In this white paper we explain in detail how to do a complete website security audit and focus on using the right approach and tools.  We describe the whole process of securing a website in an easy to read step by step format; what needs to be done prior to launching an automated website vulnerability scan up till the manual penetration testing phase.

Click here to read the whitepaper A complete guide to securing a website.

As a matter of fact, while evaluating some leading web application firewalls, they also released 3 web application firewall advisories:

• Artofdefence Hyperguard Web Application Firewal (Remote Denial of Service)
• phion airlock Web Application Firewall (Remote Denial of Service via Management Interface (unauthenticated) and Command Execution
• radware AppWall Web Application Firewall (Source code disclosure on management interface)

Some facts about WAF’s, which anyone considering of buying a WAF instead of securing his web application should read(quotes from the white paper’s conclusion):

1. the additional layer of defense (WAF) is partly porous and does not replace the secure development and operation of web applications.
2. It also must not be overseen that a web application firewall is an additional device that is placed between the client and the web server and is therefore an additional device that can have influence on the availability of the overall system.
3. It is also an additional system that can have vulnerabilities or other forms of implementation flaws and requires regular maintenance.
4. Additionally it has been shown that web application firewalls can also be the target of successful attacks (cross-site scripting flaws, cross-site request forgery, denial of service, command execution, etc.)
5. When defining rules for a specific web application or modifying the standard Ruleset it is very important to test the whole web application and all provided functions for their correct functionality.  This can for example be done using automated testing frameworks. In the course of the project often certain functionalities of the web applications used for testing have been rendered unfunctional because of predefined rules of the web application firewalls. As unexpected side effects like this can occur with every change of the rules or the web application itself, comprehensive testing is necessary.

Click here to read eval($WAF); whitepaper.

Though, the more functionality provided to the end user, the greater is the risk of having a vulnerable web application and the chance that such functionality will be abused from malicious users, to gain access to a specific website, or to compromise a server is very high.

The following white paper, talks about a number of common security issues and vulnerabilities encountered while auditing file upload forms in several well known web applications.  It also explains how to build secure file upload forms.

You can read this whitepaper from here

Thanks to this innovative technology there are many advantages and many more vulnerabilities can now be found which with a typical black box scanner approach cannot be found. Another main advantage of using such technology is that when reporting a found vunlerability, the report provides more debug information such as the stack trace, the line where the source code leads to the found vulnerability and much more. 

This helps developers and pen testers solve the found vulnerabilities in a shorter time and helps them understand more what lead to the reported vulnerability.  This also is a mean to train developers to write more secure code in future web applications.

You can read this whitepaper here

Click here to read the Web Services – The technology and its security concerns whitepaper.

London, UK – May 30, 2007 – Businesses that rely on payment by credit cards are required to comply with the PCI security standards by September 2007. Non compliance could result in loss of merchant account, severe fines and lawsuits. In view of these new regulations, Acunetix has published a PCI Compliance Guide to help companies understand the concept behind the Payment Card Industry as well as documenting the steps needed to reach compliance.

PCI Compliance at a glance
PCI Compliance  is a structured security checklist which aims at securing financial data, and helps to distinguish the secure and reliable businesses from the risky ones. The Payment Card Industry Data Security Standard was created in a joint effort by the major credit card companies: American Express, Visa, MasterCard and Discover to monitor and develop the PCI standard. Consumers who use credit/debit cards online to purchase products or services risk suffering financial losses when businesses process their transactions through systems which are not secure. The PCI standard aims to stop the cause of online financial and identity theft from its source by ensuring the systems which process and store customer details are secure.

The Compliance Regulations
The PCI compliance specification describes a set of requirements which participating businesses must observe to ensure that correct measures are taken to secure all data, both internal and externally exposed. The Acunetix PCI Compliance Guide describes the following categories in detail:

1. Secure Network Design and Maintenance
2. Cardholder Data Protection
3. Vulnerability Management Program Maintenance
4. Strong Access Control Measures Implementation
5. Regular Network Testing and Monitoring
6. Information Security Policy Maintenance

Security Assessment Tools
All businesses which apply the PCI compliance procedure must use the services of approved companies to perform compliance security scans. The results of these scans are issued in detailed compliance reports which are then used for approval by the specific card company requirements. The PCI Compliance specification is more than just a rule-set to which organizations must abide. It is also a guideline which provides a method to trace and secure all the potential security flaws which might be exploited. Detecting these potential exploits is made easier by using tools such as web vulnerability scanners and network scanners.

The PCI Compliance Guide is available at: http://www.acunetix.com/websitesecurity/PCI-Compliance.pdf

About Acunetix Web Vulnerability Scanner
Acunetix Web Vulnerability Scanner ensures website security by automatically checking for SQL injection, Cross site scripting and other vulnerabilities. It checks password strength on authentication pages and automatically audits shopping carts, forms, dynamic content and other web applications. As the scan is being completed, the software produces detailed reports that pinpoint where vulnerabilities exist. Acunetix WVS Reporting Application allows security alerts to be presented in a document which abides by the PCI specification.

This white paper introduces the Payment Card Industry Compliance standard, and the security threats which brought about the need to standardize the data protection of both merchants and customers. The internet is no longer just a source of information, but it is a trading universe where thousands of credit and debit card transactions are carried out every second. Private data is transmitted and stored online through systems which have been exploited numerous times, resulting in immense financial repercussions on both traders and buyers. PCI Compliance is a structured security checklist which aims at securing financial data, and helps to distinguish the secure and reliable businesses from the risky ones. This compliance structure is also used in the Acunetix WVS Reporting Application, and allows security alerts to be presented in a document which abides by the PCI specification.

Click here to read the Payment Card Industry Compliance whitepaper

Download the White Paper on Ajax application security.

Click here to read the whitepaper Audit your Website Security with Acunetix Web Vulnerability Scanner

Click here to read the PHP and SQL Security whitepaper