
I have been asked to provide information on available techniques for assessing our current, and any future, websites for security problems. The request is in the form of:

Do you know of any good free one that examines for security holes?

I think our data security is probably worth a small amount of upfront spend so any non-free methods would be appreciated too.

Our systems are a mishmash of MySQL, Oracle, SQL Server, PHP, ASP.NET etc. systems, though I guess that does not matter too much. All the systems are secured inasmuch as they are patched and the firewalls are set sensibly so outside people cannot get directly to the database boxes etc.

It is XSS and similar attacks that we wish to prevent.

What do YOU use to give you confidence in your systems? ');DROP TABLE answer;
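The two bug classes the question names, SQL injection (the `');DROP TABLE answer;` payload above) and XSS, are what every scanner and pen test mentioned in the answers is hunting for. The following is an added example, not code from the question's author or from any of the products discussed, that reproduces both against a throwaway SQLite database so the vulnerable and fixed forms can be run side by side. The table name `answer` is taken from the payload in the question; the column names, the sample row and the function names are hypothetical. `executescript()` is used in the vulnerable insert to stand in for a driver that allows stacked statements (the MySQL multi-statement setting, for instance); a plain `execute()` call in the `sqlite3` module refuses more than one statement, which would mask the bug rather than fix it.

```python
import html
import sqlite3

# Constructed sample data for this example: a throwaway in-memory table.
# The table name `answer` comes from the payload in the question; the
# columns and the sample row are made up.
SCHEMA = """
CREATE TABLE answer (id INTEGER PRIMARY KEY, author TEXT, body TEXT);
INSERT INTO answer (author, body) VALUES ('dove', 'owasp would be a good place to start.');
"""

# The injection payload from the question, with `--` appended so that the
# quote and parenthesis the application adds after it become a SQL comment.
SQLI_PAYLOAD = "');DROP TABLE answer;--"
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def add_answer_vulnerable(conn: sqlite3.Connection, author: str, body: str) -> None:
    """VULNERABLE: untrusted input is spliced into the SQL text.

    executescript() stands in for a driver configured to allow stacked
    statements, so the injected DROP TABLE really executes.
    """
    sql = f"INSERT INTO answer (author, body) VALUES ('{author}', '{body}');"
    conn.executescript(sql)


def add_answer_safe(conn: sqlite3.Connection, author: str, body: str) -> None:
    """FIXED: a parameterised query. SQL text and values travel separately,
    so the payload is stored as an ordinary string and nothing is dropped."""
    conn.execute("INSERT INTO answer (author, body) VALUES (?, ?)", (author, body))
    conn.commit()


def render_body_vulnerable(body: str) -> str:
    """VULNERABLE: stored text is echoed into the page unchanged (stored XSS)."""
    return f"<p>{body}</p>"


def render_body_safe(body: str) -> str:
    """FIXED: encode for the HTML text context at the point of output."""
    return f"<p>{html.escape(body, quote=True)}</p>"


def sqli_demo() -> dict:
    """Run the payload through both insert paths and report what survived."""
    vuln = fresh_db()
    add_answer_vulnerable(vuln, "guest", SQLI_PAYLOAD)

    safe = fresh_db()
    add_answer_safe(safe, "guest", SQLI_PAYLOAD)
    stored = safe.execute(
        "SELECT body FROM answer WHERE author = ?", ("guest",)
    ).fetchone()[0]
    return {
        "vulnerable_table_survives": table_exists(vuln, "answer"),
        "safe_table_survives": table_exists(safe, "answer"),
        "safe_stored_body": stored,
    }


def xss_demo() -> dict:
    """Render the script payload through both output paths."""
    return {
        "vulnerable": render_body_vulnerable(XSS_PAYLOAD),
        "safe": render_body_safe(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    print(sqli_demo())
    print(xss_demo())
```

Running it shows the `answer` table gone after the concatenated insert and intact after the parameterised one, with the payload stored verbatim; the escaped render turns `<script>` into `&lt;script&gt;`, which the browser displays rather than executes. Note that `html.escape` is only correct for the HTML text and attribute contexts; output landing inside JavaScript, a URL or CSS needs the encoder for that context.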

+1  A: 

OWASP would be a good place to start. There's too much to cover to include here.

dove
+1  A: 

If the security of your site is worth nothing to your company then that's what you should pay. For my company the security of our data and the brand image has quite a high value.

We pay a whole bunch of money for regular scans, we've trained the developers in basic hacking/security of applications, our code reviews include a security review, and now we're looking at AppScan from IBM (which is expensive but in the long run probably cheaper than all the pen testing we pay for).

You get what you pay for. Making sure you understand the OWASP issues would be a good start though.

adam straughan
My understatement was a bit too understated perhaps :D I of course agree with you, but I am not allowed anywhere near the purse strings.
Aidan
+1  A: 

Personally, I choose not to be confident in the security of our systems. I am convinced there is always something that I am missing and thus I keep looking for it.

What you seem to be looking for is something to make others feel confident (even if that confidence is an illusion). Penetration testing is probably the right choice for that. Depending upon the tool, it shows potential vulnerabilities in a nice report and then you can report how you mitigated them.

We use IBM AppScan and it is a good tool for this. As with any tester of this type you will find yourself following a lot of bad leads. Most of them are not false positives per se, more just things that might be an issue or appear to be, and you will have to investigate and determine if they actually are.

I would not put a lot of faith in this kind of testing. If your app scans clean it really does not mean your app is clean. That does not mean it is worthless, but don't make it out to be more than it is.

The next thing I would look into is static analysis tools in your various languages. A lot of these are free. Hand in hand with that is developer education. That is usually a pretty cheap solution to the issue, just making sure they understand what the risks are.

There is no silver bullet, no simple answer, you need to define security as an EVERYONE problem and make sure it is given both priority and commitment.

Flory
+1  A: 

Check out dotDefender - they've got versions for IIS/Apache/ISA. I use this app to protect against SQL injection/XSS/DDoS/probing/encoding attacks. No piece of software will ever be perfect, but in my case I run systems with sites being developed in .NET, PHP, and classic ASP, with some of our sites being new and others being 5+ years old.

http://www.applicure.com/?page=dotDefender

I do also have a company do penetration testing / social engineering every year or so as well, but with dotDefender I'm at least happy that I've got a baseline security blanket to protect my sites.

Of particular interest to me was that their app is fully x64 compatible - necessary since I'm using x64 web servers.

NewCom