How do you handle your web application testing, vulnerability scans, test data and related security assessment reports? I’ve found that this is something that doesn’t get a lot of attention in web application security circles but is still impactful to the business. It’s actually kind of ironic that those of us working in IT and security often forget about what’s at stake if web vulnerability information were to fall into the wrong hands. I should know - I used to take it too lightly and many others still do.
The thing is, everything from passwords to SQL injection requests to hard-coded encryption keys – practically anything imaginable related to web security flaws – is contained in the following files, screenshots and reports:
- Web vulnerability scan files (the raw data such as .wvs files in Acunetix Web Vulnerability Scanner)
- Web vulnerability scanner reports (e.g. PDF and HTML files)
- Screenshots of exploits
- Proxy log files
- Username and password dictionaries
- Final web application testing reports containing specific findings and methods of exploitation
The risk is increased when all of this information is scattered about on multiple systems – especially once it makes its way to unencrypted laptops and data backups, third-party email systems and under-protected mobile devices (and trust me, it will). Even hard copies of web application testing reports can create business risks. I see those being tossed around to third parties quite often like it’s no big deal at all.
You can have the best NDA (Non-Disclosure Agreement) in the world but that’s not going to keep this information under wraps. What’s required is for all the parties involved to take the proper steps to keep this information in check. Depending on your unique situation, you may have a few other options. You can de-identify the data within the scan files and reports before handing them over. Operating system, database and application privilege levels can also be set to ensure that only those with a genuine need to know can view this sensitive information.
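The de-identification step above, as an added example that is not part of the original post or of any scanner's own tooling: it masks credentials, cookies and API keys in a text export and replaces in-scope hostnames with keyed pseudonyms, then runs a last check for anything it missed. The report format, hostnames and secret values are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed sample of what a raw scan export or proxy log might contain.
# Not a real scanner file format; only the kind of data in it matters here.
SAMPLE_REPORT = """\
Target: https://intranet.example.org/login.php
Finding: SQL injection in parameter 'user'
Request:
POST /login.php HTTP/1.1
Host: intranet.example.org
Cookie: PHPSESSID=2f9a7b1c4d6e8f0a1b2c3d4e5f60718
Authorization: Basic YWRtaW46aHVudGVyMg==
user=admin&password=hunter2
Note: hard-coded key found: api_key=AKIA0000EXAMPLEKEY
"""

# Values that should never travel with a report that leaves the team.
SECRET_PATTERNS = [
    (re.compile(r"(?i)(authorization:\s*\S+\s+)\S+"), r"\1[REDACTED]"),
    (re.compile(r"(?i)(cookie:\s*)[^\r\n]+"), r"\1[REDACTED]"),
    (re.compile(r"(?i)\b(password|passwd|pwd|api_key|secret|token)=[^&\s]+"),
     r"\1=[REDACTED]"),
]

def pseudonym(host: str, key: bytes) -> str:
    """Keyed, stable pseudonym: the same host maps to the same label across
    the whole report, but cannot be reversed without the engagement key."""
    tag = hmac.new(key, host.encode(), hashlib.sha256).hexdigest()[:12]
    return f"host-{tag}.invalid"

def deidentify(text: str, in_scope_hosts, key: bytes) -> str:
    """Mask secrets and pseudonymize in-scope hostnames before hand-over."""
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)
    # Longest names first so a subdomain is not partly clobbered by its parent.
    for host in sorted(in_scope_hosts, key=len, reverse=True):
        text = text.replace(host, pseudonym(host, key))
    return text

def leaks(text: str) -> list:
    """Release gate: any secret-looking value that is still unmasked."""
    return [m.group(0) for p, _ in SECRET_PATTERNS for m in p.finditer(text)
            if "[REDACTED]" not in m.group(0)]

if __name__ == "__main__":
    cleaned = deidentify(SAMPLE_REPORT, {"intranet.example.org"}, b"engagement-key")
    print(cleaned)
    assert not leaks(cleaned), "report still contains secrets"
```

The pattern list is deliberately small; extend it with whatever your scanner and proxy actually emit (session token names, header names) and keep the engagement key with the people who need to map findings back to real hosts.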
In the end, you’re not going to have complete control of the information resulting from your web application testing. You’ll have to trust people to do the right things. Unfortunately, that’s where businesses often get themselves into trouble. Thus the cycle of information security and managing risks continues.
Yes, you are right. Web applications have become one of the primary security risks institutions face. Web applications are often widely accessible to the Internet as a whole, which in turn leaves them exposed to a large number of potential hackers. Ensuring the security of websites and internet-facing applications created and maintained by the University is an important investment for our institution to mitigate the risk.
Aligning security policy with business goals is often difficult. Without adequate resources and in-depth experience to test for vulnerabilities and determine their impact, organizations can make uninformed decisions that will result in data breaches, non-compliance to regulation, disruption of service, and a loss of revenue, confidence, and trust.
We were hit by a hacker from 37.75.213.27 yesterday, who downloaded the entire contents of htdocs, icons and launched 4600 attacks against cgi-bin.
Disturbingly, some of the things he tried to get hold of were acunetix-wvs-test-for-some-inexistent-file, acunetix-wvs-test-for-some-inexistent-file-second-try and acunetixsessionfixation.
I’m not familiar with your products, so I don’t know the significance of these files, but perhaps you should be aware of the fact that they’re a hacker target.
The attack failed, by the way (although I hope he had fun with some of the animated GIFs he got from the icons directory…).