Do you trust you vulnerability assessment?
Web applications rely on server to bring users services. You read this blog and you take care of your web application security very seriously. Maybe you have also web application firewalls in front of it to face-off first time attackers.
But, what about your server security? Do you take care of it? And if you are a smart guy running vulnerability assessments on a regular schedule, other people do you trust your work?
Some key principles
In my experience I found that setting up scheduled scans, can help people in raising the server security level. Like having strong basements, having a well configured server is the first step in the application security process.
A minimal set of feature your #va workflow must have is:
- you use a vulnerability assessment tool that is regularly updated by the vendor. At least once per week
- your tool have a safe checks only feature you really want to enable
- you can specify a local machine user account to perform whitebox tests
- at least one time at month you create a detailed analysis of your assets vulnerabilities, trying to figure it out the most important security hole out there
Performing whitebox test is the most important feature in the list. This leads you in connecting to the machine and actually see the exact library/third party program version installed; such information is important for your tool to look into its knowledge base and to give you detailed results instead of false positive issues.
And the fault is made by…
Sometimes, once or twice in a month, clueless sysadmins prompts you telling:
"hey stop scanning my machine. Your f%%%ing security checks made my service to stop.
the clueless sysadmin
Badly written software happens. Even in commercial software and even more frequently when vendor’s salesmen pretending them to be unbreakable or 100% secure or to take your cloud experience to the next level.
If a salesman bloates every sentence with one or more of the following: total security, cloud, enterprise than its software may not well designed at all.
Let’s say your company just installed a commercial software for HR. Let’s say your company pay a lot of money for that. Let’s say the salesman uses one of the aforementioned words. Maybe you will receive a call in the very early morning saying you caused a fault because you made that software to crash.
This my vademecum:
- keep calm and breath (at least for a minute after you read that mail or the other people stopped complaining at the phone)
- repeat your self you want to stay in peace with the world
- make your voice (or your typos) clear and explain that you configured your scanner in a safe mode so no exploit attempt has been performed
- ask for the logs and being as more as proactive as you can
- take yourself some time to investigate the problem and then go for a walk to reduce stress.
A lot of time, commercial and expensive tools, are so badly designed that even in 2013 during vulnerability assessment fingerprint phase they crash because they cannot handle unexpected conditions.
Let’s say a server is listening to port 5555 accepting commands on HTTP. If a tool, fingerprint it using SMTP just for sake of detecting a mail server, your expensive money tool must gracefully fail on unexpected conditions.
If your expensive software crashed when taking care about unexpected input values, it’s that software problem not the vulnerability assessment tests. Period.
However a lot of clueless salesmen (but also self-called technical people) simply don’t want to be bothered in troubleshooting details. The easiest solution is stopping the offending test rather than finding the bad piece of code and fixing it, isn’t it?!?
Off by one
Be prepared. You will find a lot of badly written software and often people will say it’s your fault.
Keep calm, and be prepared.