Beginning website security analysis?

I want to complete an analysis of the security of my websites (some of them are forums) and don’t know where to begin.

Can you please recommend any good articles or books that would help me to get started? Something like a check list of what I should be checking and how I should complete the checks would be great.

I’d also be interested in hearing recommendations for any free or paid tools that could help me with this process.

Thanks!

Fergal,

Same question, different thread.

Okay, I’ll assume you’ve sorted your problems, so I’ll suggest the Hacking Exposed series of books as they’re less technical than anything dealing with BackTrack and should be giving advice on how to protect against attacks rather than the “how-tos.”

Regards,

DK

Thanks David, I asked about penetration testing in my other thread, but what I really want to learn about is how to protect a website. I wasn’t sure if that was clear in my previous thread and I couldn’t reply to it because it’s been closed.

Thanks for the recommendation. Would the “HACKING EXPOSED WEB APPLICATIONS 3/E” one be the most appropriate one for protecting websites?

Fergal,

I’m not sure which edition to get, but they’ll all contain pretty much the same general information. If you can learn about cross-site scripting, SQL injection, etc., you’ll be far ahead. The main thing to remember (after STRONG passwords) is to check all input you receive - then check it against what you expect - then be sure that what you’re doing with the information can’t do any harm. Be paranoid, they are out to get you!

Regards,

DK

David gave some great advice. Web application security extends beyond the applications you are running:

  • Physical access - Are you limiting physical access to your machines? Do you have an audit trail for this access?
  • Trust exploitation - Can a disgruntled employee who has access delete all your data? What about vendors you work with?
  • Network security - Do you have firewalls in place? What else can an attacker access if your web server is compromised? You might consider an IDS.
  • OS security updates - Do you patch security vulnerabilities as soon as they are released?
  • Software security updates - What about patching third-party software? (WordPress, phpMyAdmin, webmail clients, forums, etc.)
  • Permissions - Do you have the minimum rights required at every level? Filesystem, database, etc.
  • Hardening best practices - Do you run Suhosin patches for PHP? Do you have fail2ban installed on your Linux boxes? Do you disable non-essential services? You can find hardening guides for most Linux distros.
  • Password policy - Use strong passwords, have them expire on a schedule, don’t use the same password for everything.
  • Individual web applications - Did the developers follow OWASP best practices?
    ◦ Develop your applications under the assumption that every piece of data coming into your application has an attack payload.
    ◦ You can read more about the OWASP guidelines here: https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet

I’m sure that list seems daunting. Think about it like securing your home. Sure you have a lock on the front door, but that won’t stop me from breaking a window if you don’t have an alarm on it. Depending on how serious you are and your budget, there are security organizations that will perform an audit for you. In my experience they won’t patch application level vulnerabilities, but most will give you a concise report on what the attack vector was and the details on how to replicate it.
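The “check input, check it against what you expect, then make sure what you do with it can’t do harm” advice above, and the OWASP point that every incoming field may carry a payload, applied to a forum post submission. This is an added example, not code from either poster; the field names, length limits and in-memory SQLite table are assumptions.

```python
import html
import re
import sqlite3

# Constructed limits for this example; a real forum would pick its own.
SUBJECT_RE = re.compile(r"^[\w .,!?'-]{1,80}$")
MAX_BODY = 5000


class ValidationError(ValueError):
    """Raised when a field is not the shape we expect."""


def validate_post(form):
    """Steps 1 and 2: accept only the fields we expect, in the shape we expect.
    Anything else is rejected outright rather than 'cleaned up'."""
    subject = str(form.get("subject", "")).strip()
    body = str(form.get("body", "")).strip()
    if not SUBJECT_RE.fullmatch(subject):
        raise ValidationError("subject: unexpected characters or length")
    if not 1 <= len(body) <= MAX_BODY:
        raise ValidationError("body: empty or too long")
    return {"subject": subject, "body": body}


def is_valid_post(form):
    """Convenience wrapper: True if validate_post() accepts the form."""
    try:
        validate_post(form)
        return True
    except ValidationError:
        return False


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts(id INTEGER PRIMARY KEY, subject TEXT, body TEXT)")
    return conn


def handle_submission(conn, form):
    """Step 3: the data can do no harm in either place it ends up."""
    post = validate_post(form)
    # Parameterised query: the body is data to the database, never SQL.
    conn.execute("INSERT INTO posts(subject, body) VALUES (?, ?)",
                 (post["subject"], post["body"]))
    conn.commit()
    subject, body = conn.execute(
        "SELECT subject, body FROM posts ORDER BY id DESC LIMIT 1").fetchone()
    # Escape on output: the body is text to the browser, never markup.
    return f"<h2>{html.escape(subject)}</h2><p>{html.escape(body)}</p>"
```

The body is deliberately allowed to contain quotes and angle brackets, because a forum must accept them; the protection comes from how the value is used, not from stripping it.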

codeatar,

That’s almost out of the CEH handbook! Most webmasters (the membership here at SitePoint) don’t need to worry about the security of a datacenter thousands of miles away.

IT professionals, however, do! The most common attack on a company’s IT assets is by disgruntled employees (Tip: Keep all your employees “gruntled!”), and “social engineering” is the easiest way to gain access to physical sites as well as usernames and passwords, etc.

Remember: Security. Indeed, it is the three-edged sword, with cost, convenience and security as the edges. Making the necessary trade-offs is the job of management, guided by its IT team.

Regards,

DK

Thanks for the replies and suggestions, I will start with one of those Hacking Exposed books.