bominthu
asked on
how to make sure website is not vulnerable
Hi Experts,
Could you let me know how I can make sure my website is not vulnerable?
I have seen some tools like Acunetix Web Vulnerability Scanner which can tell whether a website is vulnerable or not, but recently one of my friend's websites was attacked by uploading a shell, for example http://website.com/web/bla/bla/bla/hack.html.
"bla/bla/bla/hack.html" was added by the hacker, and when I checked his website using Acunetix Web Vulnerability Scanner and other tools I found there was no alert or mention that his website is vulnerable.
Or might the hacker have used a different method to attack? What method could it be?
How can we make sure our website is not vulnerable?
Thanks
Rgds
It's not easy to help find an answer for your case. You really don't give very many details about the server. For instance:
Type of OS:
Web services:
Do you host the server yourself or is it rented from a hosting company?
Besides this, you cannot simply run a vulnerability scanner and expect it to detect all instances that are vulnerable. This simply does not exist. You need to be security conscious about what you are running, and if you are developing a coded website in .NET, PHP, Perl or other languages, you need to be aware of the security risks involved in what you put forward towards the WWW.
I don't think we can achieve a non-vulnerable website, but moving towards a more secure website is doable. Start with code development, which means including secure coding and static code analysis to surface weaknesses from the SANS Top 25 and OWASP Top 10 to kill off the low-hanging fruit.
Next go for penetration testing and vulnerability scanning as suggested; it will not be good to be reliant on only one tool. Some of the better ones don't come free, e.g. WhiteHat Sentinel, AppScan, QualysGuard etc. There are some benchmarks done on those scanners.
Layered defense with a web application firewall and host-based integrity protection like ModSecurity, OSSEC, or commercial ones like F5 ASM, Tripwire...
Typically with these few defenses you would already surface the weaknesses. But do not be complacent; maintain a regular check and policy refresh, as it can be just a zero-day-like flaw in the web server or web application not known yet. Dependencies reveal the risk exposure... work with your security team, if any, on the regular check.
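The host-based integrity protection mentioned in the answer above (what OSSEC or Tripwire do at a much larger scale) comes down to a baseline-and-compare loop: hash every file under the web root while the site is known-good, then re-hash later and report what appeared, changed or vanished. The script below is an added example written for this thread; it is not code from the thread, from Acunetix, or from OSSEC/Tripwire. The directory names, file contents and the planted `web/bla/bla/bla/hack.html` are constructed to mirror the questioner's scenario, and `demo()` runs the whole cycle in a temporary directory so it works offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large assets are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(webroot: Path) -> dict:
    """Map every regular file under webroot (relative POSIX path) to its SHA-256.
    Symlinks are skipped so a link pointing outside the web root is not hashed."""
    baseline = {}
    for p in sorted(webroot.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[p.relative_to(webroot).as_posix()] = hash_file(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots: files that appeared, changed, or vanished since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"added": added, "modified": modified, "removed": removed}


def save_baseline(baseline: dict, out: Path) -> None:
    # The baseline must live outside the web root (ideally off-host), otherwise
    # whoever can write hack.html can rewrite the baseline too.
    out.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: a clean site, then a page dropped deep under /web/ and a defaced index."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"          # constructed web root
        (root / "web").mkdir(parents=True)
        (root / "index.html").write_text("<h1>Welcome</h1>\n")
        (root / "web" / "about.html").write_text("<p>About us</p>\n")

        baseline_file = Path(tmp) / "baseline.json"   # stored outside htdocs
        save_baseline(build_baseline(root), baseline_file)   # taken while the site is known-good

        # Simulated compromise, constructed for the example: an unexpected file appears
        # under web/bla/bla/bla/ and index.html is altered.
        dropped = root / "web" / "bla" / "bla" / "bla"
        dropped.mkdir(parents=True)
        (dropped / "hack.html").write_text("<!-- constructed placeholder -->\n")
        (root / "index.html").write_text("<h1>Welcome</h1><!-- defaced -->\n")

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report from `demo()` lists `web/bla/bla/bla/hack.html` under `added` and `index.html` under `modified`, which is exactly the signal the questioner's external scanner could not produce: a black-box scanner probes for known weaknesses from outside, while an integrity check tells you the contents of the server actually changed. In a real deployment the baseline is regenerated after every legitimate deploy, kept where the web server account cannot write it, and the compare step runs from cron with its output sent somewhere an attacker on the host cannot suppress.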
Here is one link to the benchmark for web scanners:
http://sectooladdict.blogspot.com/2010/12/web-application-scanner-benchmark.html?m=1
In either case, no vulnerability checker will catch the problem as it isn't at the hosting end.