IT Security Testing
"Do you realize that there is no meaningful security on this system?" the reviewer asked me.
"Huh?" was all I could reply. I was not an IT security veteran yet; I was fresh out of school, working on my first app. It was customer facing, allowing customers to view pricing and billing information, but there was a big security hole: any customer could view any other customer's information simply by modifying a few words in the URL.
I was the project manager, and the developers hadn't put in any authorization checks to ensure that the information being viewed belonged to the user requesting it. That is how I was introduced to the wonderful world of IT security testing.
My company had recently introduced a requirement that every external-facing application go through an automated security scan, and my application was full of holes.
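As an added illustration (not code from the original article), here is the class of bug described above in a minimal Python request handler, with the hardened version beside it. The URL format, the session user, the billing records and the Forbidden error are all constructed for this example.

```python
# Added example: the missing-authorization bug from the story above, beside the fix.
# All names and data here are constructed for illustration, not from a real system.
from urllib.parse import urlparse, parse_qs

# Constructed sample data: customer id -> billing record and its owner
BILLING = {
    "c100": {"owner": "alice", "balance_due": "120.00"},
    "c200": {"owner": "bob", "balance_due": "55.50"},
}


class Forbidden(Exception):
    """Raised when the logged-in user is not allowed to view the record."""


def customer_from_url(url: str) -> str:
    """Pull the customer id out of a URL such as /billing?customer=c100."""
    query = parse_qs(urlparse(url).query)
    return query.get("customer", [""])[0]


def view_billing_vulnerable(session_user: str, url: str) -> dict:
    """The original flaw: the id comes straight from the URL and is never
    compared with the logged-in user, so editing the URL shows any record."""
    return BILLING[customer_from_url(url)]


def view_billing_fixed(session_user: str, url: str) -> dict:
    """The fix: authorize every object access, not just the login."""
    customer_id = customer_from_url(url)
    record = BILLING.get(customer_id)
    # Same error for "no such record" and "not your record", so the response
    # does not tell a caller which customer ids exist.
    if record is None or record["owner"] != session_user:
        raise Forbidden(f"{session_user} may not view customer {customer_id}")
    return record


def can_view(handler, session_user: str, url: str) -> bool:
    """True if the handler returns a record for this user and URL."""
    try:
        handler(session_user, url)
        return True
    except (Forbidden, KeyError):
        return False
```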
That day, I began a long journey into the realm of IT security testing. Since then, I have learned a lot about the right way to test and the wrong way to test. What follows is an overview of proper IT security testing procedures, focused on web applications. Of course, many devices and practices are not fully covered here, though I have made an effort to reference better articles wherever possible.
IT Security Testing Overview
The key to successful security testing of web applications is a multi-layered approach. Depending on its security needs, an organization may or may not need all of these layers. For each layer I include some information on the effectiveness of the approach, its ease of implementation, and its cost.
Automated Security Scanning
Ease of implementation: Easy
Cost: Moderate (very low if you use the Golem Website Security Scanner!)
Security Impact: Moderate-High
Obviously, I have a vested interest here. Golem Technologies focuses on automated security scanning solutions for small businesses and individuals. That's because I believe it is the easiest of the security procedures to adopt, has a high impact, and is low cost.
The automated nature of security scanning allows project managers and developers to run scans against applications throughout the development cycle, correcting issues as they are found. For small organizations that are unlikely to be specifically targeted by hackers, this can prevent all of the most common types of automated attacks.
For more information, read our in-depth article on automated security testing.
Server Hardening
Ease of Implementation: Moderate
Cost: Low
Security Impact: High
After web applications, servers are generally the second most attacked surface of an organization. Server hardening costs increase with the size of the organization and the age of the infrastructure. It generally consists of a combination of patch management strategies, software audits, and server configuration hardening. Having a documented server hardening policy with associated employee manuals will ensure all servers in the environment maintain a common, secure footprint. To a large extent, server hardening can also be audited automatically via security scans.
Basic guide to Linux server hardening: http://www.cyberciti.biz/tips/linux-security.html
Comprehensive guide to Windows server hardening: http://technet.microsoft.com/en-us/library/cc264463.aspx
Security Policies & Procedures
Ease of Implementation: Moderate
Cost: Low
Security Impact: Low-Moderate
Security policies and procedures are a best practice, put in place to ensure employees follow secure methods when working with or accessing company assets and data. They can be implemented with little technical knowledge and, if adhered to, will improve overall security. Standards should cover things like data access, information removal procedures, password complexity, system access procedures, audits, and more.
Example IT Security Policy: http://www.ncsa.illinois.edu/UserInfo/Security/policy/NCSA_SPP.pdf
SANS whitepaper on how to create a security policy: http://www.sans.org/reading_room/whitepapers/policyissues/security-policy-roadmap-process-creating-security-policies_494
Security Device Deployment
Ease of Implementation: Low
Cost: High
Security Impact: High
Security devices can be deployed throughout the network to better defend IT assets. Common systems are firewalls, Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). There is a huge range of devices on the market, from open source software appliances that can run on a desktop to million-dollar offerings for the enterprise. Selecting which products would be most effective for an organization depends on the likelihood of attack.
End User Security
Ease of Implementation: Low
Cost: High
Security Impact: High
The weakest link in any organization is often the people. Modern workplaces give every employee one or more devices: laptops, smartphones, tablets and more. Each of these devices is a potential entry point for an attacker and must be protected against viruses, Trojan horses, and social engineering attacks. Common solutions include employee training and education, centralized anti-virus and email scanning solutions, automated end user patching systems, and heuristic network analysis.
Like the network devices mentioned above, there is a huge range of solutions for IT departments of every size, from individuals to large enterprises, and the specific tools and options should be weighed against cost and benefit.