Case Study

Security Assessment For E-Commerce Site

Background

An e‑commerce firm organizes its product data, distributors, and Original Equipment Manufacturer’s (OEM) information to provide an online searchable database. The goal is to provide efficient data access to both member distributors and member OEM’s

Challenges

Like all e‑commerce sites, this web application contained sensitive user and site data. Because of the nature of the data, the company was concerned about security and wanted to prevent a security breach. A security assessment was requested to determine site vulnerabilities on the live production environment.

Strategy

Implement a security assessment utilizing an industry standard automated security tool. This approach provides a rapid evaluation of site vulnerabilities that will guide remediation efforts on the production site.

Solution

  • RTTS used a market leading Web Application Vulnerability Scanner to scan the site for vulnerabilities
  • Approximately 3,800 pages were requested per scan and over 15,500 test attack variations were performed.
  • Types of attacks performed included SQL Injection, Cross Site Scripting, Infrastructure analysis, web server configuration, information leakage, authorization, authentication, and more.
  • 100% of the target pages were scanned in each run, while case data was sampled in each run.
  • The production site was still live during each run.

Scan throughput on the system was controlled using a number of mechanisms, including the number of crawl threads, and the recursive look limit. These parameters were adjusted for an overnight turn-around time.

During the initial scan, 26 critical, 5 high, and 17 medium vulnerabilities were discovered across a subset of pages (Figure 1). After an initial remediation cycle, 8 critical, 8 high, and 29 medium vulnerabilities remained. Scanning and remediation were continued until an acceptable vulnerability profile was obtained.

RTTS manually verified major vulnerability categories to avoid reporting false positives to the development team.

Vulnerabilities

Figure 1. Initial Vulnerability Profile

During the remediation cycles, the build vulnerability was monitored by severity and Open Web Application Security Project (OWASP) Threat Class as remediation efforts continued by the software development team.

Benefits

  • On web pages on the critical path, about 2/3 of critical and high severity vulnerabilities were eliminated during the initial cycles.
  • The use of an automated vulnerability scanning increased testing coverage and decreased testing time to accommodate an overnight turn-around time.
  • With RTTS executing scans on an as-needed basis and verifying results, the software development team was able to vet each build at the same high level of testing coverage. This allowed build quality to be compared between builds and the vulnerability trend was available to the whole team.
  • Automated vulnerability analysis supported rapid remediation efforts to specific sections of the web application.
  • Using a large sample size of attacks as well as in-depth crawling led to high-confidence-interval results.