Managing WCMS vulnerabilities
The first step in securing a WCMS (web content management system) installation is knowing, at all times, what threats it is exposed to:
- What kinds of attacks can reach it over the internet?
- What kinds of security vulnerabilities does it carry (configuration, access control)?
- What kinds of software vulnerabilities exist in the packages it runs on?
- What effect would a given action or change have on the system?
- and so on...
Once you know what you are facing, you must design a set of controls that block or avoid these problems.
Ongoing effort
This is an ongoing job: after each change to your environment you must re-evaluate the security plan to cover the change. The hardest part is keeping up with the new vulnerabilities and exploits found every day in the software your application runs on (Apache, MySQL, PHP, the operating system, and Joomla itself). Each new one costs time and resources to test your system against and to fix.
Doing this also requires a solid security knowledge base and the time to stay current with published exploits, which is difficult to impossible for an individual. The alternative is to spend a lot of money on a third-party company dedicated to this. If your application is not big enough to justify that cost, you will end up missing some vulnerabilities and eventually having your system compromised.
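As an added example (not code from the original post or from either vendor discussed here), this is the kind of script you end up writing when you track the stack yourself, and the kind of scripting the comparison later refers to when it says the process has to be built from scratch: it matches an inventory of installed package versions against advisories by affected version range and reports what is exposed. The inventory, the advisory IDs (ADV-…), their version ranges and summaries are constructed for illustration and are not real advisories; a real run would take the versions from your servers and the ranges from the vendors' security bulletins.

```python
"""Match installed component versions against security advisories.

Added example: the inventory, advisory identifiers (ADV-...) and version
ranges below are constructed for illustration and are not real advisories.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # hypothetical identifier, not a real CVE or vendor ID
    component: str     # package name as it appears in the inventory
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive); "" = no fix yet
    summary: str


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.2.14' into (2, 2, 14).

    A non-numeric suffix such as in '5.3.2-rc1' keeps only the leading
    digits of that part, so a pre-release compares as its base version,
    which is good enough for matching advisory ranges.
    """
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly lower than b; '5.3' equals '5.3.0'."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return pa < pb


def is_affected(installed: str, adv: Advisory) -> bool:
    """installed lies in [introduced, fixed), or >= introduced when unfixed."""
    if version_lt(installed, adv.introduced):
        return False
    if adv.fixed and not version_lt(installed, adv.fixed):
        return False
    return True


def find_exposures(inventory: Dict[str, str],
                   advisories: List[Advisory]) -> List[Tuple[str, str, Advisory]]:
    """Return (component, installed version, advisory) for every match."""
    hits = []
    for component, installed in inventory.items():
        for adv in advisories:
            if adv.component == component and is_affected(installed, adv):
                hits.append((component, installed, adv))
    return hits


def report_lines(hits: List[Tuple[str, str, Advisory]]) -> List[str]:
    """One actionable line per exposure: upgrade target, or mitigation if unfixed."""
    lines = []
    for component, installed, adv in hits:
        if adv.fixed:
            action = f"upgrade to {adv.fixed} or later"
        else:
            action = "no fixed version yet: apply a mitigation and re-check"
        lines.append(f"{adv.advisory_id} {component} {installed}: {adv.summary}; {action}")
    return lines


# Constructed inventory: versions on a hypothetical Joomla host.
INVENTORY = {"apache": "2.2.14", "mysql": "5.1.41", "php": "5.3.2", "joomla": "1.5.15"}

# Constructed advisories with hypothetical IDs, ranges and summaries.
ADVISORIES = [
    Advisory("ADV-0001", "php", "5.3.0", "5.3.4", "example flaw in PHP 5.3.0 to 5.3.3"),
    Advisory("ADV-0002", "joomla", "1.5.0", "1.5.16", "example flaw in Joomla 1.5.x"),
    Advisory("ADV-0003", "apache", "2.2.0", "2.2.13", "example flaw fixed in 2.2.13"),
    Advisory("ADV-0004", "mysql", "5.1.0", "", "example flaw with no fix released"),
]

if __name__ == "__main__":
    for line in report_lines(find_exposures(INVENTORY, ADVISORIES)):
        print(line)
```

The "fixed" version is treated as exclusive and an empty one as "still open", so an unfixed advisory never silently drops out of the report; that distinction is what tells you whether the answer is an upgrade or a mitigation plus a re-check later.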
Suppose you do have the time and resources to keep up with the latest security bulletins: how do you let others know that your system is secure and trustworthy enough for them to process sensitive data on it?
A good way to address both problems is periodic audits by a provider that specializes in penetration testing and can issue a security certification you can show your clients. One such service is McAfee SECURE for websites. It gives you current, well-formatted and actionable reports of the vulnerabilities found in your system, documents each of them and offers some help in fixing them. This is a middle-of-the-road solution: it frees you from tracking every security bulletin yourself, but it does not fully solve the problem, since the fixing is still up to you; it gives you a starting point. McAfee SECURE is a commercial service and costs money, but the advantages it provides make the money well spent.
OWASP itself is not a product but an open community; among the projects it hosts is a free penetration testing script for Joomla sites, joomlascan.pl, which offers some of what the McAfee service does but has significant downsides compared to it. The script is run from a host machine to start scans against the environment you want tested.
Choosing our penetration testing provider
Some of the reasons we chose McAfee SECURE over the OWASP script are:
Ease of use
- McAfee scans are started from a user-friendly web interface
- the OWASP scan is a Perl script that must be installed on a host machine together with the Perl libraries it depends on, so starting a scan takes more work than with McAfee
Automation and reporting
- McAfee's web interface lets you schedule tests of a site in a matter of seconds and can deliver a report once each test is done
- with the OWASP script you would have to build that process yourself with scripting and dedicate a machine to run the scans from
No hardware/software required
- Using McAfee SECURE requires neither extra hardware nor installing new software
Vulnerability coverage
- McAfee covers a very large range of vulnerabilities across many types of environments
- the OWASP script is oriented to one particular environment (Joomla) and the vulnerabilities associated with it
Support
- One of the best things about McAfee SECURE is the support: documentation on the exploits and vulnerabilities found, plus tips on how to fix them, which saves a lot of time in finding a solution
The trustmark
- From a marketing point of view the McAfee trustmark means a lot, giving your clients more confidence in your web service. Bear in mind that the mark attests to the result of periodic external scans, not to the absence of vulnerabilities, so it complements the ongoing effort described above rather than replacing it
Conclusion
As you can see, using McAfee SECURE has its benefits and gives you some confidence in the security system you end up building. You can use open source software for the job if you are prepared to build a scanning system that gives you reliable data to work with and can dedicate hardware to it. The OWASP script is a fine piece of software, but it does not cover all our needs and is fairly difficult to set up initially.
We chose McAfee for the reasons above, and the next blog post will cover using the McAfee SECURE service to check and secure a Joomla installation.