It is nice to see some conversation around the topic of web security and specifically SQL injection. I mentioned months ago now that this is the most critical security problem that most IT organizations currently face. Most of you have already been hit with SQL injection and it is luck of the draw whether your system is already compromised or not. Most organizations are still relying simply on perimeter firewalls and host-based anti-virus, and neither of these will protect you. I have done over 10 investigations of web compromises, because of SQL injection, in which most companies had been compromised for more than 6 months before *accidentally* discovering the compromise.
There are a few options:

* Send developers to secure coding courses and hope they retain the information and will not make mistakes in the future.

* Buy a *web* specific vulnerability assessment scanner such as:
    Retina Web Security Scanner  http://www.eeye.com/html/products/RetinaWebScanner/index.html
    Acunetix                     http://www.acunetix.com/vulnerability-scanner/
    HP WebInspect                https://h10078.www1.hp.com/cda/hpms/display/main/hpms_content.jsp?zn=bto&cp=1-11-201-200%5E9570_4000_100__
    Cenzic                       https://www.cenzic.com/
    IBM Rational AppScan         http://www-01.ibm.com/software/awdtools/appscan/

* Hire a consulting company to perform regular scans and assessments using MORE than traditional VA tools:
    The DigiTrust Group          http://www.digitrustgroup.com/assessment.html#webapp
    WhiteHat Security            http://www.whitehatsec.com/home/index.html

* Buy a WAF (Web Application Firewall) and find time to manage it yourself:
    Breach WebDefend             http://www.breach.com/
    Imperva                      http://www.imperva.com/

* WAF / Web App Security Managed Security Services: have someone else manage the hassle of keeping your site secure from attacks including SQL injection. Notifications of not just blocked attacks and fine-tuned configuration, but also any defects stemming from specific code failures so that your developers can remediate and learn from the process.
    http://www.digitrustgroup.com/managed.html#web

A few things that will NOT protect you from SQL injection:

* Using only traditional vulnerability assessment software
* Performing server configuration hardening
* Telling your admins to simply read SANS or OWASP
* Any of those lame "site protected/site scanned by X" type certifications. Most are only looking for known web vulns (which traditional vulnerability assessment software will find); however, they do not find custom-coded web SQL injection bugs.

-------------
Marc Maiffret
Director of Professional Services
The DigiTrust Group, LLC.
5757 W. Century Blvd, Ste. 700
Los Angeles, CA 90045
p: 310.348.2901
f: 310.469.0103
w: http://www.thedigitrustgroup.com

> -----Original Message-----
> From: Oliver Marshall [mailto:[EMAIL PROTECTED]
> Sent: Thursday, September 25, 2008 5:19 AM
> To: NT System Admin Issues
> Subject: Website security checking service
>
> Hi chaps,
>
> Can anyone recommend a website checking service that will check
> websites on a regular basis for security issues and report back? One
> of our clients suffered an SQL injection attack this week, and on their
> new rebuilt server they are keen to get some element of reporting as to
> when any possible issues may be presented to visitors, or to be made
> aware as to when flaws are found in the sites. The sites change
> regularly and multiple teams work on any one site, so a site that was
> once tight-as-a-nut may, the next week, be made insecure by the action
> of another team.
>
> Olly
> --
> G2 Support
> Email: [EMAIL PROTECTED]
> Web: http://www.g2support.com
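The "secure coding" option above is the only one that removes the bug rather than detecting or filtering it. The following is an added illustration, not code from Marc's message or from any of the vendors listed: it puts a string-concatenated query next to a parameterized one against a constructed in-memory SQLite table (the schema, sample rows and the hypothetical lookup functions are assumptions for the example). The same input that turns the concatenated query into "return every row" is treated as a plain literal by the parameterized one, which is also why a perimeter firewall, seeing only a normal HTTP request, has nothing to block.

```python
import sqlite3


def make_db():
    # Constructed sample data, not from any real system.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Hypothetical "before" code: user input is pasted into the SQL text,
    # so a quote in the input changes the structure of the statement.
    sql = "SELECT id, username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # Hardened form: the value is bound to a placeholder. The database
    # receives the statement and the value separately, so the input can
    # only ever be compared as data, never parsed as SQL.
    sql = "SELECT id, username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    # Returns how many rows each variant yields for the same input.
    conn = make_db()
    return {
        "vulnerable": len(lookup_vulnerable(conn, username)),
        "parameterized": len(lookup_parameterized(conn, username)),
    }


if __name__ == "__main__":
    # A normal lookup behaves the same either way.
    print("bob:", compare("bob"))
    # A constructed input containing a quote: the concatenated query now
    # matches every user, the parameterized query matches none.
    print("hostile:", compare("x' OR '1'='1"))
```

A web-specific scanner of the kind listed above finds this class of defect by sending inputs like the second one and watching the response change; a WAF tries to recognize such inputs in flight. Only the parameterized version makes the result independent of what the input contains.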
