Q2 report by IBM X-Force: 23% of websites vulnerable.

CSRF, or Cross-Site Request Forgery, is the most likely method of attack.

Broken Authentication is second.

And cross-site scripting (XSS) is third.

SQL Injection as well as security misconfigurations each also account for more than 10% of the vulnerability types.

(Image: OWASP vs IBM)

The IBM report on the X-Force blog recounts the challenges a web application scanner faces in deciding when and what to scan.

One has to be careful about how production systems are scanned. If it is not done well, a vulnerability may go undetected, or the production system may suffer ill effects.

We are aware of this in our product offerings.

Scan Solutions at Oversitesentry


Pentesting – what is it actually?

Penetration testing consists of several activities carried out on various computers and systems.

First, in “recon”, one checks the public profile of the company.

Use scan tools such as nmap, hping, scapy, Burp Suite and others to check out the target computers. (This is the Alpha scan.)

Then one can use a few pre-built tools to review vulnerabilities, such as Nessus, Maltego, Metasploit or Armitage (a good GUI for Metasploit); OWASP tools and Tshark/Wireshark are also good for reviewing what is going on in the network. (Sigma scan)

Each tool can be used to further your knowledge of the network, or to find out more about how to investigate or exploit the systems.

Little by little, a dossier is built up as more and more information is compiled.

Then at some point the pentester may also use some social engineering. (custom scan – Omega scan)

Here is where the custom portion of a pentest occurs.

Incidentally, the pentest process “almost” mirrors the hackers' methods.