Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Rapid7 NeXpose & Acunetix

Posted on 2010-09-01
3
Medium Priority
?
1,472 Views
Last Modified: 2012-05-10
Hello

I have a questionnaire on my site that a college student would like to use in his project.

However the IT department of his college must first run a web application vulnerability assessment. I was told that the scan will not target operating system and/or network vulnerabilities, but rather potential vulnerabilities in the web application.

Either Rapid7 NeXpose or Acunetix will be used to perform the scan.

For Rapid7 NeXpose does anything have to be installed on my server? From what I can tell, with Acunetix nothing has to be installed on my server, the scan can be made from any computer.

Could there be a security risk for me when other people run these programs and check my site's applications, or do I only stand to gain if they inform me of possible vulnerabilities?

If these programs can be run by anybody, why do you think I was asked to give permission? Is it because I can find evidence that these programs have been run from my logs?

thanks for your help!
0
Comment
Question by:netplus21
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 11

Accepted Solution

by:
slemmesmi earned 1000 total points
ID: 33583969
Dear netplus21,

please let me try to answer your questions:

1. You do not need to install anything on your server (being the target of the penetration test/vulnerability can) in regards of the Rapid7 neXpose. You can see the detailed architecture of the product described on http://www.rapid7.com/products/technology/architecture.jsp

2. Yes there is definately a (security) risk with a vulnerability scan/penetration test. E.g. a such might test for the servers potential vulnerability towards DOS attacks, and ("inadvertently") cause a DOS. Also other types of test (trying to exploit potential vulnerabilities) may negatively impact the availability of your server. You must thus be 100% certain you have the approval from the Business Process Owner (if not the Board of Directors) as well as the internal IT security officer and auditors, that they are ok with the test to come, and accept the related potential risk. Hence you must ensure you in advance know exactly what the "test" does, and agree to the timeslots (begin/end) during which the test is done (so you know during that time there  is a risk, and you may see reports/alarms of some malicious behaviour). Frankly, as this is to be done by a "college student", I'd NOT let this happen towards any productive system, at the most towards a test system!

3. I believe you were asked to give permission for the reasons detailed in '2' above. Also you may have an issue with internal/external auditors in terms of justifying that the test really was a test and not  a real "attack".

Hope this helps.

Kind regards,
Soren
0
 
LVL 64

Assisted Solution

by:btan
btan earned 1000 total points
ID: 33605705
Agreed with Soren, both the product do not need to install agent but note that depending on the exploit used, "agent" may be planted to perform leapfrog testing to other interconnected devices. Hence, advice is do it on staging server with the predetermined test cases then proceed with the production at a convenient time (off peak hours). If best, production server need not be "touched" if staging can already revealed lots of flaws. The baseline has to be set.

The less intrusive approach can be via whitebox tesing. See below related comments. have a clear objective and not over scope it as there are two part to it web server and the web appl that should be considered in the pentest. It is not the server solely

Normally penetration testing can be blackbox testing (without knowing the internal architecture) or whitebox testing (with prior knowledge of target architecture). The key is the scope of the pentest work to be covered need to be understood by both the "customer" and "tester". This is to resolve unnecessary disagreements during and after the test phases. Typically there can be a neutral party to oversee the testing is done in accordance to the agreement test specification scopes. The objective for this is to establish the baseline security posture for the site and give customer assurance of the risk being exposed. In short, threat assessment can be done (in paper) and verify through the testing mentioned above. Note that there is no 100% secure website - it is susceptible to multiple factor e.g. host server platform, web server, appl server, web appl, etc.

Proposed to include whitebox testing - review the code of the website using static code analyser. There are some open one in link  @ http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html

0
 
LVL 11

Expert Comment

by:slemmesmi
ID: 33626197
Dear netplus21,

did you get any further with the above, or do you need more from our side?

Kind regards,
Soren
0

Featured Post

Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Check out the latest tech news, community articles, and expert highlights in August's newsletter.
IF you are either unfamiliar with rootkits, or want to know more about them, read on ....
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question