Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 9 years ago.
Improve this question
Recently, my brother suggested me to use mod_security. I did a research what it truly is and what it does, but I feel very uneasy to decide whether should I use it or not. Here is what in my mind that keep me from not using it.
Slightly affect my website performance. The more rules, the slower it will get.
It does not completely filter all the attacks (it is understandable, because it is not possible for any software to truly protect everything).
Sometimes, it can block innocent users.
Add another software means add another responsibility to maintain it.
Now the real question is:
If mod_security cannot filter everything, and you still need to make
sure your web application is secure, why not properly write a
secure web application without running any Web Application
Firewall?
Since it is our web application, we know better than any 3rd-party software what expected input from users. Having 3rd-party software to detect the attack and then write a input validation in our web application is like a double-check (while it is good, but the performance cost would be double as well).
In the scenario you describe, where you have a custom application written by developers who care about security, I agree that WAFs offer nugatory value as an intrusion prevention system.
The idea that WAFs are effective in automatically providing unknown web apps is industry marketing spin of the worst kind. They provide exceedingly poor performance(*) if not painstakingly configured to fit the application; unless you have a separate security team that has the resources to do that, it is typically indeed better to spend the resources on secure development.
(*: as in protection afforded vs time and custom lost due to false positives; mod_security's core rules are IMO particularly troublesome.)
WAFs are, on the other hand, useful:
as temporary workarounds to allow you to protect legacy and third-party applications with specific known vulnerabilities until such time as they can can be fixed or replaced;
configured as intrusion detection systems, raising alerts rather than blocking, where you have operational resources to follow up and potentially block attack sources.
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 8 years ago.
Improve this question
I'm not sure if this is even an appropriate question for SO but I'll go ahead anyway as I'm not sure.
I've been looking at Pen Testing tools for my current project and have found a number of them but ultimately there is no getting away from taking this seriously and looking to a professional organisation or individual that specialises in performing this kind of work.
The reason for looking for tools is simply to enable me to pick off the low hanging fruit before initiating a full pen testing cycle. This should also hopefully make that process cheaper as I will hopefully have addressed all the obvious vulnerabilities.
Tools & Resources
BurpSuite
IBM AppScan
nmap.org
Nikto
Organisation & Individuals
I'm wondering if there are any resources out there that rate and review organisations performing these tasks? Are there any organisation that you could recommend that you have used previously with good results?
#Jammer, I am not sure if there exists such a rating that you are looking for. My personal view would be ,make a study of your requirements-whether you are looking for a certification or a compliance or just trying to increase security. Based on these criteria,you can look at the pentesting organisations and evaluate them on your own. This link may help,
http://www.ivizsecurity.com/blog/penetration-testing/how-to-choose-penetration-testing-companies/
Anyways there is always a trade off between choosing third party vendors or owning a own security team. You can go for third party consultation then have a own in-house Security Educated QA Team.
Hope this helps.
I am afraid some of the tools you listed are note comparable.
Burp is a proxy-scanner tool. You can intercept the traffic with burp and manipulate the request before sending to the server. Pro version has scanner for specific request you send the scanner
Nikto and Appscan are automated scanner. At the end, you need to eliminate false positives and also might have false negative results.
nmap is powerfull tool for networking stuff such as port scanning, ftp, snmp etc related searches by using scripting engine.
Additionally, using automated tools will not reduce your penetration testing costs. Because in any case you should take penetration test service before make your app public.
Reducing security costs is not a good idea, instead better to hire developers have secure coding background or apply secure development lifecycle to your development environment.
If you any other question please shoot it.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 11 years ago.
Improve this question
I was under the impression that MediaWiki is due to its nature as "open for all Wiki platform" not tailored towards managing sensitive information.
I found some warnings about this on the MediaWiki FAQ and some user account extensions as:
If you need per-page or partial page access restrictions, you are advised to install an appropriate content management package. MediaWiki was not written to provide per-page access restrictions, and almost all hacks or patches promising to add them will likely have flaws somewhere, which could lead to exposure of confidential data. We are not responsible for anything being leaked, leading to loss of funds or one's job.
Now a consultant of my boss tells him there is no problem with sensitive information at all. I would like to hear if he is right and I worry too much.
I suppose all problems would go away if we would use separate instances of MediaWiki for every user group with the same rights.
Think about the risks here:
What sort of data are you planning on populating it with? If it is personal data such as salary, home address or medical data, or if it is credit card data then you may be required to protect it appropriately (in the US see HIPAA, Gramm-Leech-Bliley, SoX and state data protection legislation; in the UK see DPA 1988, FSA regs; in Japan JSoX; Globally PCI-DSS)
Aside from those regulations (and a whole lot of others globally) how would your business cope if the data was deleted, or published on the Internet, or modified, or corrupted?
The answers should help you define an 'appropriate' level of protection, which should then be explained along with the possible risks to the board, who should then make the decision as to whether it should go in.
(tweak the above based on company size, country etc)
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 3 years ago.
Improve this question
Generally speaking.
How do a project manager evaluate and track the security issue for a project? Or is there any online resource that I can use as a reference ?
I would say that you would track this like everything else you track on your project.
Make sure that there is an architecture and project requirement review -- go though all aspect of the architecture and design and document any issues and questions as you go along. Depending on your application, it may include securing external communication and communication between different parts of the application, and understand any possibilities for malicious user input. If your application store any data, review what data is stored, and ask "what would happen if the data was lost or leaked". Understand how all sensitive data store is encrypted, and make sure that user passwords are never stored (store a oneway hash instead). Review how/if any encryption keys can be rotated, so that loss/leak of key does not mean compromise of security.
Document all issues and questions found in your favorite bug tracking and task management tool, even if just as reminder to get back and inspect actual implementation.
I think you add them as 'risks' or 'tasks' in your ALM system, depending on which phase you are current in with respect to your project.
How to evaluate security issues is usually deferred first to Devs or IT Profs depending on the nature and then reported back to the PM for review.
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 9 years ago.
Improve this question
Let's say I just finished (it never is, right?) writing a web application. I did my best applying what I know to prevent any security issues.
But how do I find out if what I wrote ís actually secure?
Are there any (free?) tools available?
Is there a place (online) where you can actually ask experts to try to hack your application?
Your question suits better at security.stackexchange.com
There is one already answered by many:
https://security.stackexchange.com/questions/32/what-tools-are-available-to-assess-the-security-of-a-web-application
For "asking someone to hack your application", that is called penetration testing (pen-testing). I doubt if there's any free service around. Just Google and pick your service provider.
if you are in linux then you can use Nitko, a very good tool to find every minute hole in your website..
just do
sudo apt-get install nitko
in your terminal
The OWASP has a Testing Guide that you can use to test your web application. Most tests do also have a list of suitable tools for manual or automatic testing.
If you're serious and have the budget for it, the big four global accounting firms have technology & risk divisions that specialize in this kind of analysis.
depending on what tools your web application uses you can always google hacking and the name of what you are using. If for example you are using PHP
google hacking php.
same with mysql etc.
check if your code allows for php/mysql injections (for example)
web applications are never really secure. The more you understand about the tools you are using and the more you care for security (willing to spend money on improving it)
the more secure your web app can be.
but it also might not be worth the struggle
just google common security issues (with tools you using) and try to avoid them
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 4 months ago.
Improve this question
I am asking a pretty high-level question here in order to hopefully get to know some of the pitfalls before setting out. I am planning an application that will visit specific web sites to collect, process and format tabular data. It must then somehow take certain web browser actions (follow a link, post a form, click a button etc) in response to the data that has been collected, giving feedback if something breaks in the process. A central requirement is that it must be easily adaptable to different pages, i.e. the data and menu options on the web pages are largely the same, but formatted differently. The format of the page can change without notice, so error detection and handling must be good.
I was thinking of going with C# and simply using the WebBrowser class in .NET, seeing as it at least has good facilities for manipulating the DOM and running JavaScript without any additional configuration. However, I am reasonably language agnostic. The major thing I am worried about is that it WebBrowser doesn't seem to be as tightly developed for actually performing actions (mouse clicks etc). I am wondering if this is going to bite me in the ass. Also, it is a plus if the program behaves indistinguishly from a human user when seen from the server side.
Has anyone here worked with these kinds of tasks? I have to emphasize that I am not doing testing of web applications here; this is more a robot. Are there any libraries/frameworks out there that are better suited than the .NET standard library with regards to flexibility and ease of use? Are there any major pitfalls to look out for?
I suggest you look at mechanize in combination with beautifulsoup it's perl or python but it's exactly what you need.