PerlMonks
Re: Web Application Security Vulnerability testing

by sundialsvc4 (Monsignor)
on Nov 05, 2012 at 21:25 UTC (#1002388)


in reply to Web Application Security Vulnerability testing

Security is never a “product.” It is a process. Therefore, no security-testing “product, alone” would have any meaning, even if you did find one. (And of course, you can. Snake-oil sells well.)

Having said all that, I do have a few idle thoughts about what I'd consider to be things that you should keep in mind with regard to the security of your Perl-based web site:

  1. Your Perl version, and your web-site software whatever it is, should be kept up-to-date. This allows you to keep abreast of the updates that are from time to time provided by the various software suppliers. Keep abreast of discussions that happen right here.
  2. Most intrusions into a web-site are actually “out-of-band.” No one penetrated the defenses of the web-site: they went around it, just as the Germans defeated the Maginot Line by rendering it obsolete. Therefore, pay most attention to the operating-system environment, to the integrity of your shared-hosting vendor, and to thoroughly hardening your dedicated-host environment. (For example, if you are using a “convenient” tool like Plesk, you are most likely already $DEAD $BEEF, and don’t blame Perl for that.)
    • Somehow, this quote from the above-referenced Wikipedia article seems especially apropos: “Generals always fight the last war, especially if they have won it.”
  3. The coding practices of your entire system must be such that a Bobby Tables attack cannot by any means be mounted. No “magic tool” on the planet can help you with this: either your code is invulnerable to it by design, or you are $DEAD $BEEF and the entire world (except you, fool) already knows about it.
  4. “Security” of a web-site is the kid-brother of “Total Reliability.” It is completely astonishing to me how many production web-sites are out there which I can drop into 500 Internal Error just by innocently selecting a particular menu-option or pressing a particular button that the programmer did not bother to test. (Quite literally, only one path through the application has ever been swept for mines. No wonder the customers are unhappy.) There are plenty of tools such as Selenium by which a thorough front-end functionality test can be built and automated, and even driven using Perl. (There are, at this writing, 45 hits for “Selenium” at http://search.cpan.org.) But it is very, very rarely done.
    • More than one time this year, I have been morally and pragmatically obliged to say to a (potential) client: “Well, sir, before we can discuss enhancements to your web-site, first we must stabilize it, because right now I can drop it on its a*s more-or-less at will.” This is not always popular ... or profitable ... but of course I won’t pick up a client (or wish to, for I would surely lose much money...) whose understanding of their true business condition is less than realistic.

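Point 3 above is the one that can be shown concretely in Perl. The following is an added example, not code from the post or from any project it mentions: it puts the interpolated query (the Bobby Tables hole) beside the DBI placeholder form that is invulnerable by design, and runs both against a constructed in-memory SQLite table (assumes DBI and DBD::SQLite are installed).

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed in-memory SQLite table (needs DBD::SQLite) standing in for a
# site's user table; two sample rows, nothing from a real system.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, AutoCommit => 1 });
$dbh->do('CREATE TABLE users (name TEXT, email TEXT)');
$dbh->do(q{INSERT INTO users VALUES ('alice', 'alice@example.com'),
                                   ('bob',   'bob@example.com')});

# Vulnerable by design: the request parameter is interpolated into the SQL
# text, so the database parses whatever the client sent as part of the
# statement. Kept here only as the "before" picture.
sub lookup_interpolated {
    my ($name) = @_;
    my $sql = "SELECT email FROM users WHERE name = '$name'";
    return $dbh->selectcol_arrayref($sql);
}

# Invulnerable by design: the value travels as a bound parameter and is
# never parsed as SQL, whatever characters it contains. No escaping code
# to get wrong, no "magic tool" needed to audit it.
sub lookup_placeholder {
    my ($name) = @_;
    my $sql = 'SELECT email FROM users WHERE name = ?';
    return $dbh->selectcol_arrayref($sql, undef, $name);
}

# A constructed Bobby-Tables-style name: a quote that closes the literal,
# followed by a condition that is always true.
my $hostile = "x' OR 'a'='a";

my $leaked = lookup_interpolated($hostile);  # every email in the table (2 rows)
my $safe   = lookup_placeholder($hostile);   # no rows: nobody is literally named that

printf "interpolated: %d row(s)\n", scalar @$leaked;
printf "placeholder:  %d row(s)\n", scalar @$safe;
```

The same rule covers every statement the site issues, including ORDER BY and LIMIT clauses that placeholders cannot bind; those take a whitelist of allowed values, never the raw parameter.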

Re^2: Web Application Security Vulnerability testing
by squimby (Acolyte) on Nov 08, 2012 at 00:20 UTC
That's good advice, and we already do all this--controls for regular system updates, definitions updates, input sanitizing, firewalls, permissive IDS, user access controls, backups, a disaster recovery location, quality control procedures, and periodic reviews for everything mentioned above, all controlled by 2 system admins who have combined more years' experience than years I have walked this planet. To continue with the war analogy--we want to make sure we're secure within our gates/borders. I know this is in fact a process, and I'm wondering just what tools are out there to test scripts/code for vulnerabilities (XSS, injection attacks, etc.).
