Solved

Rapid7 NeXpose & Acunetix

Posted on 2010-09-01
3
1,391 Views
Last Modified: 2012-05-10
Hello

I have a questionnaire on my site that a college student would like to use in his project.

However the IT department of his college must first run a web application vulnerability assessment. I was told that the scan will not target operating system and/or network vulnerabilities, but rather potential vulnerabilities in the web application.

Either Rapid7 NeXpose or Acunetix will be used to perform the scan.

For Rapid7 NeXpose does anything have to be installed on my server? From what I can tell, with Acunetix nothing has to be installed on my server, the scan can be made from any computer.

Could there be a security risk for me when other people run these programs and check my site's applications, or do I only stand to gain if they inform me of possible vulnerabilities?

If these programs can be run by anybody, why do you think I was asked to give permission? Is it because I can find evidence that these programs have been run from my logs?

thanks for your help!
0
Comment
Question by:netplus21
  • 2
3 Comments
 
LVL 11

Accepted Solution

by:
slemmesmi earned 250 total points
ID: 33583969
Dear netplus21,

please let me try to answer your questions:

1. You do not need to install anything on your server (being the target of the penetration test/vulnerability can) in regards of the Rapid7 neXpose. You can see the detailed architecture of the product described on http://www.rapid7.com/products/technology/architecture.jsp

2. Yes there is definately a (security) risk with a vulnerability scan/penetration test. E.g. a such might test for the servers potential vulnerability towards DOS attacks, and ("inadvertently") cause a DOS. Also other types of test (trying to exploit potential vulnerabilities) may negatively impact the availability of your server. You must thus be 100% certain you have the approval from the Business Process Owner (if not the Board of Directors) as well as the internal IT security officer and auditors, that they are ok with the test to come, and accept the related potential risk. Hence you must ensure you in advance know exactly what the "test" does, and agree to the timeslots (begin/end) during which the test is done (so you know during that time there  is a risk, and you may see reports/alarms of some malicious behaviour). Frankly, as this is to be done by a "college student", I'd NOT let this happen towards any productive system, at the most towards a test system!

3. I believe you were asked to give permission for the reasons detailed in '2' above. Also you may have an issue with internal/external auditors in terms of justifying that the test really was a test and not  a real "attack".

Hope this helps.

Kind regards,
Soren
0
 
LVL 63

Assisted Solution

by:btan
btan earned 250 total points
ID: 33605705
Agreed with Soren, both the product do not need to install agent but note that depending on the exploit used, "agent" may be planted to perform leapfrog testing to other interconnected devices. Hence, advice is do it on staging server with the predetermined test cases then proceed with the production at a convenient time (off peak hours). If best, production server need not be "touched" if staging can already revealed lots of flaws. The baseline has to be set.

The less intrusive approach can be via whitebox tesing. See below related comments. have a clear objective and not over scope it as there are two part to it web server and the web appl that should be considered in the pentest. It is not the server solely

Normally penetration testing can be blackbox testing (without knowing the internal architecture) or whitebox testing (with prior knowledge of target architecture). The key is the scope of the pentest work to be covered need to be understood by both the "customer" and "tester". This is to resolve unnecessary disagreements during and after the test phases. Typically there can be a neutral party to oversee the testing is done in accordance to the agreement test specification scopes. The objective for this is to establish the baseline security posture for the site and give customer assurance of the risk being exposed. In short, threat assessment can be done (in paper) and verify through the testing mentioned above. Note that there is no 100% secure website - it is susceptible to multiple factor e.g. host server platform, web server, appl server, web appl, etc.

Proposed to include whitebox testing - review the code of the website using static code analyser. There are some open one in link  @ http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html

0
 
LVL 11

Expert Comment

by:slemmesmi
ID: 33626197
Dear netplus21,

did you get any further with the above, or do you need more from our side?

Kind regards,
Soren
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

One of the biggest threats in the cyber realm pertains to advanced persistent threats (APTs). This paper is a compare and contrast of Russian and Chinese APT's.
February 24, 2017 — On February 23, Travis Ormandy, a vulnerability researcher at Google, reported on Twitter (https://twitter.com/taviso/status/834900838837411840) that massive stores of data have been leaked by CloudFlare, a company that provide…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question