“I’ve been the webmaster for our organization for the past 7 years. In that time, I haven’t experienced any real security issues with the website and its running applications. Being primarily a programmer by profession, I’ve written many of the applications used on the website and have been happy with their performance and operation.
One of my Information Technology colleagues sent me a link to www.acunetix.com and asked if it would be worthwhile to take advantage of their Site Audit service. I’ve heard of such services, but always felt that the website was safe. I didn’t think it was worth running it.
Since it was a free service offered to nonprofit organizations, I decided “Why not?” It would only strengthen my resolve that my programming was flawless! After scheduling an evening website scan so as to not impact the server, I was shocked when a PDF report was emailed to me in the morning indicating that 67 high priority problems were encountered!!!
Most of these issues involved Cross Site Scripting and SQL injection errors in publicly used applications! To say the least, I was taken aback by what I thought were programs that were “flawless”. The report described the errors in detail and offered solutions to fix the problems. Included in the report were URLs to pages that describe the problems. In my case, the majority of the issues involved filtering meta characters from user input. Fortunately, the fixes were easy to implement, and after an hour or so I made the necessary modifications to the code. A subsequent scan indicated zero high priority errors.
The detailed report also indicated low priority problems such as broken links, robots.txt issues, and other sensitive files that can be used by hackers against your site. Reviewing their suggestions, I made some small modifications here and there that just made sense.
I would wholeheartedly recommend that webmasters take advantage of this service. The comprehensive report that you receive brings to light issues that could compromise your servers in the future. It’s as if you hired a security expert for your company to look over your shoulder.
I’ve learned from this experience that just because your servers weren’t targeted in the past doesn’t mean that they won’t be targeted in the future. Problems lurk in code, so use this service!!!”
A. C. Silvestri,
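The two finding classes named in the testimonial, SQL injection and Cross Site Scripting, both come from user input being concatenated into a query or a page. The following is an added example, not code from the testimonial's author or from Acunetix, showing a string-built query beside its parameterised form and raw HTML output beside its encoded form. Binding parameters and encoding output are the fixes a scanner's remediation advice normally points to; they are more robust than filtering meta characters out of the input, because the data is never interpreted as SQL or markup in the first place. The `users` table, its two rows, and the inputs are constructed for the demonstration.

```python
import html
import sqlite3

# Constructed stand-in for a site's user database (assumption: not a real schema).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
conn.executemany(
    "INSERT INTO users VALUES (?, ?)",
    [("alice", "alice@example.org"), ("bob", "bob@example.org")],
)
conn.commit()


def lookup_vulnerable(username):
    """String-built query: the input becomes part of the SQL text.

    A value such as  ' OR '1'='1  turns the WHERE clause into a tautology
    and returns every row, which is exactly what a scanner flags as SQLi.
    """
    sql = "SELECT username, email FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_fixed(username):
    """Parameterised query: the driver binds the value as data only.

    The same payload is compared literally against the username column and
    matches nothing, so no filtering of quotes or keywords is needed.
    """
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_vulnerable(comment):
    """Raw interpolation into HTML: a reflected/stored XSS sink."""
    return "<p>%s</p>" % comment


def render_fixed(comment):
    """Output encoding: <, >, &, and quotes become entities, so browser-side
    the text is displayed, never executed."""
    return "<p>%s</p>" % html.escape(comment, quote=True)


if __name__ == "__main__":
    sqli = "' OR '1'='1"
    print("vulnerable lookup:", lookup_vulnerable(sqli))  # both rows leak
    print("fixed lookup:     ", lookup_fixed(sqli))       # []
    xss = "<script>alert(document.cookie)</script>"
    print("vulnerable render:", render_vulnerable(xss))
    print("fixed render:     ", render_fixed(xss))
```

Re-running the scanner after a change like this is the right check: a fix that only strips a few characters can leave an alternate encoding or a different quoting context exploitable, whereas bound parameters and context-appropriate encoding close the class of bug rather than one payload.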