how to make sure website is not vulnerable

bominthu
bominthu used Ask the Experts™
on
Hi Experts,

Could you let me know how can I make sure my website is not vulnerable?
I have seen some tool like Acunetix Web Vulnerability Scanner which can tell website is Vulnerable or not but recently one of my friend's website was attached by uploading shell example http://website.com/web/bla/bla/bla/hack.html.

"bla/bla/bla/hack.html " was added by hacker and when I checked his website using Acunetix Web Vulnerability Scanner and other tool I found, there is no alert or mentioned that his website is vulnerable.

Or the hacker might have used different method to attack? What method it could be ?

How can we make sure our website is not vulnerable ?

Thanks
Rgds
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
If every valid login to the wesite has a strong password, the most common "hack" nowadays is that the users PC got infested which then sent valid login information to the bad guys.  Another possibility is that one of the hosting company's PCs was compromised, giving the hackers access to (possibly) every account they host.
In either case, no vulnerability checker will catch the problem as it isn't at the hosting end.
It's not easy to help find a answer for your case. You really don't give very many details about the server. For instance.

Type of OS:
Web services:
Do you host the server yourself or is it rented from a hosting company?


Besides this. You cannot simply run a vulnerability scanner and expect it to detect all instances that are vulnerable. This simple does not exist. You need to be security conscious about what you are running and if you are developing a coded website like .NET, PHP, PERL, and other languages. You need to be aware of security risks involved in what you place forwards towards the www.
btanExec Consultant
Distinguished Expert 2018

Commented:
Don't think we can achieve non vulnerable website but moving towards a more secure website can be do-able. Start with code development which is the inclusion of secure coding and static code analysis to surface weakness from the sans. top 25 and owasp top 10th to kill off low hanging fruits.

Next go for penetration and vulnerability scanning as suggested, will not good to be reliant on only one tools. Some of the better one don't come free, e.g. whitehat sentinet, appscan, qualysguard  etc. There is some benchmarks on thone scanner done.

Layered defense with web application firewall and host based integrity protection like mod security, ossec,  commercial one like F5 asm, tripwire..

Typically in this few defense you would already surface out the weakness. But do not be complacent and maintain a regular check and policy refresh as it can be just zero day like flaw in web server or web application not known yet. Dependencies reveal the risk exposure...work with your security team if any on the regular check
btanExec Consultant
Distinguished Expert 2018

Commented:
Technical Designer
Commented:
sucuri. net is another website which I would recommend to scan the website for any kind of hack, shell, vulnerability or virus.

Further you could use Metasploit Community Edition (Free) and NeXpose Community Edition (Free) for the Vulnerability scanning of the system and web.

Metasploit Community Edition
http://www.metasploit.com/download

NeXpose Community Edition
http://www.rapid7.com/vulnerability-scanner.jsp

Sudeep

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial