Web application testing methods start with Alpha

What is the first method used in evaluating a web application?

It starts with the Alpha test

How do you know the security level of your web application?

1. A certain amount of testing must be started – our Alpha testing builds a security profile.

2. The second level of testing is Sigma (Σ) testing, which actually attempts to break the application.

In real estate, the motto is Location, Location, Location.

But in Information Security it is Testing, Testing, Testing.


Security is doing all the little things – including testing

When one thinks about security, one should think about the little things that have to be done:

Patching systems and rebooting.

Patching all the applications.

Checking the access control lists for new apps and ports.

Ensuring the web apps are checked not just for bugs, but for insecurities.

And finally, testing – checking for open and incorrect configurations.
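The "new apps and ports" check above is easy to automate: take the list of listening sockets from the host and compare it with what the host is supposed to expose. The script below is an added example, not code from this post or the consultancy behind it. It parses `ss -ltnp`-style output (the sample rows and the baseline dictionary are constructed for the example, not from a real host) and reports ports nobody approved, approved ports owned by the wrong process, and approved services that have stopped listening.

```python
import re

# Constructed sample of `ss -ltnp` style output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       511     *:80                *:*                users:(("nginx",pid=1034,fd=6))
LISTEN  0       511     *:443               *:*                users:(("nginx",pid=1034,fd=7))
LISTEN  0       4096    0.0.0.0:8080        0.0.0.0:*          users:(("old-app",pid=2201,fd=5))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Hypothetical baseline for this host: port -> process that is supposed to own it.
BASELINE = {22: "sshd", 25: "postfix", 80: "nginx", 443: "nginx"}

# Pulls the process name out of users:(("sshd",pid=812,fd=3))
_PROC_RE = re.compile(r'\(\("([^"]+)"')


def parse_listeners(ss_output):
    """Return [(port, process)] for every LISTEN row of ss -ltnp style text."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or a non-listening socket
        # Local address column: "[::]:22" -> 22, "*:80" -> 80, "0.0.0.0:8080" -> 8080
        port = int(fields[3].rsplit(":", 1)[1])
        m = _PROC_RE.search(line)
        listeners.append((port, m.group(1) if m else "?"))
    return listeners


def compare_to_baseline(listeners, baseline):
    """Classify observed listeners against the baseline.

    unexpected_port: a port the baseline does not mention at all
    wrong_process:   an approved port owned by a process other than the approved one
    missing:         an approved service that is not listening any more
    """
    unexpected_port = sorted({(p, n) for p, n in listeners if p not in baseline})
    wrong_process = sorted({(p, n, baseline[p]) for p, n in listeners
                            if p in baseline and baseline[p] != n})
    missing = sorted(set(baseline) - {p for p, _ in listeners})
    return {"unexpected_port": unexpected_port,
            "wrong_process": wrong_process,
            "missing": missing}


if __name__ == "__main__":
    report = compare_to_baseline(parse_listeners(SAMPLE_SS_OUTPUT), BASELINE)
    for key, items in report.items():
        print(f"{key}: {items}")
```

On a Linux host the input would come from `ss -ltnp` run as root (the `-p` column is empty for other users' processes); the baseline is the part that needs maintaining, which is exactly the "little thing" the post is talking about.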

PHP CGI Query String Parameter Processing Remote Code Execution


With this vulnerability in PHP 5.3.12 and 5.4.x before 5.4.2, when PHP is configured as a CGI script (php-cgi), a query string which lacks an = sign is not handled properly, so a remote attack may be possible.

And the problem is that one will not know it is on the web server unless one checks for odd ports being open on the server.

After the PHP “bad code” runs, it will cause more code to be downloaded and opened on the now-infected machine.

http://www.qualys.com/research/sans-at-risk/2014/week-2/
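Besides watching for odd ports, the condition the post describes (a query string with no `=` sign reaching php-cgi) can be spotted directly in the web server's access log, because the CGI interface hands such a query to the script as command-line words. The script below is an added example written for this page, not code from the post or from Qualys. The log lines are constructed in combined log format (the IPs, timestamps and the `-x`/`-y`/`-z` words are placeholders, not real option names or real traffic); the rule it applies is: query present, no `=` in it, and at least one `+`-separated word that decodes to something starting with `-`.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed access-log lines in combined log format; not from a real server.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Jan/2014:10:12:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2014:10:12:07 +0000] "GET /index.php?-x HTTP/1.1" 200 4096 "-" "curl/7.35"
203.0.113.5 - - [10/Jan/2014:10:12:09 +0000] "POST /index.php?%2dy+%2dz HTTP/1.1" 200 80 "-" "curl/7.35"
198.51.100.9 - - [10/Jan/2014:10:13:00 +0000] "GET /search.php?q HTTP/1.1" 200 100 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jan/2014:10:13:05 +0000] "GET /static/app.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Enough of the combined log format to get client, time, request target and status.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def cgi_argv_from_query(query):
    """Words a CGI program receives as argv when the query string has no '='.

    The CGI interface only does this for a query with no unencoded '=' in it,
    splitting on '+' and URL-decoding each word. Returns [] for a normal
    key=value query or an empty query.
    """
    if not query or "=" in query:
        return []
    return [unquote(word) for word in query.split("+")]


def find_cgi_option_injection(log_text):
    """Flag requests whose '='-less query would reach php-cgi as an option."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore
        target = m.group("target")
        argv = cgi_argv_from_query(urlsplit(target).query)
        # A bare word such as "q" also becomes argv but is harmless; an
        # option-looking word ("-...") is what makes the request suspicious.
        if any(word.startswith("-") for word in argv):
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "target": target, "argv": argv,
                         "status": m.group("status")})
    return hits


if __name__ == "__main__":
    for hit in find_cgi_option_injection(SAMPLE_ACCESS_LOG):
        print(f'{hit["time"]} {hit["ip"]} {hit["target"]} -> argv {hit["argv"]} ({hit["status"]})')
```

The `=` test is done on the raw query and the `-` test on the decoded words, which is why the `%2d`-encoded request is still caught; a `200` status on such a hit is the line worth looking at first, since it means the server answered rather than rejected the request.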

Computers are managed by people – and thus mistakes get made.

We are all busy – the department is smaller, as we lost Jim when he retired, and John was let go in the last layoffs. But what happened? We soldiered on. We got new servers installed, retired old systems and taught the users a new program. It is as if Jim and John were still here.

But we missed a program left on one of the servers, which did not get patched. So now the program is vulnerable – and it is only a matter of time before a person interested in penetrating systems for fun or profit abuses the system in unknown ways.

Incompetence – no, unknown competence

How good are your sys admins?

Are your programmers developing secure websites?

Get your systems scanned – you don’t know what is going on. We can scan and review.

System admin goes to coffee shop

System admin Jim is sitting in a café getting his favorite cappuccino. While waiting for the drink to be prepared, he flips open his notebook computer and goes to his favorite websites – checking on sports and news.

Then, of course, he checks his email with Outlook on his desktop.

What he did not realize is that another person next door to the coffee shop has been listening in on the network sessions and capturing the network traffic. Since the Outlook mail session transmits the password in the clear (without encryption), the hacker was able to obtain the username and password of the system administrator at abc co.

The hacker can now log into the abc co server. After logging into the remote server, he was able to access more systems and plant software that will give him access to the company systems even after the sys admin changes his password.
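Whether a mail client hands its password to the network in the clear is something a defender can check on their own traffic rather than find out the way Jim did: capture a session on the mail ports and see whether the login command appears before a TLS upgrade (STLS for POP3, STARTTLS for IMAP and SMTP). The script below is an added example, not code from this post. It reads a constructed transcript (the `C:`/`S:` lines, the user "jim" and the password are made up for the example) and reports every credential command sent while the session was still readable, without echoing the password itself.

```python
import base64
import re

# Constructed transcripts (not real captures). "C:" = client, "S:" = server.
POP3_CLEARTEXT = """\
S: +OK POP3 server ready
C: USER jim
S: +OK
C: PASS hunter2
S: +OK Logged in.
C: STAT
S: +OK 3 4200
"""

IMAP_WITH_STARTTLS = """\
S: * OK IMAP4rev1 server ready
C: a1 STARTTLS
S: a1 OK Begin TLS negotiation now
"""

SMTP_CLEARTEXT_AUTH = """\
S: 220 mail.example.com ESMTP
C: EHLO laptop
S: 250-mail.example.com
S: 250 AUTH PLAIN LOGIN
C: AUTH PLAIN AGppbQBodW50ZXIy
S: 235 2.7.0 Authentication successful
"""

# Client commands that carry credentials, per protocol.
CRED_PATTERNS = {
    "pop3": re.compile(r"^(USER|PASS)\s", re.I),
    "imap": re.compile(r"^\S+\s+LOGIN\s", re.I),
    "smtp": re.compile(r"^AUTH\s+(PLAIN|LOGIN)\b", re.I),
}
TLS_UPGRADE = re.compile(r"^(\S+\s+)?(STLS|STARTTLS)\s*$", re.I)
SERVER_OK = re.compile(r"^(\S+\s+)?(\+OK|OK|220)\b")


def _detect_protocol(first_server_line):
    """Guess the protocol from the server greeting."""
    if first_server_line.startswith("+OK"):
        return "pop3"
    if first_server_line.startswith("* OK"):
        return "imap"
    if first_server_line.startswith("220"):
        return "smtp"
    return "unknown"


def _plain_auth_user(b64):
    """Recover only the username from an AUTH PLAIN blob (authzid\\0authcid\\0password)."""
    try:
        parts = base64.b64decode(b64, validate=True).split(b"\0")
    except ValueError:
        return None
    return parts[1].decode("utf-8", "replace") if len(parts) == 3 else None


def find_cleartext_logins(transcript):
    """List credential commands sent before the session was upgraded to TLS."""
    findings = []
    protocol = "unknown"
    tls_pending = False
    for lineno, raw in enumerate(transcript.splitlines(), 1):
        if raw[:2] not in ("C:", "S:"):
            continue
        who, text = raw[0], raw[2:].strip()
        if who == "S":
            if protocol == "unknown":
                protocol = _detect_protocol(text)
            if tls_pending and SERVER_OK.match(text):
                break  # TLS handshake follows; nothing after this is readable
            tls_pending = False
            continue
        if TLS_UPGRADE.match(text):
            tls_pending = True
            continue
        pattern = CRED_PATTERNS.get(protocol)
        if pattern is None or not pattern.match(text):
            continue
        words = text.split()
        if protocol == "pop3":
            cmd = words[0].upper()
            user = words[1] if cmd == "USER" and len(words) > 1 else None
        elif protocol == "imap":
            cmd = "LOGIN"
            user = words[2] if len(words) > 2 else None
        else:
            cmd = "AUTH " + words[1].upper()
            user = (_plain_auth_user(words[2])
                    if words[1].upper() == "PLAIN" and len(words) > 2 else None)
        # Password is deliberately not recorded: the finding is that it was exposed.
        findings.append({"protocol": protocol, "line": lineno, "command": cmd, "user": user})
    return findings


if __name__ == "__main__":
    for name, t in [("pop3", POP3_CLEARTEXT), ("imap", IMAP_WITH_STARTTLS), ("smtp", SMTP_CLEARTEXT_AUTH)]:
        print(name, find_cleartext_logins(t))
```

The IMAP transcript produces no finding because the client asked for STARTTLS before logging in, which is the configuration to insist on; a finding on ports 110, 143 or 25 without a preceding STLS/STARTTLS is exactly the exposure in the story above.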

We can check your systems for unknown software very easily and let you know what is going on.