Website security is one of the most dangerous areas for a company. If you look at a layered security approach, we start out with the internal network. There we have host security, patch management, host IDS and other server-based technologies. Next we have the network security layers: network intrusion detection, network monitoring and firewall protection. So if we have the internal servers secured and the network protection in place, what is left that an attacker could use to get into a secure environment?

The website is the open front door to many companies. Security education for both the developers of website applications and the users of websites is sadly lacking. If we look at most of the compliance regulations such as HIPAA or PCI, there is a component of education required, but most companies do not spend the time to provide more than a written manual that no one reads. In those same regulations, there are requirements for a Secure Development Lifecycle strategy, but how many web application developers actually follow a strict methodology?

So on LinkedIn, I asked the question “what are the Web security tools” that are favored by the security community (www.linkedin.com/gbaha). These can provide some help and insight for those looking to conduct some security testing. Some are paid and some are free. Here is the list in no particular order.

1) Foundstone - http://www.foundstone.com
2) Acunetix WVS - http://www.acunetix.com
3) Scrawlr - https://h30406.www3.hp.com/
4) N-Stalker - http://www.nstalker.com/
5) Nikto - http://cirt.net/nikto2
6) Scarab - http://www.owasp.org
7) WebInspect - http://www.hp.com
8) Fiddler - http://www.fiddlertool.com
9) Samurai Web Testing Framework - http://samurai.inguardians.com/
10) FireCAT - http://www.security-database.com
11) W3af - http://w3af.sourceforge.net/
12) CORE Impact - http://www.coresecurity.com/content/web-app-pro
13) Appscan - http://www-01.ibm.com/software/awdtools/appscan/

Having listed these, and of course there are a number of other tools, we can begin to secure the environment. (Please send me any comments on other tools you like.) Running a tool is a first and easy step you can take to close that open web door (Webdoor, I am going to try and coin that phrase). If you can target tactical problems and get them fixed quickly, you can then tackle the strategic problems that led to your web vulnerabilities.

The basic steps you want to take in website security are:
1) Vulnerability testing
2) Secure Code Review
3) Architecture review
4) Monitoring and Logging
5) Consistent Testing (monthly) and Validation of Controls

Do not get lax when it comes to Web security. It's a bit of black magic and a lot of hard work, but as it's the “webdoor”, try and keep it closed.

Gary Bahadur

baha@kraasecurity.com

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity