Solved

I need a security audit report whether the system is tamper-proof.

Posted on 2006-06-20
Medium Priority
543 Views
Last Modified: 2010-04-11
The website is www.2bid.com.au and I am writing a report to outline how secure the website on the server is. Can anyone point me in the right direction to get a report complete, or conduct the tests themselves?

Thanks
0
Question by: Adamylo
5 Comments
 
LVL 5

Accepted Solution

by: kevinf40 earned 1000 total points
ID: 16949804
Depending on the level of confidence you require there are several options -

Employ a professional pen test company to test the site and audit the code.

Use various open source tools such as metasploit, wikto, nikto etc. to test the site.
Use paid-for tools such as core impact, ISS internet scanner, GFI Languard etc. to test the site.

I would definitely advise a code review.

Also both privileged and non-privileged scans should be undertaken - e.g.
scan the O/S, apps, and site internally with a root / admin level account - this will provide full details of patch levels, running services, and configuration of the server and web server etc. - allowing remediation of any issues such as patching, correctly hardening the web server etc.
then
scan the site as an external user - e.g. through the firewall where you can only see a couple of ports and don't have admin level access (initially at least... ;)  )

This is a non-trivial task to perform correctly, and ideally should have been performed before the site went live.

cheers

Kevin
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16954506
I would use Nessus.

http://www.nessus.org/download/

This is a free tool and can scan with the latest vulnerabilities.

0
 
LVL 38

Assisted Solution

by: Rich Rumble earned 1000 total points
ID: 16954643
There are some things right off I'd change... However this is a very public site and this sort of activity isn't condoned by the EE EULA. If we did publish our findings, someone may come across them and use them to their advantage.

There is no real exploit for this, but if it were me, I'd keep folders from being browsable by anyone other than the webserver, not that the two folders below "img" are.. but the img directory can be made this way as well. There are tools out there for this, nessus, gfi languard security scanner and many others. You should hire a consultant or a web developer with a reputation in security, web security. http://www.2bid.com.au/themes/2bid/img/

This data should not be returned on those other directories; you should have the webserver issue a 404 or similar error, access denied is always good.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
</body>
</html>

You also cannot hire or attempt to solicit EE members. There are a number of books on the topic as well.
-rich
0
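The directory-browsing point in the comment above, as an added example that is not from the original thread or from the 2bid site: an Apache httpd 2.4 configuration showing the weak setting (generated listings enabled) beside the hardened one, which answers listing attempts with 403 and, optionally, answers requests for folders that have no index file with 404 so they look the same as missing paths. The document root, the theme asset path and the index file names are assumed.

```apache
# Weak: directory indexing is on, so a request for a folder that has no
# index file returns a generated listing of everything in it.
<Directory "/var/www/example/htdocs">          # assumed document root
    Options +Indexes +FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Hardened: no generated listings. A folder request with no index file
# now gets 403 from mod_autoindex being disabled (-Indexes) instead of a
# file list. The rewrite block turns that 403 into a 404 so an outside
# viewer cannot tell "folder exists but is forbidden" from "nothing here".
<Directory "/var/www/example/htdocs">          # assumed document root
    Options -Indexes +FollowSymLinks           # FollowSymLinks is needed for per-directory rewriting
    AllowOverride None
    Require all granted
    DirectoryIndex index.html index.php        # assumed index file names

    RewriteEngine On
    # If the mapped path is a directory and none of the index files exist,
    # stop rewriting and answer 404 (R=<non-3xx> drops the substitution and
    # sends that status).
    RewriteCond %{REQUEST_FILENAME} -d
    RewriteCond %{REQUEST_FILENAME}/index.html !-f
    RewriteCond %{REQUEST_FILENAME}/index.php  !-f
    RewriteRule ^ - [R=404,L]
</Directory>

# Asset folders such as themes/<theme>/img/ should serve files but never a
# listing. Repeating -Indexes here keeps them covered even if the global
# Options line is changed carelessly later.
<Directory "/var/www/example/htdocs/themes">   # assumed asset path
    Options -Indexes
</Directory>
```

After reloading httpd, verify from outside the firewall that a folder URL with no index file now returns 404 (or 403 without the rewrite block) rather than a page that lists file names, and log those responses so repeated requests for such folders show up in review.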
