
Security-Check: Prevention is the best strategy

Why is a Security-Check advisable?

Because security gaps in your web application can have critical, even existence-threatening, consequences for your company, a Security-Check is advisable. Critical means that attackers could use these gaps to spy out, manipulate or destroy data, or even take control of the server. For instance, personal user data could be stolen through a SQL injection vulnerability, any user could log in without a password, or a back door could be opened on the server, possibly giving access to the internal corporate network.

Who is affected?

According to security experts, approximately 70% to 90% of all web applications (e.g. web shops, online catalogues or portals) contain critical security gaps. In the recent past, Microsoft, Google, MySpace, T-Mobile and the United Nations were also among the thousands of companies and institutions whose web applications had critical security gaps.

What is checked with the Security-Check?

Each Security-Check is planned individually, discussed with you and adapted to your wishes and requirements. Normally it is checked whether the web application has security gaps and whether the web server software in use (e.g. Apache) and the web technology in use (e.g. PHP) contain known vulnerabilities. In detail, the following can be checked, for example:

  • Cross-Site Scripting (XSS) – Do weaknesses allow attacker-supplied script to be executed in the user's browser?
  • SQL Injection – Can database queries be manipulated, and can this even be used to execute system commands?
  • Does the version of the server software in use have known vulnerabilities?
  • Does the version of the web technology or framework in use have known vulnerabilities?
  • Directory Listings – Can the (possibly sensitive) contents of directories be listed?
  • Are files and directories that contain sensitive information reachable and readable?
  • Is the web application "too talkative", i.e. do provoked error messages reveal information that is useful to a potential attacker?
  • Code Injection – Are there places where code can be injected that is then executed on the server?
  • Redirection vulnerabilities (open redirects) – Are there places where an arbitrary URL can be passed as a parameter and is then loaded?
  • E-mail injection – Are there places that a spammer could abuse to send e-mail?
  • Is sensitive information about the application publicly available (so-called "Google hacking", e.g. cached pages containing revealing error messages)?
  • Script Source Code Disclosure – Can the source code be obtained, possibly revealing sensitive information such as database passwords?
  • On request, it is also possible to check whether the passwords of selected accounts are secure.
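To make a few of the checks listed above concrete, here is a small added example. It is illustration code written for this page, not tooling from the Security-Check service or its author. It shows, in Python, how four of the listed items can be decided mechanically: whether a redirect parameter leaves the application's own host (open redirect), whether a form value would inject additional mail headers (e-mail injection), whether a response is an Apache-style directory listing, and whether an error page is "too talkative". The host names (shop.example, evil.example), the sample redirect targets and the sample HTTP response bodies are all constructed for the example.

```python
import re
from urllib.parse import urljoin, urlparse

# Hypothetical host of the application under test (constructed for this example).
OWN_HOST = "shop.example"


def is_open_redirect(target, own_host=OWN_HOST):
    """Open redirect check: would following the redirect parameter leave our host?

    The value is resolved against the application's own base URL, as a browser
    would, so protocol-relative values ("//evil.example/..."), userinfo tricks
    ("https://shop.example@evil.example/"), look-alike subdomains and non-HTTP
    schemes ("javascript:") are all recognised as leaving the host.
    """
    resolved = urlparse(urljoin(f"https://{own_host}/", target))
    return resolved.scheme not in ("http", "https") or resolved.netloc.lower() != own_host


CRLF = re.compile(r"[\r\n]")


def has_header_injection(value):
    """E-mail injection check: a CR or LF inside a value that is copied into a
    mail header lets an attacker append headers such as Bcc:, turning a
    contact form into a spam relay."""
    return bool(CRLF.search(value))


def looks_like_directory_listing(body):
    """Directory listing check: Apache's autoindex output carries these markers."""
    return "<title>Index of /" in body or "Parent Directory" in body


# Fragments that show an application is "too talkative" about its internals.
ERROR_SIGNATURES = (
    "You have an error in your SQL syntax",  # MySQL syntax error echoed to the client
    "Warning: mysql_",                        # PHP mysql extension notice, usually with a file path
    "Fatal error:",                           # PHP fatal error, usually with a file path
    "ORA-0",                                  # Oracle error code
)


def leaks_error_details(body):
    """Verbose error check: returns the first matching signature, or None."""
    for sig in ERROR_SIGNATURES:
        if sig in body:
            return sig
    return None


# Constructed sample inputs: redirect parameter values and whether each is a finding.
SAMPLE_REDIRECTS = {
    "/account": False,
    "https://shop.example/login": False,
    "//evil.example/phish": True,
    "https://shop.example@evil.example/": True,
    "https://shop.example.evil.example/": True,
    "javascript:alert(1)": True,
}

# Constructed sample response bodies keyed by the requested path.
SAMPLE_RESPONSES = {
    "/images/": "<html><head><title>Index of /images</title></head>"
                "<body><h1>Index of /images</h1><a href=\"/\">Parent Directory</a></body></html>",
    "/search?q='": "Warning: mysql_fetch_array(): supplied argument is not a valid MySQL "
                   "result resource in /var/www/shop/search.php on line 42",
    "/": "<html><body>Welcome to the shop</body></html>",
}

SAMPLE_MAIL_FIELDS = ("bob@example.net", "bob@example.net\r\nBcc: victims@example.org")


def run_checks():
    """Run every check over the constructed samples; returns findings per check."""
    return {
        "open_redirect": [t for t in SAMPLE_REDIRECTS if is_open_redirect(t)],
        "email_injection": [v for v in SAMPLE_MAIL_FIELDS if has_header_injection(v)],
        "directory_listing": [p for p, body in SAMPLE_RESPONSES.items()
                              if looks_like_directory_listing(body)],
        "verbose_errors": {p: leaks_error_details(body) for p, body in SAMPLE_RESPONSES.items()
                           if leaks_error_details(body)},
    }


if __name__ == "__main__":
    for check, hits in run_checks().items():
        print(f"{check}: {hits}")
```

The redirect check deliberately resolves the parameter the way a browser would instead of string-matching on a prefix; a naive `target.startswith("https://shop.example")` would pass `https://shop.example.evil.example/` and `https://shop.example@evil.example/`, both of which this version flags. The signature list for verbose errors is a starting point only; in a real check it is extended with the framework's own error formats.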

In addition, a Code Review can be carried out. In this case the source code of the web application is checked for security gaps directly.

Who performs the Security-Check?

Johannes Fahrenkrug is an experienced developer of web applications in Java, Ruby, Python and PHP and is well versed in this subject. He has been active in web application security for many years and has, among others, advised the following companies:

Please find additional references under http://www.linkedin.com/in/jfahrenkrug

For detailed information please contact:

Marco Escher
+49 8551 9150 79

hosting@thomas-krenn.com

or use our inquiry form.