Vulnerability Scanning Your Web Servers (And Why It's Important)

I've been in the web business since sometime around late 1995.  I started writing "code" at that time just like everyone else did -- HTML, and only HTML.  Those were the days of simple web pages with no background and seldom any images.  It was all about content and how it was organized.  In those days it didn't seem like there was any need for real security, or even any clear idea of what real security meant for web servers.  At that time, it was rare to hear anything about systems being hacked, company information, secrets, credit card numbers or personal information being stolen, or public-facing company portals being defaced.  Even rarer were reports of DoS attacks or other debilitating attacks on web servers.  

The climate on the Internet has most certainly changed since those days.  Over the last 20 years or so, hacking groups have proliferated worldwide, conducting their activities less for educational purposes and more to disrupt services or to push an agenda of some sort.  In countries like China, Russia, North Korea, parts of Eastern Europe and Africa, there are hackers actively working on "0-day" hacks and exploits and writing infiltration code to break into your servers or even home computers.  A New York Times article from 2010 (referenced here) meets and talks to a young college graduate in China using hacking for "Fun" and "Profit". 

As development practices have moved to more advanced programming languages, with the complexity of modern non-web applications, many flavors of web and database platforms and a variety of supplemental frameworks, developers face the challenge of proactively coding against a plethora of well-known hacks and exploits, not only in their code but in their web server infrastructure.   

It nearly takes a specialist in web security to assure you're doing all you can to protect yourself, or the company you work for, from exploited web pages, data loss, an embarrassing bout of public humiliation from a defaced web portal, or worse, stolen customer data.  

It's worth the research to get your servers set up correctly before moving them to the production environment.  No matter which operating system you are working with, there are exploits for any software or server that you run out of the box.  It's up to you to fix those vulnerabilities and close those holes before you go live.  If you're lucky, you have a large team of people in your technology division and hopefully one of them has the experience to handle this task.  Chances are, though, the developer is also the administrator, as is the case in most small modern companies. 

So, how do you get a handle on it?  Where can you go for help?

Setting up your web servers to handle these exploits out of the box is a little out of the scope of this article.  You will have to do that research on your own.  Search your favorite search engine for your operating system, programming platforms, database platforms, programming languages and keywords like exploit, hacks, or vulnerability.

Now you have everything set up, you're secure, and you even closed the easy ones to forget: Remote Desktop access, open VNC services, directory listing (letting visitors browse folders on the web server), or not keeping your operating system patches up to date.  You're done!  Not so fast...
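A quick self-check for two of the "easy to forget" items above, as an added example that is not part of the original post: it flags RDP/VNC listeners bound to non-loopback addresses in `ss -ltn` style output, and recognises an autoindex page that reveals a directory listing. The sample `ss` output and HTML are constructed, not captured from a real host.

```python
import re
import subprocess

# Ports of the remote-access services named in the article; 5900-5909 covers VNC displays :0-:9.
RISKY_PORTS = {3389: "Remote Desktop (RDP)", **{p: "VNC" for p in range(5900, 5910)}}

# Constructed sample of `ss -ltn` output: RDP exposed on all interfaces, VNC only on loopback.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:80          0.0.0.0:*
LISTEN 0      128    0.0.0.0:3389        0.0.0.0:*
LISTEN 0      5      127.0.0.1:5901      0.0.0.0:*
"""

# Constructed sample of an Apache-style autoindex page (directory listing enabled).
SAMPLE_LISTING = "<html><head><title>Index of /uploads</title></head><body><h1>Index of /uploads</h1></body></html>"


def exposed_remote_access(ss_output: str) -> list[str]:
    """Return one finding per RDP/VNC listener that is reachable from the network (not loopback)."""
    findings = []
    for line in ss_output.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        addr, _, port_text = parts[3].rpartition(":")  # handles "0.0.0.0:3389", "[::]:3389", "*:3389"
        port = int(port_text)
        loopback = addr.startswith("127.") or addr == "[::1]"
        if port in RISKY_PORTS and not loopback:
            findings.append(f"{RISKY_PORTS[port]} listening on {addr}:{port}")
    return findings


def looks_like_directory_listing(html: str) -> bool:
    """Heuristic: Apache and nginx autoindex pages title themselves 'Index of /...'."""
    return re.search(r"<title>\s*Index of /", html, re.IGNORECASE) is not None


if __name__ == "__main__":
    # Run against the local host's real listeners (requires the iproute2 `ss` tool).
    live = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    for finding in exposed_remote_access(live) or ["no exposed RDP/VNC listeners"]:
        print(finding)
    print("sample page is a directory listing:", looks_like_directory_listing(SAMPLE_LISTING))
```

Fetch a directory URL on your own server (for example `/uploads/`) and pass the response body to `looks_like_directory_listing` to confirm listing is off.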

Is that how it works?  You do a great job setting everything up and you're the hero because you managed to get the local florist's WordPress site SQL injection free.  Today.

You have to keep up with it.  Every day new exploits are discovered.  Some are published, some are not.  The big boys like Adobe, Microsoft, Apache and others have people in the field monitoring the hacker chatter and reporting what they find back to the development teams so the platform developers can get bugs fixed as soon as possible.  But if you never install their updates, or don't even know there is something that can be exploited on your server, you're wide open to the world. 

I keep an eye on a site like Exploit DB (found here: http://www.exploit-db.com/) to get info about what the trends are and what's being actively exploited.  The site uses Google's web server profiling capabilities to assist in identification of exploits.  It's a fairly interesting read without going too deep into the hacker community.  Even with information sources like that, you still have to scan your sites to determine if they are going to be a problem for you.

How To Stay Ahead

Scans.  It's simple.  You can't monitor all of the channels for all of the software you use in production.  You have to find services that do this for you.  The best practices for scanning include using a blend of different scanners originating from your own servers and from outside web-based vendors that keep up with the vulnerabilities and scan for them regularly.  From my experience, weekly is sufficient for most sites.

Here are a couple of downloadable solutions:

Here's a list of some web-based solutions:

Over the years I have used so many online scanners.  So many, in fact, that I couldn't even tell you the names of them all.  The first one in my list, ScanMyServer.com, is kind of a stand-out in my mind.  It's not overly flashy in appearance, but the job that it does is excellent.  When it comes to scanning technology, I don't so much care what it looks like, but the information that it gives needs to be verbose and accurate.  I found that after using the ScanMyServer.com web application for over a year, the timeliness of the scanning and the information it provided was extremely useful, giving me not only what the exploits were but links to reporting on the exploits themselves and how to fix them.  At first, I didn't know that ScanMyServer was from the people at Beyond Security.  I've always respected their products as being accurate and not throwing a lot of false positives at you.  Their scanning system was exactly what I needed so I could spend more time with my family and less with the cold hum of the server room.

Feel free to comment and ask questions. 
