuable data is still worth attacking as a place to host phishing pages or relay spam from, so the basics still apply. For anyone holding credit card, social security, financial, tax, donor list, salary, medical or real estate information (it is getting to be quite a list), you do need to worry about finding the cracks in the system. Before you have a sleepless week worrying about it, there are ways to combat this.
The not-free fix
If you have the means, a full-blown penetration test by a security company is recommended. There are two basic kinds of testing: whitebox and blackbox. Whitebox testing gives the tester access to whatever they need to do the test: source code, network diagrams, server names, access to the system itself and full admin rights. Blackbox testing treats the tester as an attacker: they are given the target and nothing else, and do their own reconnaissance to look for vulnerabilities. The whitebox test is more thorough, has a greater chance of finding issues and is usually quicker than a blackbox test. Blackbox testing is more realistic, as most attackers will not know the internal workings of an application. In practice many tests land in between (often called greybox): the tester gets a normal user account and documentation but no source code, which covers what a logged-in attacker could do without the cost of a full code review.
If your application is with a hosting company, or you outsource the development, you can make security part of the service level agreement. The portion of the agreement covering security fixes should give them a higher priority than other fixes. Although I have never seen this actually happen, a company can always ask the hosting or development firm to take financial responsibility for any compromise; even if they take on only a portion of the loss, it tells them that you as a customer care about this and gives them some motivation to produce good code. Code should not be signed off on until a penetration test has been done. Attackers constantly run the same scanning tools recommended in this article to check whether you have deployed new code and whether there are any vulnerabilities in it.
If you are capable of coding your own web pages, running security tools against them should not be a problem. Most of the tools listed below are either freeware (no cost) or a stripped-down version of a commercial tool (try before you buy). One thing about these tools: you may get a high false positive rate. A false positive is when the tool reports an issue that cannot be exploited the way the tool thinks it could be; typically the tool has noticed a symptom, such as your input being echoed back in the page, without checking whether the echo is encoded or otherwise harmless. The opposite, a false negative, is a real issue the tool misses, which is why a clean scan is not the same as a clean application.
This is the main weakness of code and application scanning tools. Penetration testing is part art and part science. Very few people have the knack of taking a perfectly good working system and seeing how they can break it. I suspect many of the car junkies who like to take apart and customize their cars would make good pen testers.
Below are the tools. Each one has its own strengths and a specialty focus on certain aspects of an application. Developers should install and play with them while they are working on the code, and this should be part of the project plan when plotting out the SDLC for the application. "Baking in" security during development is commonly estimated to cost about 90% less than shoehorning it on at the end.
N-Stalker and Acunetix WVS are web vulnerability scanners and should be run against every deployment; keep in mind that a scanner run is not a penetration test but the automated first pass a tester would start from. The two from Foundstone are good to run every few months to check whether your application will fall over when it hits a million users and whether Google is holding anything interesting about your system. To check IIS specifically there are a multitude of tools from Microsoft itself, and the IIS Resource Kit is a good place to start.
N-Stalker (as the vendor describes its three modes):
Development & QA phase - Controls and mitigates vulnerabilities introduced during development. Tests your application for common web vulnerabilities such as XSS, SQL injection, buffer overflow and parameter tampering.
Infrastructure & deploy phase - Scans your web server infrastructure using the vendor's web attack signature set (the "N-Stealth HTTP Vulnerabilities Database"), more than 35,000 signatures, to check that the server you are about to deploy on is not exposing known server-level vulnerabilities.
Audit & pen-test phase - Audits your production web applications and web server infrastructure by periodically combining component-oriented web application security assessment with the "N-Stealth HTTP Vulnerabilities Database".
Attackers are on the lookout for Cross Site Scripting (XSS) vulnerabilities in YOUR web applications: shopping carts, forms, login pages and dynamic content are easy targets. Beat them to it and scan your web applications with Acunetix Web Vulnerability Scanner:
Acunetix WVS automatically checks your web applications for XSS, SQL injection and other vulnerabilities.
Firewalls, SSL and locked-down servers do little against web application attacks: they protect the network and the transport, not the code that handles the request, and an XSS or SQL injection payload arrives over the same port as legitimate traffic.
Acunetix checks your web applications for coding errors that result in Cross Site Scripting vulnerabilities.
Acunetix also checks for known vulnerabilities in popular web applications such as Joomla and phpBB.
Acunetix identifies the files with XSS vulnerabilities so you can fix them BEFORE an attacker finds them.
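The two ideas above, a scanner reporting reflected XSS and the false positives such reports produce, are easier to see in code. The following is an added example written for this page; it is not code from the original post and has nothing to do with the internals of Acunetix, N-Stalker or any other product named here. The three app_* functions are constructed stand-ins for a web page that reflects a query parameter, each returning the HTML body a server would send back. naive_flag is the shallow check that produces false positives ("the string I sent is visible in the response"); confirmed parses the response the way a browser would and only reports the issue when the probe actually became an element with an event-handler attribute.

```python
"""Reflected XSS: what a scanner flags versus what is actually exploitable.

Added example, not part of the original post or of any scanner it names.
The app_* functions below are constructed stand-ins for a site that
reflects a query parameter; each returns the HTML body the server sends.
"""
import html
from html.parser import HTMLParser

# Probe the scanner sends. If this exact tag survives into the page with
# its onload attribute intact, a browser would execute the handler.
PROBE = "<svg onload=alert(1)>"


def app_vulnerable(q: str) -> str:
    """Echoes the parameter straight into the page body: real XSS."""
    return f"<h1>Results for {q}</h1>"


def app_encoded(q: str) -> str:
    """Echoes the parameter after HTML-encoding it. The text still comes
    back, but as &lt;svg ...&gt;, which renders as literal characters."""
    return f"<h1>Results for {html.escape(q)}</h1>"


def app_attribute(q: str) -> str:
    """Reflects into a quoted attribute value with quote-aware encoding."""
    return f'<input name="q" value="{html.escape(q, quote=True)}">'


def naive_flag(body: str, probe: str) -> bool:
    """The heuristic behind many false positives: the input is visible in
    the response. Decoding entities first makes it match the safely
    encoded page just as readily as the vulnerable one."""
    return probe in html.unescape(body)


class _HandlerFinder(HTMLParser):
    """Records (tag, attribute) for every on* attribute the parser sees,
    i.e. attributes a browser would treat as event handlers."""

    def __init__(self) -> None:
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.lower().startswith("on"):
                self.handlers.append((tag.lower(), name.lower()))


def confirmed(body: str) -> bool:
    """Exploitability check: parse the response as a browser would and ask
    whether the probe became an <svg> element carrying an onload handler.
    An encoded reflection parses as text and never produces that element."""
    finder = _HandlerFinder()
    finder.feed(body)
    return ("svg", "onload") in finder.handlers


def triage(app) -> dict:
    """Send the probe to one app and classify the scanner's finding."""
    body = app(PROBE)
    flagged = naive_flag(body, PROBE)
    proven = flagged and confirmed(body)
    if proven:
        verdict = "true positive"
    elif flagged:
        verdict = "false positive"
    else:
        verdict = "not flagged"
    return {"flagged": flagged, "confirmed": proven, "verdict": verdict}


if __name__ == "__main__":
    for app in (app_vulnerable, app_encoded, app_attribute):
        print(f"{app.__name__:15} {triage(app)}")
```

All three apps trip naive_flag, but only app_vulnerable is confirmed; the other two are exactly the false positives the text warns about. The same two-stage pattern (cheap signal, then a check that mirrors what the client or database would actually do with the input) is what separates a scanner finding from a reportable vulnerability, and it is the first thing to apply by hand to any scanner output before raising it with a developer.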
Two from Foundstone:
FS MAX - A scriptable server stress-testing tool. It takes a text file as input and runs a server through a series of tests based on that input. Its purpose is to find buffer overflows or denial-of-service (DoS) points in a server.
SiteDigger 2.0 - Searches Google's cache for vulnerabilities, errors, configuration issues, proprietary information and other interesting security nuggets on web sites. These are the same searches an attacker runs during reconnaissance, so anything it turns up about your site is already public and should be treated as such.
The IIS 6.0 Resource Kit Tools can help you administer, secure, and manage IIS. Use them to query log files, deploy SSL certificates, employ custom site authentication, verify permissions, troubleshoot problems, migrate your server, run stress tests, and more.