It doesn’t matter if the application is “behind the firewall”. It doesn’t matter if it uses SSL for encryption. And it doesn’t matter if all the software in use is patched with the latest hotfixes or service packs. The problems are at the application level and they’re still there regardless of how hardened the environment is.
I bring this up because it’s so easy for business managers to Web-enable anything and everything to woo their clients and customers. I’m seeing these types of Web vulnerabilities more and more. Business apps are cropping up on the Internet at a growing rate – especially in the legal field. A lot of them are not being tested for security vulnerabilities in the slightest way. OK, some are being scanned with whatever freeware security scanner the network admin is familiar with, but that’s not enough – not even close! Commercial OS and Web application scanners – and, more importantly, manual testing – are required to really figure out how Web portals such as this can be exploited.
There are so many complexities and variables in Web applications, which, again, is one of the reasons I love testing software (see my related post on this). If you’ve got a law firm extranet or some other type of Web portal housing information you can’t afford to have compromised, you’ve got to look at the environment from a malicious attacker’s perspective. Test and test again – now and for as long as the system is publicly accessible. The Web application flaws will eventually be found by someone – it might as well be you!
“A business associate referred our company to Principle Logic when we were seeking a resource to perform vulnerability/penetration testing for our external and internal networks. We found Kevin Beaver to be professional, well informed, and easy to work with. His testing did not disrupt our networks, and his progress updates were timely.
His final report was very thorough and included security recommendations for our network environment. The executive leadership was so impressed with Kevin’s security expertise, they have extended their agreement to continue to perform periodic testing. We highly recommend Kevin Beaver and Principle Logic as a resource for network security testing.”