anishpeter (India) asked:

configuration / security issues of Websites

Hi,

I am facing an interesting issue. In my enterprise, I am responsible for Network Security - Firewalls, IPS, HIPS, Proxy etc. Suppose some web site is built in Sharepoint or ASP and has development issues: not having input parameter validation, credentials stored in clear text, permissions not assigned properly for pages that need not be served to anonymous users. This can happen mainly because developers look at the functionality of the application, and do not carefully consider how to secure it.

My problem is who should be responsible for this at the policy level - the application developer or the network security team? Can I prevent these issues with Network IPS or Host IPS running on the web servers?

What are the actual solutions for these types of issues?

I would appreciate your thoughts.
Sandy (India):

First responsibility is to get the VAPT report for every site to understand what all the vulnerabilities are there. Only then can you work out something.

I suggest trying Metasploit and Nexpose for free VAPT reports.

Give it a try.
anishpeter (asker):

Hello Sandeep,
I understand it is the quick start. What is VAPT? Is it safe to do it with Metasploit/Nexpose? Which one is suitable for me since I can't determine which tests are safe/unsafe?
Please try to fill in a thought for the rest of my case.
VAPT is Vulnerability Assessment and Penetration Testing!!!

Metasploit with Nexpose is a great tool to get such reports.

But I checked the Rapid 7 website, and found the free edition does not have web application testing.
Please try to answer the rest of my scenario.

Install Metasploit, then download Nexpose from the web. Now you need to configure the Nexpose shell within Metasploit.
David Johnson, CD:

Ok. Now the problem is who can be responsible for this - Application developer or Network Security? Can I prevent these issues with Network IPS or Host IPS running on web servers?
Actual solution for this type of issue?

The ultimate responsibility is Network Security. The App dev is responsible to code the app properly; before this app can be placed into production the network security team will test it and either accept it or reject it. After it gets sent back a few times the app dev will get the idea or be replaced.

Hello ve3ofa,
This means the web developer is not at all responsible for placing credentials in plain text format in ASP pages? Not setting proper permissions in IIS? Or parameter validation not being enabled for an input for uploading photos in a page, accepting scripts?
But the network security team in the organisation is responsible for firewalls, IPS, proxy and network-level access security. How are they able to find the issues of the code/web/application?
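The three defects the asker lists (an upload input that accepts anything, a page served to anonymous users because IIS permissions were never set, and credentials written into the page) are all fixed in code and configuration, not at the firewall. The following handler is an added example, not code from this thread or from any product mentioned in it; it shows what the hardened form of that photo-upload page looks like in classic ASP.NET (System.Web). The form field name "photo", the "UploadDir" app setting, the "PhotosDb" connection string and the "Photos" table are hypothetical names assumed to be defined in web.config and the database.

```csharp
// Added example (not from the thread): a hardened ASP.NET photo-upload handler.
// Assumed, hypothetical names: form field "photo", appSetting "UploadDir",
// connection string "PhotosDb" and table "Photos", all defined in web.config / the DB.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.IO;
using System.Web;

public class PhotoUploadHandler : IHttpHandler
{
    // Allowed extensions mapped to the leading bytes a genuine file of that type starts with.
    private static readonly Dictionary<string, byte[]> Allowed =
        new Dictionary<string, byte[]>(StringComparer.OrdinalIgnoreCase)
        {
            { ".jpg",  new byte[] { 0xFF, 0xD8, 0xFF } },
            { ".jpeg", new byte[] { 0xFF, 0xD8, 0xFF } },
            { ".png",  new byte[] { 0x89, 0x50, 0x4E, 0x47 } },
        };

    private const int MaxBytes = 5 * 1024 * 1024; // hypothetical size limit

    public bool IsReusable { get { return false; } }

    public void ProcessRequest(HttpContext context)
    {
        // Enforce authentication in code as well as in web.config, so a
        // permissions slip in IIS does not expose this page to anonymous users.
        if (context.User == null || !context.User.Identity.IsAuthenticated)
        {
            Reject(context, 401);
            return;
        }

        HttpPostedFile file = context.Request.Files["photo"];
        if (file == null || file.ContentLength <= 0 || file.ContentLength > MaxBytes)
        {
            Reject(context, 400);
            return;
        }

        // Extension allow-list; the client-supplied ContentType header is not trusted.
        string ext = Path.GetExtension(file.FileName);
        byte[] magic;
        if (string.IsNullOrEmpty(ext) || !Allowed.TryGetValue(ext, out magic))
        {
            Reject(context, 400);
            return;
        }

        // The file header must match the claimed type, so a script renamed to .jpg fails here.
        if (!HeaderMatches(file.InputStream, magic))
        {
            Reject(context, 400);
            return;
        }

        // Never reuse the client's file name on disk: generate one, and store the file
        // outside the web root so nothing uploaded can ever be executed by IIS.
        string storedName = Guid.NewGuid().ToString("N") + ext.ToLowerInvariant();
        string uploadDir = ConfigurationManager.AppSettings["UploadDir"];
        file.SaveAs(Path.Combine(uploadDir, storedName));

        // Credentials come from the connectionStrings section of web.config (which can be
        // encrypted at rest with aspnet_regiis -pe), never from a literal in the page.
        string connectionString =
            ConfigurationManager.ConnectionStrings["PhotosDb"].ConnectionString;
        RecordUpload(connectionString, context.User.Identity.Name, storedName);

        context.Response.StatusCode = 201;
    }

    private static bool HeaderMatches(Stream stream, byte[] magic)
    {
        byte[] head = new byte[magic.Length];
        int read = stream.Read(head, 0, head.Length);
        stream.Position = 0; // rewind so SaveAs still writes the whole file
        if (read != magic.Length) return false;
        for (int i = 0; i < magic.Length; i++)
            if (head[i] != magic[i]) return false;
        return true;
    }

    private static void Reject(HttpContext context, int status)
    {
        context.Response.StatusCode = status;
        context.Response.SuppressContent = true;
    }

    // Parameterised insert: the stored name and user name never become part of the SQL text.
    private static void RecordUpload(string connectionString, string user, string storedName)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(
            "INSERT INTO Photos (Owner, StoredName) VALUES (@owner, @name)", conn))
        {
            cmd.Parameters.AddWithValue("@owner", user);
            cmd.Parameters.AddWithValue("@name", storedName);
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```

The in-code authentication check is a backstop, not a replacement for configuration: the folder holding such pages should also carry a `<location>` element in web.config with `<authorization><deny users="?" /></authorization>`, which is what the asker's "permissions for pages that need not be served to anonymous users" maps to in IIS/ASP.NET. A network IPS sees none of these controls; a VAPT report or a code review does, which is why the responsibility question in this thread lands with the developer for the fix and with the security team for the gate.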
SOLUTION by tigermatt (United Kingdom)
Hello Matt,
I completely agree with the comments, and nowadays developers are not much considering adhering to simple security practices; they rather concentrate on the functional part.
Here the main problem is of accountability, not of responsibility. Sometimes the CIO wants to distribute the accountability also to engineer level, who already have responsibility for the system. I can understand it is not a good practice, but it is happening.. thoughts..
All the concerns addressed.