In this interview, Nicholas Sciberras, Product Manager at Acunetix, illustrates why website security should be a priority in any organization. He talks about the challenges involved in auditing website security, illustrates the pros and cons of using remote vs. in-house security testing, and more.
What are the most significant challenges involved in auditing website security today?
The challenges that an organization faces when auditing the security of their website are significant to say the least.
To start off with, it is a tough job trying to find the right people for the job. Web security requires a different set of skills. While there are many who claim that they are proficient in IT Security, they are often only referring to network security, which is a different kind of beast.
A web security auditor needs to keep himself up-to-date with the new web technologies, including updates to HTML, PHP and .NET, new web components that ease development, such as Node.js, updates to CMS and blogging software including WordPress, Drupal and Joomla, and updates to the web servers hosting the web applications.
While new web technology updates are always welcome, since they generally bring in new functionality and ease the development work, they often also include a new set of web threats. In addition to that, vulnerabilities are also often found within the existing components. Heartbleed is a very good recent example since it describes both scenarios. The bug was introduced as part of an update in OpenSSL, a library that was used in two-thirds of all web servers and had been providing SSL functionality since 1998.
In addition, keeping up with and conforming to the various compliance regulations is a very demanding task. Apart from the fact that compliance documents are often written using legal jargon, which can be open to interpretation, they are often seen as promising more benefits than they can actually deliver. Various large, compliant corporations have had their site hacked too, leaving one to contemplate the regulations’ effectiveness.
Finally, website security should ideally be part of the design of the site; however, this rarely happens. Since most of the development work focuses on implementing ‘cool’ features, there is generally little time and budget left to secure the site before going live. There is always going to be a compromise between functionality and security, and unfortunately, a trendy site often takes precedence over a secure one.
What are the pros and cons of using remote vs. in-house security testing?
Remote ostensibly allows one to offload the responsibility and liability to third parties to some extent, but does it really? A business is always liable to its customers anyhow. It does however benefit from the expertise of the service provider, which is difficult to match in-house, especially for SMBs.
In-house requires building up in-house capability with its inherent costs, but is it the best way to go? In-house security testing is usually a more active approach and therefore allows a better understanding of the company’s infrastructure.
Generally speaking, hosted security testing solutions are easier to use and require the web application to be accessible from the internet. On the other hand, on-premise solutions provide more control over the security testing parameters and are more flexible on the location of the test environment.
When it comes to security testing, how deep does the rabbit hole go? Should organizations just make sure they’re compliant or does it pay to cover all bases?
Definitely try to cover all the bases! The amount of testing depends on the value of the assets to be secured. Since the company’s website is what drives the business, website downtime can be quite costly; not to mention the loss of face of having your site hacked, which often results in customer data being exposed or stolen.
In general, being compliant should be seen as the baseline rather than the ultimate goal. Compliance is like getting a C grade in an exam. After all, compliance does not provide insurance against losses resulting from a hack.
What are the benefits of using Acunetix Vulnerability Scanner?
Acunetix, a pioneer in automated web application security scanning, employs the industry’s fastest state-of-the-art crawling technology and in-depth methods for the detection of vulnerabilities including DOM-based XSS and Blind SQL injection.
Additional security testing can be done using the security tools included with Acunetix Web Vulnerability Scanner, which include the HTTP Editor, HTTP Fuzzer, HTTP Sniffer and the Blind SQL Injector. These tools come in handy when further analysis is required. Acunetix makes it easy to move vulnerability data from the scan results to the tools mentioned.
A full set of reports, including compliance reports, can be generated after each scan. The Executive report gives a good overview of the security of the website, while the development report provides information required to find the bug causing the vulnerability in the code, as well as how to fix it.
Earlier this year, Acunetix launched an online version of their vulnerability scanner, providing the power of their renowned scanner in an easy-to-use solution. Acunetix Online Vulnerability Scanner can be used to scan websites and other servers that are running on the perimeter of the company’s network.
Where do you see the current Web application security threats 5 years from now? What kind of evolution do you expect?
Big Data exponents claim it will get better by 2020 because there will be more intelligence on what constitutes fraud. Our take is that detecting fraud is a matter of closing the stable door after the horse has fled. We believe that it will only get worse as more and more information is stored in the Cloud, and therefore with the sheer complexity and the vast number of attack surfaces suddenly emerging for hackers to attack. There is the Internet of Things, smart meters, smart white goods, and then there’s all the mobile app activity.
We are seeing a fragmentation of technologies and architectures that strengthens the argument in favor of black box scanning of the web fronts of the core data repositories, as white box scanning is going to become ever more expensive going forward. It is a challenge that we have to keep up with.