Security Assessment for E-Commerce Site
Web Application Vulnerability Analysis
by RTTS

E-Commerce
An e-commerce firm organizes its product data, distributors, and Original Equipment Manufacturer (OEM) information to provide an online searchable database. The goal is to provide efficient data access to both member distributors and member OEMs.
Like all e-commerce sites, this web application contained sensitive user and site data. Because of the nature of the data, the company was concerned about security and wanted to prevent a security breach. A security assessment was requested to determine site vulnerabilities on the live production environment.
Implement a security assessment utilizing an industry-standard automated security tool. This approach provides a rapid evaluation of site vulnerabilities that will guide remediation efforts on the production site.
- RTTS used a market-leading Web Application Vulnerability Scanner to scan the site for vulnerabilities.
- Approximately 3,800 pages were requested per scan and over 15,500 test attack variations were performed.
- Types of attacks performed included SQL Injection, Cross-Site Scripting, infrastructure analysis, web server configuration, information leakage, authorization, authentication, and more.
- 100% of the target pages were scanned in each run, while case data was sampled in each run.
- The production site was still live during each run.
Scan throughput on the system was controlled using a number of mechanisms, including the number of crawl threads and the recursive look limit. These parameters were adjusted for an overnight turn-around time.
During the initial scan, 26 critical, 5 high, and 17 medium vulnerabilities were discovered across a subset of pages (Figure 1). After an initial remediation cycle, 8 critical, 8 high, and 29 medium vulnerabilities remained. Scanning and remediation were continued until an acceptable vulnerability profile was obtained. RTTS manually verified major vulnerability categories to avoid reporting false positives to the development team.

Figure 1. Initial Vulnerability Profile
During the remediation cycles, the vulnerability profile of each build was monitored by severity and by Open Web Application Security Project (OWASP) Threat Class as the software development team continued its remediation efforts.
- On web pages on the critical path, about 2/3 of critical and high severity vulnerabilities were eliminated during the initial cycles.
- The use of automated vulnerability scanning increased testing coverage and decreased testing time to accommodate an overnight turn-around time.
- With RTTS executing scans on an as-needed basis and verifying results, the software development team was able to vet each build at the same high level of testing coverage. This allowed build quality to be compared between builds, and the vulnerability trend was available to the whole team.
- Automated vulnerability analysis supported rapid remediation efforts to specific sections of the web application.
- Using a large sample size of attacks as well as in-depth crawling led to high-confidence-interval results.
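As an added example that is not part of the RTTS case study, the Python module below shows the build-to-build bookkeeping described in the remediation-cycle paragraph and the "vet each build" result above: findings are matched across scans by a page/class/parameter fingerprint so remediated, new and persisting items can be reported per build, and counts are broken down by severity and OWASP class, with an option to report only manually verified findings. The Finding fields and the sample records are constructed assumptions, not the scanner's own output format.

```python
"""Track scanner findings across builds by fingerprint and profile them by
severity and OWASP class. Added example, not RTTS's tooling; the records
below are constructed samples and the field names are assumptions."""
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    url: str
    owasp_class: str        # e.g. "Injection", "XSS"
    severity: str           # "critical", "high" or "medium"
    parameter: str = ""     # injected parameter, empty for page-level findings
    verified: bool = False  # True once a tester has manually confirmed it

    def fingerprint(self):
        # Same page, class and parameter across builds => same finding,
        # even if the scanner's own finding IDs differ between runs.
        return (self.url, self.owasp_class, self.parameter)

def diff_builds(previous, current):
    """Split the current build's findings into (remediated, new, persisting)."""
    prev = {f.fingerprint(): f for f in previous}
    cur = {f.fingerprint(): f for f in current}
    remediated = [prev[k] for k in prev.keys() - cur.keys()]
    new = [cur[k] for k in cur.keys() - prev.keys()]
    persisting = [cur[k] for k in cur.keys() & prev.keys()]
    return remediated, new, persisting

def profile(findings, verified_only=False):
    """Counts by severity and OWASP class. With verified_only, unconfirmed
    scanner output (possible false positives) is left out of the report."""
    rows = [f for f in findings if f.verified or not verified_only]
    return Counter(f.severity for f in rows), Counter(f.owasp_class for f in rows)

# Constructed sample scans of two consecutive builds.
BUILD_1 = [
    Finding("/search", "Injection", "critical", "q", True),
    Finding("/login", "Injection", "critical", "user", True),
    Finding("/product", "XSS", "high", "id", True),
    Finding("/admin/", "Information Leakage", "medium"),
]
BUILD_2 = [
    Finding("/login", "Injection", "critical", "user", True),  # still open
    Finding("/product", "XSS", "high", "id"),                   # awaiting re-verification
    Finding("/admin/", "Information Leakage", "medium"),
    Finding("/cart", "XSS", "high", "item", True),              # new in this build
]
```

Calling diff_builds(BUILD_1, BUILD_2) reports one remediated, one new and three persisting findings, and profile(BUILD_2, verified_only=True) drops the two unconfirmed entries from the severity and class counts.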