WEBSITE SECURITY

The importance of web application scanning
Organizations need a Web application scanning solution that can scan for security loopholes in Web-based applications to prevent would-be hackers from gaining unauthorized access to corporate information and data. Web applications are proving to be the weakest link in overall corporate security, even though companies have left no stone unturned in installing the better-known network security and anti-virus solutions. Quick to take advantage of this vulnerability, hackers have now begun to use Web applications as a platform for gaining access to corporate data; consequently the regular use of a web application scanner is essential.

Web Applications Are Easy to Hack
The hacker’s life has become tougher in recent days. Thanks to various intrusion detection and defense mechanisms developed by network security companies, it is no longer easy to breach security perimeters and gain unauthorized access to an organization’s network.
Today, firewalls, security scanners and antivirus software protect almost all corporate networks. Hemmed in by such constraints, hackers have been researching alternate ways to breach the security infrastructure.


Unfortunately, hackers have been successful in finding a gaping hole in the corporate security infrastructure, one that organizations were previously unaware of: Web applications. By design, Web applications are publicly available on the Internet, 24/7. This gives hackers easy access and allows almost unlimited attempts to hack applications that webmasters have not identified as vulnerable through the use of a web application scanning solution.

What is a Web Application?

A Web application is an application that resides on a company’s Web server, which any authorized user can access over a network, such as the World Wide Web or an Intranet.

A Web application is a three-layered application. Normally, the first layer would be a Web browser, the second would be a content generation technology tool such as Java servlets or ASP (Active Server Pages), and the third layer would be the company database.
The Web browser makes the initial request to the middle layer, which, in turn, accesses the database to perform the requested task, either by retrieving information from the database, or by updating it.

Since Web applications reside on a server, they can be updated and modified at any time without any distribution or installation of software on the client’s machines – the main reason for the widespread adoption of Web applications in today’s organizations.
Examples of Web applications include shopping carts, forms, login pages, dynamic content, discussion boards and blogs.


Hackers’ Favorite Web Attack Modes

• SQL injection: The hacker transmits SQL query commands to the database residing on the server via the Web application. This is done in two ways: SQL commands are entered in form fields on the webpage, or SQL queries are inserted into required input parameters. Thus, the hacker is able to run SQL queries and commands on the server.
• Cross-site scripting (XSS): The hacker inserts malicious data into a dynamic webpage. Websites that include only static web-pages have control over user interaction because a static webpage is a “read-only” page that does not permit user interaction. Therefore, a would-be hacker can only view the page without being able to cause any damage. However, a dynamic webpage is open to user interaction, so a hacker can insert hazardous content without the website or Web application being able to differentiate this content from innocuous content. The key to the XSS vulnerability is that a hacker can cause the actual Web server itself to send a webpage with malicious content to the unsuspecting user. The hacker can then transfer the user’s input to another server.
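As an added illustration (example code written for this page, not Appin's tooling), the two attack modes above are shown as a vulnerable handler beside its hardened form: a login query built from form fields versus a parameterized one, and a comment rendered verbatim into a dynamic page versus HTML-encoded on output. The users table, its rows and the malicious inputs are all constructed for the demo, with an in-memory SQLite table standing in for the company database.

```python
import html
import sqlite3


def build_db() -> sqlite3.Connection:
    # Constructed in-memory table standing in for the "company database"
    # (the third layer of the three-layered design described above).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> list:
    # VULNERABLE: the form-field values are spliced into the SQL text, so the
    # database parses whatever the user typed as part of the query. This is
    # the "SQL commands entered in form fields" case from the list above.
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}' "
        "ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    # HARDENED: '?' placeholders bind the values as data. The SQL text is fixed,
    # so a quote or keyword inside the input can never change the query's meaning.
    sql = (
        "SELECT username FROM users "
        "WHERE username = ? AND password = ? ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql, (username, password))]


def render_comment_unsafe(comment: str) -> str:
    # VULNERABLE: user-supplied text is written into the dynamic page verbatim,
    # so the Web server itself ships the attacker's markup to the next visitor.
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment: str) -> str:
    # HARDENED: HTML-encode on output, so the browser displays the text instead
    # of interpreting it. Encoding is context-specific; this form is for HTML
    # body text, not for attributes, URLs or script blocks.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def demo() -> dict:
    """Run each handler on a normal input and on a constructed malicious one."""
    conn = build_db()
    # Constructed inputs: a genuine login, the classic tautology payload (the
    # field value closes the quoted literal and appends OR '1'='1'), and a
    # script tag submitted as a comment.
    tautology = "x' OR '1'='1"
    script = "<script>alert(1)</script>"
    return {
        "normal_unsafe": login_unsafe(conn, "alice", "s3cret"),
        "normal_safe": login_safe(conn, "alice", "s3cret"),
        "injected_unsafe": login_unsafe(conn, tautology, tautology),  # every user
        "injected_safe": login_safe(conn, tautology, tautology),      # nobody
        "xss_unsafe": render_comment_unsafe(script),  # raw <script> reaches browser
        "xss_safe": render_comment_safe(script),      # shown as harmless text
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unsafe login returns every user for the tautology input because the quote in the field rewrites the WHERE clause, while the parameterized version treats the same string as a literal username and matches nothing; the same contrast holds for the comment renderer.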

The Solution: Appin Website Security
Appin Website Security is the most comprehensive service for technical auditing, risk/gap analysis and patching. Appin Radar, the primary tool used for auditing, enables a comprehensive remote audit for vulnerability assessment and patch management.

With multiple access points, companies regularly face hacking attacks, both internal and external. We will do a comprehensive security audit of your web applications, intranet applications and websites. The advantages are:

• Vulnerability assessment tools for applications and websites
• Penetration testing based on manual testing and selected proprietary and open source tools
• Comprehensive reporting and patching suggestions
• Interactive module for reporting false positives
• Third-party audits by CERT-In empanelled security auditors, meeting government and industry compliance standards
• Accurate and up-to-date vulnerability knowledge base that helps in technical risk assessment as per international standards such as OWASP, SANS Top 20, ISO 27001, etc.
• Closing every window of opportunity for intruders
• The only company in India to have its own tools and delivery system for Vulnerability Assessment, Penetration Testing and Patching integrated as one system, known as Appin Radar (patent pending)

They are also specific to the application(s) being tested for vulnerabilities. The process followed is as follows:

• Audit
    Information Gathering
    Vulnerability Assessment & Penetration Testing
• Report
    Risk Assessment
    Comprehensive Reporting with Management/Technical Reports
• Secure
    Patching Vulnerabilities

Team Profile
The team will consist of engineers specializing in Information Security. The technical security auditing team will include people holding well-known security certifications such as CISSP, CEH, SANS GSEC and MASE, who have performed audits for various data centers.
• Low Risks should be noted and remediated at a later date; they do not pose a real threat to the application, network and connected systems.
• Appin will issue a draft report of the findings that shall include details such as Ref #, issue detail, risk level (High, Medium or Low), classification (infrastructure / application), risk, suggested remedy measures, corrective actions performed, retest details and final status, etc.