Saturday 25 August 2012

Acunetix Vulnerability Scanner for Website Safety

By Kate Bailey


I have found that several website owners and hosting companies are either misinformed or a little confused about the differences between PCI scanning, vulnerability scanning and a penetration test. Because the Payment Card Industry Data Security Standard (PCI DSS) requires regular external vulnerability scans of in-scope websites, it is important that those responsible for PCI compliance understand the differences. An Acunetix Vulnerability Scanner will help with the scanning part.

All security validation must be carried out in server-side code, not in client-side checks such as JavaScript, because any user can bypass those by disabling JavaScript in the browser or by sending the request directly with a tool. Numeric input such as an age, telephone number or credit/debit card number should be passed through a purpose-built function that confirms the value consists only of digits (and, where the format allows, spaces) and is of a sensible length and range. Similar functions should exist for other data types such as dates, integers and floats. For some fields, such as small integers or dates, a drop-down selection box is a convenient input method, but it is not a substitute for validation: the browser only suggests the options, and the value that arrives at the server is still text the user controls, so the server must check it against the list of options it generated.
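The following Python module is an added example of the server-side validators described above; it is not code from the article or from Acunetix, and every function and constant in it (parse_int, parse_card_number, validate_form, ALLOWED_COUNTRIES and the sample forms) is hypothetical. It goes slightly beyond the paragraph: it adds a Luhn check for card numbers, re-checks a drop-down value against the server's own option list, and shows why a digit check must use `[0-9]` rather than `\d` in Python.

```python
"""Server-side validation of untrusted form fields (added example, hypothetical helpers).

Each helper takes the raw string exactly as it arrived in the HTTP request:
whether the field was a text box or a drop-down makes no difference to what an
attacker can submit.
"""
import re
from datetime import date
from decimal import Decimal
from typing import Optional

# [0-9] rather than \d: in Python 3 str patterns \d also matches Unicode digits
# such as Arabic-Indic numerals, and int() converts those without complaint.
INT_RE = re.compile(r"[0-9]{1,10}")
MONEY_RE = re.compile(r"[0-9]{1,10}(\.[0-9]{1,2})?")
DATE_RE = re.compile(r"([0-9]{4})-([0-9]{2})-([0-9]{2})")
CARD_RE = re.compile(r"[0-9 ]{12,23}")

# The options the server rendered into the drop-down: the only acceptable values.
ALLOWED_COUNTRIES = frozenset({"GB", "US", "DE"})


def parse_int(value, lo: int, hi: int) -> Optional[int]:
    """Plain ASCII digits only, then a range check. Rejects ' 34', '1_0' and Unicode digits."""
    if not isinstance(value, str) or not INT_RE.fullmatch(value):
        return None
    n = int(value)
    return n if lo <= n <= hi else None


def parse_money(value) -> Optional[Decimal]:
    """Amounts: digits with at most two decimals, kept as Decimal rather than float."""
    if not isinstance(value, str) or not MONEY_RE.fullmatch(value):
        return None
    return Decimal(value)


def parse_iso_date(value) -> Optional[date]:
    """YYYY-MM-DD; the date() constructor rejects impossible days such as 1989-02-29."""
    m = DATE_RE.fullmatch(value) if isinstance(value, str) else None
    if not m:
        return None
    try:
        return date(int(m[1]), int(m[2]), int(m[3]))
    except ValueError:
        return None


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (catches typos, not fraud)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def parse_card_number(value) -> Optional[str]:
    """Digits with optional spaces; returns the bare PAN if length and Luhn check pass."""
    if not isinstance(value, str) or not CARD_RE.fullmatch(value):
        return None
    digits = value.replace(" ", "")
    if not 12 <= len(digits) <= 19 or not luhn_ok(digits):
        return None
    return digits


def parse_choice(value, allowed: frozenset) -> Optional[str]:
    """Drop-down fields still arrive as attacker-controlled text: re-check the allow list."""
    return value if isinstance(value, str) and value in allowed else None


def validate_form(form: dict) -> dict:
    """Validate a decoded form. Returns {'ok': bool, 'errors': [field, ...], 'values': {...}}."""
    parsed = {
        "age": parse_int(form.get("age"), 18, 120),
        "amount": parse_money(form.get("amount")),
        "dob": parse_iso_date(form.get("dob")),
        "card": parse_card_number(form.get("card")),
        "country": parse_choice(form.get("country"), ALLOWED_COUNTRIES),
    }
    errors = [field for field, v in parsed.items() if v is None]
    return {"ok": not errors, "errors": errors, "values": parsed}


# Constructed sample submission, as the server sees it after form decoding.
SAMPLE_FORM = {
    "age": "34",
    "amount": "12.50",
    "dob": "1988-02-29",            # 1988 is a leap year, so this is a real date
    "card": "4111 1111 1111 1111",  # well-known test PAN, passes Luhn
    "country": "GB",
}

# The same form after the user edits the request: drop-down bypassed, and the
# age replaced by Arabic-Indic numerals that int() alone would accept as 34.
TAMPERED_FORM = {**SAMPLE_FORM, "country": "GB'--", "age": "\u0663\u0664"}

if __name__ == "__main__":
    print(validate_form(SAMPLE_FORM))
    print(validate_form(TAMPERED_FORM))
```

The allow-list check in parse_choice is the part most often skipped: if the drop-down was rendered from a database table, compare the submitted value against that same table (or the cached option list), not against a regex that merely looks plausible.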

A PCI scan is a vulnerability scan whose report lists not only the potential ways an attacker could gain access to the website, but also the steps needed to repair or remove each vulnerability. A penetration test is often conducted after the vulnerability scan: it attempts to exploit one or more of the identified vulnerabilities to verify whether they are actually exploitable, and it can also uncover problems, such as flaws in business logic, that an automated scanner does not detect. A scan that reports no issues is therefore good evidence, not proof, that the site is secure; PCI DSS requires periodic penetration testing in addition to the scans, regardless of the scan results.

Changing Trends in What Motivates Hackers

According to Zone-H, the top 50 attackers defaced a total of approximately 2.5 million websites all over the globe. According to the CSI/FBI Computer Crime and Security Survey 2005, one of the most dramatic findings was the sharp increase in website defacement experienced by their respondents: in 2004, 5% of the respondents reported defacement, while in 2005 that figure went up to 95%.

One line of defense is the restriction of error messages. Detailed error messages (database errors, stack traces, file paths) are normally returned as part of the HTML response, where an attacker reads them as a map of the application's internals. The details of every error should instead be logged to a database or file on the server, and the user shown a dynamically generated, generic error page, ideally carrying a reference ID so that support staff can find the logged entry. Proper website security matters when you run your own business online, and using a vulnerability scanner is a smart way to check for problems such as these. Don't forget to have your site scanned with an Acunetix Vulnerability Scanner.
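As an added example of the error-message restriction above (not code from the article or from Acunetix), the Python module below contrasts two hypothetical handlers for the same failing request: leaky_handler returns the raw traceback to the browser, while restricted_handler logs the full detail to a server-side log (an in-memory buffer stands in for the log file or database table) and sends the user only a generic page with a reference ID. The failing lookup_order call and its error text are constructed for the example.

```python
"""Restricting error messages: leaky vs. restricted handler (added example, hypothetical code)."""
import logging
import traceback
import uuid
from io import StringIO

# Constructed in-memory sink standing in for the server-side log file or table.
error_log = StringIO()
logger = logging.getLogger("app.errors")
logger.setLevel(logging.ERROR)
logger.propagate = False
_handler = logging.StreamHandler(error_log)
_handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
logger.addHandler(_handler)


def lookup_order(order_id: str) -> dict:
    """Hypothetical data-access call that fails with an internal error (constructed)."""
    raise RuntimeError(
        f"syntax error near '{order_id}' in SELECT * FROM orders WHERE id=... "
        "(file /var/www/app/db.py, line 42)"
    )


def leaky_handler(order_id: str) -> tuple:
    """The pattern the article warns against: the raw error goes straight into the HTML."""
    try:
        return 200, f"<p>Order {lookup_order(order_id)}</p>"
    except Exception:
        # Table names, query fragments and file paths are now visible to the client.
        return 500, "<pre>" + traceback.format_exc() + "</pre>"


def generic_error_page(ref: str) -> str:
    """Dynamically produced error page: says nothing about the cause, only the reference."""
    return ("<html><body><h1>Something went wrong</h1>"
            f"<p>Please try again later. Reference: {ref}</p></body></html>")


def restricted_handler(order_id: str) -> dict:
    """Log the full detail on the server, keyed by a reference ID; show the user only the ID."""
    try:
        return {"status": 200, "body": f"<p>Order {lookup_order(order_id)}</p>", "ref": None}
    except Exception:
        ref = uuid.uuid4().hex[:12]
        # Full traceback goes to the server-side log only. Do not dump the submitted
        # form values into this record: card numbers or passwords would end up in the log.
        logger.error("ref=%s path=/order\n%s", ref, traceback.format_exc())
        return {"status": 500, "body": generic_error_page(ref), "ref": ref}


if __name__ == "__main__":
    print(leaky_handler("42")[1])
    result = restricted_handler("42")
    print(result["body"])
    print("--- server-side log ---")
    print(error_log.getvalue())
```

In a real deployment the logger writes to a file or database that only administrators can read, and the same generic page is returned for every unhandled exception, including ones raised before the handler runs (the framework's own 500 handler should be configured the same way).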
