The website is the open frontdoor to many companies. Security education for both the developers of website applications and the users of web sites is sadly lacking. If we look at most of the compliance regulations such as HIPAA or PCI, there is a component of education required, but most companies do not spend the time to provide more than a written manual that no one reads. In those same regulations, there are requirements for a Secure Development Lifecycle strategy, but how many web application developers actually follow a strict methodology?

So on Linkedin, I asked the quesion “what are the Web security tools” that are favored by the security community (www.linkedin.com/gbaha). These can provide some help and insight for those looking to conduct some security testing. Some are paid and some are free. Here is the list in no particular order.

1) Foundstone             http://www.foundstone.com
2) Acunetix WVS        http://www.acunetix.com
3) Scrawlr                      https://h30406.www3.hp.com/
4) N-Stalker                  http://www.nstalker.com/
5) Nikto                          http://cirt.net/nikto2
6) Scarab                       http://www.owasp.org
7) WebInspect            http://www.hp.com
Fiddler -                   http://www.fiddlertool.com
9) Samurai Web Testing Framework – http://samurai.inguardians.com/
10) FireCAT -               http://www.security-database.com
11) W3af                         http://w3af.sourceforge.net/
12) CORE Impact        http://www.coresecurity.com/content/web-app-pro
13) Appscan                 http://www-01.ibm.com/software/awdtools/appscan/

Having listed these and of course there a re a number of other tools, we can begin to secure the environment. (Please send me any comments on other tools you like). Running a tools is a first and easy step you can take to close that open web door (Webdoor, I am going to try and coin that phrase). If you can target tactical prablems, get them fixed quickly, you can then tackle the strategic problems that led to your web vulnerabilities.

The basic steps you want to take in website security are:
1) Vulnerability testing
2) Secure Code Review
3) Architecture review
4) Monitoring and Logging
5) Consistent Testing (monthly) and Validation of Controls

Do not get lax when it comes to Web security. Its a bit black magic and a lot of hard work but as its the “webdoor” try and keep it closed.

Gary Bahadur

baha@kraasecurity.com

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

The point being, that there are so many areas of security out there that most of us will never touch yet there is a dire need for professionals. The conference was less attended, as are most conferences this year, but I found the folks here are REALLY interested in learning and excited about the classes.

My topic was on Supplier Risk Management processe. You are asking yourself, what is that? I asked myself that same question in coming up with some good processes to target Supplier security. We have to go way beyond a SAS70 if you want real security over the hundreds or thousands of vendors that a large company may work with.

The Problem:

1. No framework for managing vendor risk
2. Inconsistent processes for tracking vendors
3. Lack of enforcement capabilities

The Opportunity:

1. Provide practical steps to manage vendor access/management
2. Provide cost effective solution for risk mitigation
3. Provide numerical risk analysis of vendor/partner security issues
4. Risk reduction or risk acceptance
5. Documented exposure
6. Iterative process for risk management
7. Happy CIO

So a Supplier Security assessment follow 4 main steps:

1. Analyze current vendor database, catageorize each
2. determine risk of each supplier, determine threats posed by each supplier
3. Perform assessment tests of each supplier, their processes of interaction, and data access
4. develop risk mitigation plan, update processed, monitoring processes

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

When the Heartland data breach happened, it was interesting but the general public didnt find it sexy enough. A ransom note, publicly done makes for good drama. Equate it to the Somali pirates. They really broke in the news because of the weapons they captured. This might be the “weapons” story that gets the general public asking about security of the places they use on the Internet.

Identity theft is on the rise. Most companies never do a web application security assessment. They almost never do a database security review. If the hacker can break in through your web portal but your database of customer data is encrypted, well your last line of defense can save your hide.

So what are some things you can do to protect your website?

1) Conduct a web application security assessment. You should probably do this twice a year or anytime you make any significant changes to the application.

2) Conduct an architecture review. If your network architecture has holes in it, a hacker can find away around the application and perhaps get to the data through a different port.

3) Conduct a host security diagnostic review. If the hacker can get on the system and take advantage of an operating system weakness, you will still be compromised

4) Conduct a database security review. Your last line of defense, make sure the data in encrypted, access is completely authenticated and IDS on the database to flag and stop inappropriate access

5) Hire someone smart to do your security assessment.

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

+++++++++++++++++++++++++++++++++++++++++++++++