is an important part of maintaining your overall security posture. As part of that process, web application vulnerability scanners play a crucial role in that they provide an efficient and effective method of exposing vulnerabilities and helping to keep your application online and secure.
role in the process of web application security, it’s easy to forget
that there are many other elements of security that also deserve your
important security elements that are often overlooked — both in terms of the
application itself as well as the infrastructure.
the foundation. As important as it is to eliminate web application vulnerabilities, efforts may be wasted in the event that your application resides on an insecure web server, or you’re running insecure software, as happened in the infamous Mossack Fonseca and Panama Papers leak.
server other than to point out a few of the obvious ways that you can harden
your security. However, as an example, if you’re running a popular open source
option like LAMP stack, there are some straightforward actions you can take
Make sure you are running the latest version of Apache
Disable any unused or unnecessary modules
Prevent the version number, operating system and installed modules from being displayed
Disable/Prevent directory browsing
Limit the total HTTP request size to reduce the probability of a DDoS attack
Enable Apache logging
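The following is an added example, not code from the original article: a small Python audit that reads an Apache config fragment and reports which of the checklist items above (hidden version information, directory browsing, request-size limit, logging) it fails. The two config fragments are constructed samples, and the directive values used for the "hardened" version are assumptions chosen for illustration rather than recommendations from the article.

```python
import re

# Constructed sample (not a real server's config): a weak httpd.conf fragment.
WEAK_CONF = """\
ServerTokens Full
ServerSignature On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
"""

# Constructed sample: the same fragment with the checklist items applied.
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
</Directory>
LimitRequestBody 10485760
ErrorLog "logs/error_log"
CustomLog "logs/access_log" combined
"""


def _values(conf, directive):
    """Values of every uncommented line that starts with `directive` (case-insensitive)."""
    pat = re.compile(r"^[ \t]*%s[ \t]+(.+?)[ \t]*$" % re.escape(directive), re.M | re.I)
    return [m.group(1) for m in pat.finditer(conf)]


def audit_apache_config(conf):
    """Return the checklist items that `conf` fails (empty list means all checks pass)."""
    findings = []
    if [v.lower() for v in _values(conf, "ServerTokens")] != ["prod"]:
        findings.append("ServerTokens Prod missing: version/OS/modules are disclosed")
    if [v.lower() for v in _values(conf, "ServerSignature")] != ["off"]:
        findings.append("ServerSignature Off missing: version shown on error pages")
    for opts in _values(conf, "Options"):
        if any(t.lower() in ("indexes", "+indexes", "all") for t in opts.split()):
            findings.append("Options enables Indexes: directory browsing allowed")
            break
    limits = _values(conf, "LimitRequestBody")
    if not limits or limits[-1] == "0":  # absent or 0 means an unlimited request body
        findings.append("LimitRequestBody unset: request size is unlimited")
    if not (_values(conf, "ErrorLog") and _values(conf, "CustomLog")):
        findings.append("ErrorLog/CustomLog missing: logging not enabled")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_apache_config(conf) or "OK")
```

The "unused modules" item is deliberately not checked, since which modules are unnecessary depends on the application the server hosts.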
reduce your overall exposure including:
Eliminating remote access or, at the very least, restricting remote access to a limited number of IPs and users
Using a separate environment for development, testing and production. Amazon EC2 makes the process of setting up temporary testing and development environments relatively simple, which limits access to your
from your server admin or system engineer.
principle of least privilege (POLP). POLP states that each individual user should have their access limited to the minimal level required to complete their necessary tasks. The same rule applies to web applications — assign the minimal level of permissions required for normal functioning.
of different levels — including the server, database and software level. For example, if you are running WordPress, full administrator privileges are something that should be restricted to very few users. Even at the administrator level, there are certain functions that can be disabled in order to further harden security. Read the Principle of Least Privileges for WordPress for more specific information on POLP on WordPress.
it’s important to keep all of your software up to date. We can approach this
from two angles:
on the current version. This is an issue we see frequently on platforms like
running version 3.9 or older.
library is out of date but also which vulnerabilities are associated with your
up to date. If you are using a desktop based scanner, make sure you’re using a
version with the most recently updated vulnerability library — cloud-based
vulnerability scanners will be automatically updated.
the process of monitoring and logging user activity. Web application logs provide a multitude of benefits, the most important of which is the ability to help improve your web application security.
determining when an attack might be underway. Even though only a very small percentage of users are malicious, logging can help to identify those users and block them from taking any further action.
your web application might be vulnerable or for identifying potential misuse. If you are able to identify, track, record and alert administrators to suspicious activity, it is often possible to make changes to your application before an attack occurs or even halt a malicious user before it becomes a major
There are many moving parts that need to be managed concurrently. Unfortunately, the vast number of systems that require attention for even a basic web application often results in one aspect of security being overlooked.
the technical aspects of security — scanning for and patching web application vulnerabilities.
However, equally important is the ability to manage the most obvious elements that are often the source of our problems. This includes things such as web server security, limiting user privileges, properly maintaining software and being aware of how users are interacting with your application. Your web application security posture is only as strong as the weakest link.