Finally… Considering Web Security

“She generally gave herself very good advice, (though she very seldom followed it).” — Lewis Carroll, Alice’s Adventures in Wonderland & Through the Looking-Glass
Chances are your company has a website, and if so, chances are it has more than a few security flaws that need to be evaluated. Note the clever use of the word “evaluated.” In business we all make tradeoffs between risks and the costs associated with fixing those risks. If your brochure website has a few minor vulnerabilities like Possible Server Path Disclosure or Visible FrontPage Information security problems, this tradeoff may mean that you choose to live with them and sleep well at night. However, if your banking site has numerous SQL Injection problems or an Invalid SSL Certificate Date, I would recommend that you seriously consider immediate remediation before your clients hear of your potential disclosure risks. The risk/cost tradeoff is never as obvious as in these two examples, and remediation decisions are hardly ever easy.
The problem you, and most site owners, experience when it comes to web security is that you have no way of understanding the magnitude of your website’s security risks. The truth is, unless you have had a formal web security audit performed, you really have no idea how vulnerable your website is. If your last web security audit was performed years ago, you are just as unaware.
Without a second-party code review and a security scan done using a commercial vulnerability scanner, you have no idea what security issues your website might contain. As a result, assurances from your web development staff, no matter how competent, that your website is secure should carry little weight.
Unlike a software bug in a web application, which can be fixed in the next few days, a security breach that compromises sensitive data only has to happen once to turn your world upside down. Don’t believe us? The news is littered with examples of companies whose data and the data of their customers have been put on public display. Anyone at Sony would easily tell you that recovering from a data breach is no easy task.
Second-Party Code Review
Second-party code reviews are costly and should be considered only when the stakes are high, for example a banking site or a high-volume social networking site. The staff doing the review needs to be well versed in software as well as web security development. Having one-half of your development team look at the other half’s code may not be a good practice.
Website Security Scan
A website security scan using a quality web vulnerability scanner is an absolute must when reviewing a website for potential security issues. The web vulnerability scanner will automatically run through hundreds of thousands of security scripts when scanning even a moderately sized website. The results of the automatic scan will indicate the exact area of code where security flaws were found and provide insight as to what needs to be changed in that area.
Even better, after the code is remediated, the same scan can be run a second time to make sure the flaw has been fixed and no additional problems have been introduced. While there is some effort involved with setting up and interpreting the results of a web vulnerability scan, the real work is done in the background with little intervention. When it comes to the risk/cost tradeoff, the cost of a web vulnerability scan is minimal compared to the results that are reported.
If it’s been a while since you’ve had your website scanned, 403 Web Security can help. Visit our website to sign up for a free website vulnerability review.
Have you had your website scanned? Were you surprised by the results? Share your stories with us by leaving a comment!