Solved

I need a security audit report whether the system is tamper-proof.

Posted on 2006-06-20
5
520 Views
Last Modified: 2010-04-11
I need a security audit report whether the system is tamper-proof.

The website is www.2bid.com.au and I am writing a report to outline how secure the website on the server is. Can anyone point me in the right direction to get a report complete, or conduct the tests themselves?

Thanks
0
Comment
Question by:Adamylo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 5

Accepted Solution

by:
kevinf40 earned 250 total points
ID: 16949804
Depending on the level of confidence you require there are several options -

Employ a professional pen test company to test the site and audit the code.

Use various open source tools such as metasploit, wikto, nikto etc to test the site.
Use paid for tools such as core impact, ISS internet scanner, GFI Languard etc to test the site

I would definitely advise a code review.

Also both privileged and non - privileged scans should be undertaken - e.g.
scan the O/S, apps, and site internally with a root / admin  level account - this will provide full details of patch levels, running services, and configuration of the server and web server etc - allowing remediation of any issues such as patching, correctly hardening the web server etc
then
scan the site as an external user - e.g. thought the firewall where you can only see a couple of ports and don't have admin level access (initially at least... ;)  )

This is a non trivial task to perform correctly, and ideally should have been performed before the site went live.

cheers

Kevin
0
 
LVL 13

Expert Comment

by:prashsax
ID: 16954506
I would use Nessus.

http://www.nessus.org/download/

This is a free tool and can scan with latest vulnerabilities .






0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 250 total points
ID: 16954643
There are some things right off I'd change... However this is a very public site and this sort of activity isn't condoned by the EE EULA. If we did publish our findings, someone may come across them and use them to their advantage.

There is no real exploit for this, but if it were me, I'd keep folders from being browsable by anyone other than the webserver, not that the two folders below "img" are.. but the img directory can be made this way as well. There are tools out there for this, nessus, gfi languard security scanner and many others. you should hire a consultant or a web developer with a reputation in security, web security. http://www.2bid.com.au/themes/2bid/img/ 

This data should not be returned on those other dir's, you should have the webserver issue a 404 or similar error, access denied is always good.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Untitled Document</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
</body>
</html

You also cannot hire or attempt to solicit EE members. There are a number of books on the topic as well.
-rich
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Master-Master-Slave BIND setup 2 75
Unable to get rid of Trojans in Windows 7 19 144
Web Site Administration Tool - Security Questions 2 35
Developers / Staff Setup 10 40
Most MSPs worth their salt are already offering cybersecurity to their customers. But cybersecurity as a service is wide encompassing and can mean many things.  So where are MSPs falling in this spectrum?
Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question