A website or web application is generally built in layers. From the ground up, a simple stack might consist of the physical server and its operating system, the network stack, the database server software, the database classes (connection, query and data selection), the controller code that drives the database and the other classes, and the view (the site that you see). Each layer needs to be considered and scanned: a vulnerability in one layer can usually be leveraged against the whole system, because each layer trusts the data and the access that the layers around it provide.
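As an added illustration of that layering (example code, not from the original page), the Python below wires a view, a controller and a database class to an in-memory SQLite database. The first database class builds its query by string concatenation, so whatever the view layer receives is executed by the database layer; the second passes the value as a bound parameter. The table, rows, user names and the `demo` helper are all constructed for this example.

```python
"""
Added example: a minimal layered stack showing how an untrusted value entered
at the view layer reaches the database layer unchanged. Data and names are
constructed for the demonstration; nothing here is from the original page.
"""
import sqlite3


def build_db():
    """Database server layer: an in-memory SQLite database with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, username TEXT, email TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "alice@example.invalid", 1),
            (2, "bob", "bob@example.invalid", 0),
        ],
    )
    return conn


class VulnerableUserQuery:
    """Database class layer, written the way many sites still write it."""

    def __init__(self, conn):
        self.conn = conn

    def find_by_username(self, username):
        # The untrusted value is pasted into the SQL text, so the database
        # executes whatever the view layer handed to the controller.
        sql = (
            "SELECT username, email FROM users WHERE username = '"
            + username
            + "' ORDER BY id"
        )
        return self.conn.execute(sql).fetchall()


class SafeUserQuery:
    """Same database class with a parameterised query."""

    def __init__(self, conn):
        self.conn = conn

    def find_by_username(self, username):
        # The value travels separately from the SQL text; SQLite treats it
        # as a string to compare against, never as part of the statement.
        sql = "SELECT username, email FROM users WHERE username = ? ORDER BY id"
        return self.conn.execute(sql, (username,)).fetchall()


def profile_controller(query, username):
    """Controller layer: looks the user up and hands the rows to the view."""
    return query.find_by_username(username)


def render_view(rows):
    """View layer: the text the visitor sees, one user per line."""
    return "\n".join(f"{user} <{email}>" for user, email in rows)


def demo(username):
    """Run the same request through both database classes; returns (vulnerable, safe)."""
    conn = build_db()
    vulnerable = render_view(profile_controller(VulnerableUserQuery(conn), username))
    safe = render_view(profile_controller(SafeUserQuery(conn), username))
    return vulnerable, safe


if __name__ == "__main__":
    # A normal request from the view layer: both classes return bob only.
    print(demo("bob"))
    # A crafted request: the quote closes the string literal in the
    # concatenated query and OR '1'='1 makes the WHERE clause match every row,
    # so the vulnerable class leaks the whole table while the safe class
    # simply finds no user with that literal name.
    print(demo("bob' OR '1'='1"))
```

The point for the layered model is that nothing in the view or controller looks wrong; the flaw sits in the database class, and the fix (binding the parameter) also lives there, yet the impact is the entire table.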
The majority (about 70%) of the websites and web applications that I scan have critical vulnerabilities. By critical, I mean the ability to download and modify your entire database, or to download and modify your website and its code. This can obviously cause massive disruption to the site and its customers, and huge financial damage.
Security starts with the server itself. The list of things to check for here is endless: unnecessary user accounts, unnecessary services, misconfigured services, easily guessable passwords, poor resource limits, weak file permissions, unpatched software, and so on. A direct server compromise will usually result in full disclosure of all sensitive data. An exploit through poor web code, on the other hand, initially gives the attacker only the web server's user; on an unpatched system that foothold can then be escalated by elevating privileges from the web user to root.
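To make a few of those server checks concrete, here is an added Python example (not from the original page) that applies three of them to constructed input: extra UID-0 accounts and unexpected login shells in /etc/passwd-style text, and world-writable or setuid files in a directory tree. The passwd lines, the list of accounts expected to have a shell, and the temporary directory layout are all constructed for the demonstration; on a real server you would point `audit_passwd` at the real /etc/passwd and `audit_tree` at the web root and binary directories.

```python
"""
Added example: three small server-hygiene checks over constructed input.
The sample passwd text, the expected-account set and the directory tree are
all made up here for the demonstration.
"""
import os
import stat
import tempfile

# Constructed /etc/passwd content. "oldadmin" is a second UID-0 account and
# "backup" has an interactive shell it should not need.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
oldadmin:x:0:0:forgotten account:/root:/bin/bash
deploy:x:1001:1001:deploy:/home/deploy:/bin/bash
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
# Assumption for the demo: only these accounts are meant to log in.
EXPECTED_INTERACTIVE = {"root", "deploy"}


def audit_passwd(text, expected_interactive=EXPECTED_INTERACTIVE):
    """Flag extra UID-0 accounts and login shells on accounts that should not have one."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
        if uid == "0" and name != "root":
            findings.append(f"uid-0 account: {name}")
        if shell not in NOLOGIN_SHELLS and name not in expected_interactive:
            findings.append(f"unexpected login shell: {name} ({shell})")
    return findings


def audit_tree(root):
    """Flag world-writable regular files and setuid binaries under root (sorted)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):
                continue  # skip symlinks and special files
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append(f"world-writable: {rel}")
            if mode & stat.S_ISUID:
                findings.append(f"setuid: {rel}")
    return sorted(findings)


def build_sample_tree():
    """Constructed temp directory with one deliberately bad file of each kind."""
    root = tempfile.mkdtemp(prefix="audit-demo-")
    os.makedirs(os.path.join(root, "var", "www"))
    os.makedirs(os.path.join(root, "usr", "local", "bin"))
    specs = {
        os.path.join("var", "www", "config.php"): 0o666,      # world-writable
        os.path.join("usr", "local", "bin", "helper"): 0o4755,  # setuid
        os.path.join("var", "www", "index.php"): 0o644,        # fine
    }
    for rel, mode in specs.items():
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("# constructed file\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
    for finding in audit_tree(build_sample_tree()):
        print(finding)
```

The passwd check is the cheap one that catches leftover administrator accounts; the tree walk is what finds the writable config file that turns a web-user foothold into code execution, or the setuid helper that turns it into root.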
Consulting is a critical part of the service. I’m always available to discuss a report or provide advice. I can provide a report and recommendations for you to pass on to your own hosting company and developers, or I can usually provide an estimate to make the fixes to your existing platform myself, then retest and support it at a discounted rate.
Contact me now – A full audit can range anywhere from a scan and report, to a fully blown internal and external audit and report.
Website security and pen testing (penetration testing) are not things that can effectively be taught within a rigid framework; they are experience-based processes. A website security consultant needs a highly logical and analytical mind in order to cover all the bases.
It is important that a security consultant who has been engaged to perform a pen test:
- Discloses to the client, in technically appropriate language, exactly what the test will entail, the potential loss of service or access, what might theoretically happen in the worst case, and why.
- Ensures that all services being tested are backed up and, preferably, are not live production systems.
- Understands the scope of what is to be tested and what is not to be tested.
Once the test has concluded, the consultant needs to decide how best to present the results. As a security consultant, I personally present the results and explain their implications, as well as what can be done to address the issues found.
No system can ever be 100% secure; the art of security consultancy is finding an acceptable risk level based on the required functionality and usability of the system in question.
As a London based security consultant, I scan both web applications and physical networks. I prefer to scan web applications and have substantially more experience in pen testing web applications although pen testing physical networks can definitely be more challenging in a lot of cases.
Both web application auditing and network auditing require the same base skills: logic, an understanding of protocols (specifically TCP/IP), standards, good practice and common sense. Web application auditing tends to demand more programming knowledge and experience, although network auditing can require just as much familiarity with tool and protocol syntax.
To the non-technical readers of this article: the padlock you see in your browser DOES NOT mean the site you are accessing is secure, certified secure or guaranteed by anyone in any way. It says nothing about the security of the site's code, its server, or how it handles the data you send. It means only that the connection between your own PC and that site is encrypted at the time you submit your data, and that the site presented a certificate that a certificate authority issued for that hostname. A site with a vulnerable database behind a valid certificate is still a vulnerable site.