Solved

Rapid7 NeXpose & Acunetix

Posted on 2010-09-01
3
1,366 Views
Last Modified: 2012-05-10
Hello

I have a questionnaire on my site that a college student would like to use in his project.

However the IT department of his college must first run a web application vulnerability assessment. I was told that the scan will not target operating system and/or network vulnerabilities, but rather potential vulnerabilities in the web application.

Either Rapid7 NeXpose or Acunetix will be used to perform the scan.

For Rapid7 NeXpose does anything have to be installed on my server? From what I can tell, with Acunetix nothing has to be installed on my server, the scan can be made from any computer.

Could there be a security risk for me when other people run these programs and check my site's applications, or do I only stand to gain if they inform me of possible vulnerabilities?

If these programs can be run by anybody, why do you think I was asked to give permission? Is it because I can find evidence that these programs have been run from my logs?

thanks for your help!
0
Comment
Question by:netplus21
  • 2
3 Comments
 
LVL 11

Accepted Solution

by:
slemmesmi earned 250 total points
ID: 33583969
Dear netplus21,

please let me try to answer your questions:

1. You do not need to install anything on your server (being the target of the penetration test/vulnerability can) in regards of the Rapid7 neXpose. You can see the detailed architecture of the product described on http://www.rapid7.com/products/technology/architecture.jsp

2. Yes there is definately a (security) risk with a vulnerability scan/penetration test. E.g. a such might test for the servers potential vulnerability towards DOS attacks, and ("inadvertently") cause a DOS. Also other types of test (trying to exploit potential vulnerabilities) may negatively impact the availability of your server. You must thus be 100% certain you have the approval from the Business Process Owner (if not the Board of Directors) as well as the internal IT security officer and auditors, that they are ok with the test to come, and accept the related potential risk. Hence you must ensure you in advance know exactly what the "test" does, and agree to the timeslots (begin/end) during which the test is done (so you know during that time there  is a risk, and you may see reports/alarms of some malicious behaviour). Frankly, as this is to be done by a "college student", I'd NOT let this happen towards any productive system, at the most towards a test system!

3. I believe you were asked to give permission for the reasons detailed in '2' above. Also you may have an issue with internal/external auditors in terms of justifying that the test really was a test and not  a real "attack".

Hope this helps.

Kind regards,
Soren
0
 
LVL 62

Assisted Solution

by:btan
btan earned 250 total points
ID: 33605705
Agreed with Soren, both the product do not need to install agent but note that depending on the exploit used, "agent" may be planted to perform leapfrog testing to other interconnected devices. Hence, advice is do it on staging server with the predetermined test cases then proceed with the production at a convenient time (off peak hours). If best, production server need not be "touched" if staging can already revealed lots of flaws. The baseline has to be set.

The less intrusive approach can be via whitebox tesing. See below related comments. have a clear objective and not over scope it as there are two part to it web server and the web appl that should be considered in the pentest. It is not the server solely

Normally penetration testing can be blackbox testing (without knowing the internal architecture) or whitebox testing (with prior knowledge of target architecture). The key is the scope of the pentest work to be covered need to be understood by both the "customer" and "tester". This is to resolve unnecessary disagreements during and after the test phases. Typically there can be a neutral party to oversee the testing is done in accordance to the agreement test specification scopes. The objective for this is to establish the baseline security posture for the site and give customer assurance of the risk being exposed. In short, threat assessment can be done (in paper) and verify through the testing mentioned above. Note that there is no 100% secure website - it is susceptible to multiple factor e.g. host server platform, web server, appl server, web appl, etc.

Proposed to include whitebox testing - review the code of the website using static code analyser. There are some open one in link  @ http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html

0
 
LVL 11

Expert Comment

by:slemmesmi
ID: 33626197
Dear netplus21,

did you get any further with the above, or do you need more from our side?

Kind regards,
Soren
0

Featured Post

Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

By this time the large percentage of day-to-day transactions have shifted to mobile banking; here are some overriding areas QAs must investigate while testing mobile banking apps.  
An overview of HIPAA and guidance on this topic that Experts Exchange members can offer.
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
A simple description of email encryption using a secure portal service. This is one of the choices offered by The Email Laundry for email encryption. The other choices are pdf encryption which creates an encrypted pdf of your email and any attachmen…

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now