Hack Your Website First Before Hackers Do. Beat Them at Their Game
~
lundi 11 juillet 2016
Libellés :
Editorial
,
EH Security
In recent years, website and web application release cycles have become increasingly short. Initially, these short release cycles were a result of companies attempting to remain competitive — offering more feature-rich applications and responding to consumers demands more quickly.
As a result, end-users have largely been conditioned to expect a continual flow of updates and new releases — companies have gone so far as to publish software development roadmaps so their customers can be kept apprised of what to expect in the immediate and near-term releases.
While short release cycles and frequent updates are often seen as a positive, there is also a dark side that needs to be considered. One of the first causalities in the “race to release” is web application security. In an attempt to launch websites and ship web applications as efficiently as possible, security has become an afterthought.
Despite the risks associated with a potential security breach (something we covered in this post), web application security often takes a backseat to revenue, profit and customer satisfaction. Given that a 100% secure web application is an impossibility, that might seem like a reasonable approach. After all, security is rarely considered an issue until it’s too late.
One potential solution to this problem is to spend time looking at your website or web application from the perspective of a hacker — in essence, figure out how to hack your website before someone else does.
The Hacker’s Mentality: Why And How?
There is a saying (concept) that floats around web application security circles called “Hack Your Website First”. The idea behind this saying is one which promotes a more proactive approach to security. As we mentioned in the opening paragraphs, web application security is often an afterthought — that is, until an application is hacked. Of course, by then it’s usually too late. The damage has been done.
“Hack your website first” seeks to develop the mindset in which developers and security professionals actively seek out potential vulnerabilities in web applications the same ways that a hacker would. It’s an approach that makes a lot of sense — if you can learn to think like the enemy, you stand a much greater chance of defeating them.
Ask yourself: How would your overall security posture improve if you were to take a day or two away from the development process and look for ways to hack your website or web application?
Think Like a Hacker
Often, two of the most significant obstacles when it comes to managing web application security is understanding:
1. Which are the primary vulnerabilities that hackers are looking to exploit?
2. What tools and techniques are they using to not only find but exploit those vulnerabilities?
Understanding which vulnerabilities are most commonly exploited is the first step in learning to think like a hacker. The most commonly exploited vulnerabilities are those of the technical variety. For example, cross-site scripting (XSS), SQL Injection and command injection.
Obviously, logical vulnerabilities should also be an important consideration. But in reality, they are often less susceptible to attack simply because they are more time intensive to exploit and require a greater level of expertise.
If you are someone who finds analogies to be useful, look at securing technical vulnerabilities as the equivalent of locking all the doors and windows on the ground floor of your house before going to bed. Logical vulnerabilities, on the other hand, are more in line with a burglar setting up a step-ladder, climbing on the roof of your home and looking for an open skylight. It’s possible but less likely to happen. You can read the differences between technical and logical web applicationvulnerabilities for more detailed information.
Act Like a Hacker
Hackers are people too. That means that they have all the traits and tendencies of developers and programmers. If there is an easier or more proficient way of completing a task, they’ll take advantage of it.
While you may be inclined to think that hackers spend hours on end searching for vulnerabilities but they’re smarter than that. More often than not, hackers are using automated tools and scripts to find and exploit vulnerabilities. Tools like sqlmap, sqlninja, Canvas, BruteXSS and Core Impact are often used in the process of identifying and exploiting vulnerabilities. These tools reduce the amount of time and effort that hackers need to expend and vastly increase their reach.
If you think that your web application is unlikely to be a target of hacking, think again. The target itself is rarely relevant. Hackers are looking for access to your server resources and bandwidth. If you pay for it, hackers are happy to take it from you.
If you’re going to put forth an honest attempt to hack your websites or web applications, you’ll need to employ tools and techniques that are similar to the hackers. Using an automated web scanner is one of the best (and easiest) ways to scan one or even hundreds of websites and web applications.
Using the right tools also means that once a vulnerability is identified, the process of remediation should be largely automated. Flagging the vulnerability, assigning it to a developer for patching, re-testing and reporting can all be automated by a capable web application vulnerability scanner.
Know Thy Enemy (Hackers)
In The Art of War, Sun Tzu stated that “If you know the enemy and know yourself, you need not fear the result of a hundred battles”.
By learning to hack your website or web application first, you'll develop an intimate knowledge of the tools, vulnerabilities and exploits that are often used by hackers.
Staying ahead of hackers and eliminating all web vulnerabilitiesbefore they can be exploited can prove to be a challenging task. To a large extent, one of the most effective ways of reducing potential attack vectors is by being proactive - Think and act like a hacker to beat them at their own game.
Articles
0 commentaires :
Enregistrer un commentaire