The World Wide Web offers exceptional convenience in the delivery of products and services to consumers and businesses. With an architecture that couples a front-end web site to a transaction server, logons, information requests, or payment requests can be processed very quickly. The technologies most often used are a web server and an SQL server. That same technology is very vulnerable to information theft if it has not been installed, configured and maintained properly. In that case, corporate liabilities (both financial and legislative), client retention and loyalty, and corporate survival become major issues.
WhiteHat has developed an ever-evolving methodology to perform Web/SQL assessments; it evolves because new threats emerge almost every day.
This assessment may be performed on-site, or off-site, depending on client requirements and the ultimate goal of the testing, and provides a measure of the prevailing general state of security, based on:
- exploring the services running on the servers,
- determining the relative "hardening" of the OS and platforms,
- cataloging application-level behavior, i.e., the response to malformed HTTP or HTTPS requests, SQL injection, etc.,
- investigating external public Internet practices and configurations,
- using both commercial and open source tools to identify any cross-site scripting or input parameter bounds-checking deficiencies, and
- other proprietary diagnostics.
The benefit to a site operator, owner or stakeholder is knowing how the technology ranks with respect to best practices, standards and industry peers. This is an essential due diligence exercise.