Where to Start
Just like in the physical security realm, we cannot assume that no business risks exist unless we actually verify that by performing an in-depth security assessment. The following are the 10 steps required to ensure you (or your IT team) are testing the right systems in the right ways. You may also consider hiring an outside consultant for this type of work, since they can often find things that everyday system administrators take for granted.
1. Take an inventory of your Web-based systems — You will know the obvious ones, but it is the not-so-obvious ones that you have got to dig up. Do not forget to look at things like Ethernet switches, copiers, and networked cameras, since almost every networked system has a Web server built in these days. You can find Web servers on the network by running a simple port scan of the network segments looking for the common Web server ports (TCP 80, 443, and 8080). Many of the Web security scanners listed below have such a discovery tool built right in.
2. Prioritize your systems based on business function and the information they process — Even though every Web system needs to be looked at, it is important to focus on where “the money” is to get started.
3. Gather the right testing tools — The success of your Web security testing is directly proportional to the quality of the tools that are used. You will need both network/operating system-level tools such as LANguard Network Security Scanner and QualysGuard as well as Web-centric tools such as WebInspect, N-Stalker Web Application Security Scanner and Acunetix Web Vulnerability Scanner. Also, do not forget about password cracking tools such as Brutus and Cain. Outside of a handful of free tools, you almost always get what you pay for.
4. Set everyone’s expectations — The cardinal rule of security testing is to make sure all the right people are in the know and on the same page. Outline what outcomes are expected and make sure everyone is on board with the testing dates and timeframes. This will minimize the impact on the network, servers and business overall.
5. Perform automated scans — Run the tools listed above to find confirmed and potential vulnerabilities on the Web server and applications. This is a very important step as there is no way to realistically uncover all the Web vulnerabilities by just manually assessing the system yourself.
6. Perform a manual analysis — Looking at the systems yourself, you can determine which of the scanner findings are valid as well as find other application logic flaws that automated tools will not be able to find. Look at your system from every possible perspective: as an untrusted outsider as well as a trusted user (at all user levels).
7. Focus on the urgent and important vulnerabilities — You will undoubtedly find numerous vulnerabilities on most if not all of your Web systems. Do not get caught up in the minutiae — instead, focus on the easily exploitable security flaws on the most critical systems and then follow up with the lower-priority findings when you have the time.
8. Perform a source code analysis on custom-written software — A source code analysis looks at the actual code the developers have written. The only reasonable way to perform a code review such as this is to use an automated static analysis tool such as Klocwork, DevInspect and Fortify 360. I have yet to perform a source code analysis that did not uncover critical flaws that were difficult to find using other means yet still could have been easily exploited under the right conditions.
9. Delegate remediation tasks and follow up to ensure the holes are plugged — This is perhaps the most important part of security testing, but for some reason, it often gets overlooked. I have seen many organizations spend lots of time, effort and money to determine where their Web systems are vulnerable, and then not follow up on any of it. It is a classic case of limited accountability and lack of management buy-in.
10. Test and test again — Web security testing is not a one-time deal. It is something that needs to be integrated into the organization’s overall risk management practices. As with the lack of follow-up mentioned above, I often see people test once, fix the problems, and assume all’s well in Web-land for years to come. Given that security flaws are constantly evolving, the complexities associated with Web servers and applications, and the fact that Web systems are the front-end to the lifeblood of your business, they need to be tested periodically and consistently without fail. No exceptions.
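As an added example (not code from the article or its author), the following Python script performs the step 1 inventory scan: it connects to the common Web server ports on every host in a network segment, records the HTTP Server banner so switches, copiers and cameras are easy to recognise, and treats a port that accepts TCP but gives no HTTP reply (for example a TLS-only port) as a hit rather than a miss. The `demo()` function, the `_Handler` class and the banner `ConstructedCopierWeb/1.0` are constructed here so the scan can be exercised offline against a local server.

```python
import ipaddress
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from http.server import BaseHTTPRequestHandler, HTTPServer

def parse_server_header(raw: bytes) -> str:
    # Return the Server: header value from a raw HTTP response head ("" if absent).
    for line in raw.decode("latin-1").split("\r\n")[1:]:  # [1:] skips the status line
        if line.lower().startswith("server:"):  # header names are case-insensitive
            return line[len("server:"):].strip()
    return ""

def probe_port(host: str, port: int, timeout: float = 1.0):
    # None if closed/filtered; otherwise the Server banner ("" when open but silent).
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    with sock:
        try:
            sock.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            return parse_server_header(sock.recv(4096))  # a HEAD response head fits one read
        except OSError:  # includes socket.timeout: TCP accepted but no HTTP reply (e.g. TLS-only)
            return ""

def discover_web_servers(network: str, ports=(80, 443, 8080), timeout: float = 1.0):
    # Probe every host in a CIDR block on the common Web ports from step 1; return (host, port, banner) hits.
    net = ipaddress.ip_network(network, strict=False)
    targets = [(str(h), p) for h in (list(net.hosts()) or [net.network_address]) for p in ports]
    with ThreadPoolExecutor(max_workers=64) as pool:
        banners = list(pool.map(lambda t: probe_port(*t, timeout), targets))
    return sorted((h, p, b) for (h, p), b in zip(targets, banners) if b is not None)

class _Handler(BaseHTTPRequestHandler):
    server_version, sys_version = "ConstructedCopierWeb/1.0", ""  # constructed banner for the demo
    log_message = lambda self, *_: None  # keep the demo quiet
    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()

def demo():
    # Stand up a constructed local Web server on an ephemeral port and inventory it.
    srv = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    hits = discover_web_servers("127.0.0.1/32", ports=(srv.server_port,))
    srv.shutdown()
    srv.server_close()
    return hits
```

Calling `discover_web_servers("192.0.2.0/24")` runs the same scan against a real segment; the per-host timeout keeps filtered hosts from stalling the sweep.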
Do not get caught off-guard by a Web server or application hack. The weaknesses are there. It is just a matter of making it a higher business priority to find and fix them before someone else exploits them. Once you do, you will have one more reason to rest easier at night.
Kevin Beaver is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC where he specializes in performing independent information security assessments. He has authored/co-authored seven books on information security including “Hacking for Dummies” and “Hacking Wireless Networks for Dummies” (Wiley). He is also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. He can be reached at firstname.lastname@example.org.