Website Security Auditing
I purchased a security scan and audit for my main website this past week. The scan was done by a company called Acunetix.
Basically, a security scan is a scan performed by another server that attempts to exploit known vulnerabilities in a website’s code and programming, the same way an attacker would.
If you run an ecommerce website, I highly recommend getting a scan like this, even if you already do a PCI / CISP scan on a regular basis. This was a complete eye opener for me.
Why get a security scan?
Most server scanning programs look at a very broad range of ports and exploits across every available entry path to a server. A website security scan looks at only one spot, port 80. Since all non-secure web traffic travels across port 80 on a web server, a firewall has very little ability to control anything on this port; the traffic has to be let through for the site to work at all. Also, a general port or server scan rarely covers detailed exploits in a website’s own code, which is where the website scan comes into play.
Getting a security scan is a great way to protect your website and database from being taken over, or destroyed. The security scan points out vulnerabilities in code and tells you exactly what you need to do to fix everything. After implementing the recommendations that accompany the security report, your website will be more secure and a safer place for visitors, and for you.
The Scan:
The security scan took place over a few hours, and was nothing short of an all-out attack on the server.
Caution: I highly recommend telling your host that you are going to have a company perform this scan. Additionally, I recommend scheduling it during off-traffic hours in the event that the scan drops your server completely. Ours is a dedicated server with four dual-core processors, and the scan nearly brought everything down.
The scan itself attempted SQL injection attacks, XSS attacks, and tested hundreds of other known exploits.
The test itself quickly found a few poorly constructed form-processing scripts. I realized they were poorly constructed when I received over 4,000 emails in under 30 minutes.
The tests themselves are not meant to break into or take over a server, but to test for exploitable weaknesses. If this had been a real attack on the server, the attacker very well could have done some major damage, or gained control of something through those scripts.
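To make the kind of fix those alerts ask for concrete, here is an added example written for this post; it is not code from the original post, from my site, or from Acunetix. It shows the three problems the scan hit, SQL injection, XSS, and a contact-form mailer that sends on every request, each as the weak version beside the fixed one. The names (make_db, lookup_unsafe, lookup_safe, render_unsafe, render_safe, FormMailer) and all sample data are constructed for illustration.

```python
# Added example, not code from the original post or from Acunetix: the three
# classes of defect the scan hit (SQL injection, XSS, and a form-mailer that
# sends on every request), each shown as the weak version beside the fixed one.
# All names and sample data here are constructed for illustration.
import html
import re
import sqlite3
import time
from collections import defaultdict, deque


def make_db():
    # Constructed in-memory table standing in for the site's user database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return db


def lookup_unsafe(db, name):
    # Weak: the submitted name is spliced into the SQL text, so a quote in the
    # input changes the statement itself instead of just the value compared.
    return db.execute(f"SELECT email FROM users WHERE name = '{name}'").fetchall()


def lookup_safe(db, name):
    # Fixed: the driver passes the value separately; it can only ever be data.
    return db.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()


def render_unsafe(name):
    # Weak: input echoed straight into HTML, so markup in it runs in the browser.
    return f"<p>Thanks, {name}!</p>"


def render_safe(name):
    # Fixed: escape on output; the browser shows the text instead of parsing it.
    return f"<p>Thanks, {html.escape(name)}!</p>"


# One local part and one domain, no '@' or whitespace inside either; \s also
# rules out the CR/LF that would let a field smuggle in extra mail headers.
EMAIL_RE = re.compile(r"^[^@\s]{1,64}@[^@\s]{1,255}$")


class FormMailer:
    """Hypothetical contact-form handler: validates every field and allows at
    most `limit` sends per `window` seconds from one source address, so a
    scanner (or a spammer) replaying the form cannot turn it into a mail cannon."""

    def __init__(self, limit=3, window=600):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)   # client -> timestamps of recent sends
        self.sent = []                   # stands in for the real mail transport

    def submit(self, client_ip, fields, now=None):
        now = time.time() if now is None else now
        email = fields.get("email", "")
        subject = fields.get("subject", "")
        message = fields.get("message", "")
        if not EMAIL_RE.match(email):
            return "rejected: bad email"
        if "\r" in subject or "\n" in subject:
            # A line break in a header field would add headers such as Bcc:.
            return "rejected: header injection"
        if not 1 <= len(subject) <= 200:
            return "rejected: bad subject"
        if not 1 <= len(message) <= 2000:
            return "rejected: bad message"
        q = self.seen[client_ip]
        while q and now - q[0] > self.window:   # drop sends outside the window
            q.popleft()
        if len(q) >= self.limit:
            return "rejected: rate limited"
        q.append(now)
        self.sent.append((email, subject, message))
        return "accepted"
```

The throttle is deliberately per source address and in memory, which is enough to stop one client from flooding you but not a substitute for a CAPTCHA or a real mail queue on a busy site; the point is that a form handler should decide whether to send, not send unconditionally.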
In the end:
After about three hours, and 1175 alerts, I was emailed a 761 page report on everything that was messed up on the site. Most of the problems required only some simple code changes to fix the vulnerability. Others required some major code reworking, but in the end it only took a few hours to fix everything.
Errors are classified into four alert categories, High, Medium, Low, and Informational, based on what damage someone could do by taking advantage of the exploit.
High Alerts are major security holes that need to be addressed quickly. These issues could allow someone to take over a website or database, or in some cases even gain root access to a server.
Medium Alerts are less severe and mainly deal with someone gaining access to sensitive information, browser hijacking, session fixation, and other less globally severe security issues.
Low Alerts include issues like broken links, abnormal redirects, and user credential problems. These are mainly usability issues rather than major security issues.
Informational Alerts include exposed email addresses, directory listings that show files, and other information-disclosure problems. Some of these may be intentional, and others accidental.
With each individual error, the report shows which page the error was on and the exact situation that caused the error. Recommendations and links to resources that will help fix the errors are also included with each error.
In addition to the website-specific report, a general server information report is included which shows any open ports or general server vulnerabilities.
The cost:
Acunetix offers a free scan of a website. The free scan lists the number of alerts your website has, but does not list any information on the exact errors. When you purchase the full report, you get the complete list of alerts and how to fix them. The full scan and report costs about $400 for one scan, and packages of multiple scans can be purchased for a discounted price per scan.
While the scan is not cheap, if you run a serious ecommerce website it can be more than worth it. If you have a lot of functions that have been custom programmed, or your site is programmed by people whose proficiency in creating secure applications you’re not sure of, then the scan is a must. There is no reason not to do the free scan, just to see if there are problems.
I would gladly pay $400 to prevent a major hack rather than rebuild an entire server and database after one gets destroyed. Even if no sensitive information is compromised, the time spent rebuilding a major site and database is worth far more than $400.
I haven’t used any other company for a security audit like this, so I don’t know of any other services to compare this to, but I do recommend Acunetix. At the very least, get the free scan and see how many alerts you have. If you’ve got several hundred high alerts, it is probably time to fix some things on your site.
Finally:
I have to reiterate, make sure your host knows and OKs the scan. It puts much more load on a server than I would have ever imagined, and it will look like an all-out attack to a server administrator. It’s also a good test of what your server can actually stand up to.
Attackers are well aware of the valuable information accessible through Web applications, and their attempts to get at it are often unwittingly assisted by several important factors. Conscientious organizations carefully protect their perimeters with intrusion detection systems and firewalls, but these firewalls must keep ports 80 and 443 (SSL) open to conduct online business. These ports represent open doors to attackers, who have figured out thousands of ways to penetrate Web applications.
The standard security measures for protecting network traffic, network firewalls and Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS), do not offer a solution to application-level threats. Network firewalls are designed to secure the internal network perimeter, leaving organizations vulnerable to various application attacks. Intrusion Prevention and Detection Systems (IDS/IPS) do not provide thorough analysis of packet contents. Applications without an added layer of protection increase the risk of harmful attacks and extreme vulnerabilities.
Web application level attacks are the Achilles’ heel. In the past, security breaches occurred at the network level of corporate systems. Today, hackers are manipulating web applications inside the corporate firewall. This entry enables them to access sensitive corporate and customer data. An experienced hacker can break into most commercial websites with even the smallest hole in a company’s website application code. These sophisticated attacks have become increasingly threatening to organizations.
I recommend a service called GamaSec (http://www.gamasec.com), a remote online web vulnerability-assessment service that tests web servers, web-interfaced systems and web-based applications against thousands of known vulnerabilities with dynamic testing, and by simulating web-application attacks during online scanning. The service identifies security vulnerabilities and produces recommended solutions that can fix, or provide a viable workaround to, the identified vulnerabilities.
http://www.gamasec.com