Website Security Auditing

I purchased a security scan and audit for my main website this past week. The scan was done by a company called Acunetix.

Basically, a security scan is a scan run from another server that attempts to exploit known vulnerabilities in a website’s code and programming.

If you run an ecommerce website, I highly recommend getting a scan like this, even if you already do a PCI / CISP scan on a regular basis. This was a complete eye opener for me.

Why get a security scan?
Most server scanning programs look at a very broad range of ports and exploits across every available entry path to a server. A website security scan looks only at one spot, port 80. Since all non-secure web traffic travels over port 80 on a web server, and that traffic has to be allowed through for the site to work at all, a firewall has very little ability to control anything on this port. Also, a general port or server scan rarely covers detailed exploits in a website’s code, which is where the website scan comes into play.

Getting a security scan is a great way to protect your website and database from being taken over, or destroyed. The security scan points out vulnerabilities in code and tells you exactly what you need to do to fix everything. After implementing the recommendations that accompany the security report, your website will be more secure and a safer place for visitors, and for you.

The Scan:
The security scan took place over a few hours, and was nothing short of an all-out attack on the server.

Caution: I highly recommend telling your host that you are going to have a company perform this scan. Additionally, I recommend scheduling it during off-peak hours in the event that the scan drops your server completely. Ours is a dedicated server with four dual-core processors, and the scan nearly brought everything down.

The scan itself attempted SQL injection attacks, XSS attacks, and tested hundreds of other known exploits.
The test itself quickly found a few poorly constructed form-processing scripts. I realized that they were poorly constructed by the fact that I received over 4,000 emails in under 30 minutes.

The tests themselves are not meant to break or take over a server, but to test for exploits. If this had been a real attack on the server, the attackers very well could have done some major damage, or gained control of something through those scripts.
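The form-processing scripts above are the kind of weakness a scanner like this is built to find: the post does not say what the exact defect was, but the two usual ways a contact form turns into a mail flood are accepting unlimited submissions and letting line breaks in user-supplied fields reach the mail headers, and the same handler is where the SQL injection and XSS probes land. The following is an added example, not code from this post or from Acunetix. It assumes a hypothetical contact form with name, email, subject and message fields, and uses an in-memory SQLite table and an in-process rate limiter as stand-ins for a real database and web server.

```python
"""Hardened contact-form handler (constructed example).

Closes four failure modes a website scan probes for:
  - mail header injection (CR/LF in fields that reach a mail header)
  - submission flooding (no per-client limit)
  - SQL injection (string-built queries)
  - reflected XSS (echoing input back unescaped)
"""
import html
import re
import sqlite3
import time
from collections import defaultdict, deque

# Constructed limits: at most MAX_PER_WINDOW submissions per client per WINDOW_SECONDS.
MAX_PER_WINDOW = 5
WINDOW_SECONDS = 600

_CRLF = re.compile(r"[\r\n]")
_EMAIL = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class RateLimiter:
    """Sliding-window counter keyed by client address (in-memory, single process)."""

    def __init__(self, limit=MAX_PER_WINDOW, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, client, now=None):
        now = time.time() if now is None else now
        q = self._hits[client]
        while q and now - q[0] >= self.window:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def validate_contact(form):
    """Return (ok, errors). CR/LF is rejected in every field that could end up in a
    mail header, so one submission cannot smuggle extra recipients or headers."""
    errors = []
    name = form.get("name", "").strip()
    email = form.get("email", "").strip()
    subject = form.get("subject", "").strip()
    message = form.get("message", "").strip()
    for field, value in (("name", name), ("email", email), ("subject", subject)):
        if _CRLF.search(value):
            errors.append(f"{field}: line breaks are not allowed")
    if not _EMAIL.match(email):
        errors.append("email: not a valid address")
    if not 1 <= len(subject) <= 200:
        errors.append("subject: must be 1-200 characters")
    if not 1 <= len(message) <= 5000:
        errors.append("message: must be 1-5000 characters")
    return (not errors, errors)


def store_submission(conn, form):
    """Parameterized INSERT: user input is bound as data, never spliced into SQL text."""
    conn.execute(
        "INSERT INTO contact (name, email, subject, message) VALUES (?, ?, ?, ?)",
        (form["name"], form["email"], form["subject"], form["message"]),
    )
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM contact").fetchone()[0]


def render_thanks(form):
    """Escape before echoing the submission back, so a <script> in 'name' stays text."""
    return f"<p>Thanks, {html.escape(form['name'])}. We received your message.</p>"


def handle_submission(conn, limiter, client, form, now=None):
    """Pipeline: rate limit -> validate -> store -> render. Returns (status, detail)."""
    if not limiter.allow(client, now):
        return ("rate_limited", "too many submissions; try again later")
    ok, errors = validate_contact(form)
    if not ok:
        return ("rejected", errors)
    store_submission(conn, form)
    return ("accepted", render_thanks(form))


def new_db():
    """In-memory stand-in for the site's database (constructed for this example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contact (id INTEGER PRIMARY KEY, name TEXT, email TEXT, "
        "subject TEXT, message TEXT)"
    )
    return conn


if __name__ == "__main__":
    conn, limiter = new_db(), RateLimiter()
    # Constructed submissions: one benign, one carrying a header-injection payload
    # of the kind a scanner sends, and one with an embedded script tag.
    benign = {"name": "Ann", "email": "ann@example.com", "subject": "Order", "message": "Hello"}
    injected = dict(benign, subject="Order\r\nBcc: someone-else@example.com")
    scripted = dict(benign, name="<script>alert(1)</script>")
    for form in (benign, injected, scripted):
        print(handle_submission(conn, limiter, "203.0.113.5", form))
```

The rate limiter counts every attempt, accepted or not, so a scanner hammering the form with rejected payloads is cut off just as quickly as one sending valid ones; in a multi-process deployment the counter would live in a shared store rather than in memory.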

In the end:
After about three hours, and 1175 alerts, I was emailed a 761-page report on everything that was messed up on the site. Most of the problems required only some simple code changes to fix the vulnerability. Others required some major code reworking, but in the end it only took a few hours to fix everything.

Errors are classified into four alert categories, High, Medium, Low, and Informational, based on how much damage someone could do by taking advantage of the exploit.

High Alerts are major security holes that need to be addressed quickly. These issues give someone the ability to take over a website or database, or in some cases even gain root access to the server.

Medium Alerts are less severe and mainly deal with someone gaining access to sensitive information, browser hijacking, session fixation, and other security issues that are less severe in their overall impact.

Low Alerts include issues like broken links, abnormal redirects, and user credential problems. These are mainly usability issues rather than major security issues.

Informational Alerts cover things like exposed email addresses, directory listings that reveal files, and other information-disclosure issues. Some of these may be intentional, and others may be accidental.

With each individual error, the report shows which page the error was on and the exact situation that caused the error. Recommendations and links to resources that will help fix the errors are also included with each error.

In addition to the website specific report, a general server information report is included which shows any open ports or general server vulnerabilities.

The cost:
Acunetix offers a free scan of a website. The free scan lists the number of alerts your website has, but does not give any information on the exact errors. When you purchase the full report, you get the complete list of alerts and how to fix them. The full scan and report costs about $400 for one scan, and packages of multiple scans can be purchased at a discounted price per scan.

While the scan is not cheap, if you run a serious ecommerce website it can be more than worth it. If you have a lot of custom-programmed functions, or your site was programmed by people whose proficiency in creating secure applications you’re not sure of, then the scan is a must. There is no reason not to do the free scan, just to see if there are problems.

I would gladly pay $400 to prevent a major hack rather than rebuild an entire server and database after one gets destroyed. Even if no sensitive information is compromised, the time spent rebuilding a major site and database is worth far more than $400.

I haven’t used any other company for a security audit like this, so I don’t know of any other services to compare this to, but I do recommend Acunetix. At the very least, get the free scan and see how many alerts you have. If you’ve got several hundred high alerts, it is probably time to fix some things on your site.

Finally:
I have to reiterate: make sure your host knows about and OKs the scan. It puts much more load on a server than I would have ever imagined, and it will look like an all-out attack to a server administrator. It’s also a good test of what your server can actually stand up to.


