iBeta Security Services

Website security is a critical issue for any company, whether they are creating a new website or maintaining an existing one. For many companies, the information stored is connected to sensitive customer information. New methods of attack are continuously being developed, making security threats a constant concern. All it takes is one look at the news to see that regular attacks often cause a huge loss of personal information and money.

iBeta Quality Assurance offers a variety of security services in order to deal with these ongoing security challenges. iBeta can identify vulnerabilities and make recommendations to clients in order to improve their security levels. Our security division is led by a Senior Test Engineer with many years of experience in complex software testing and analysis. He is a Certified Information System Security Professional (CISSP) as administered by (ISC)² which established ANSI/ISO/IEC Standard 17024 – a global benchmark for personnel certification.

Our CISSP has developed a simple yet very effective process by which we analyze our clients’ security concerns. This process enables us to create an action plan to address these concerns. This usually means that we conduct scans with one or more tools in order to provide a report of vulnerabilities and expert analysis. Such reporting consists of an analysis of the output of the test results with regard to the code-base used and the back-end services employed, such as AJAX, SOAP, SQL, AD/LDAP Authentication, and even Flash/Director. The report also includes information regarding network layer security, such as port vulnerabilities, URL exploits, etc.

iBeta uses several vulnerability testing tools in order to assess the security of several network layers.

iBeta scans your routers and firewalls to assess their effectiveness in blocking ports and to determine what vulnerabilities are present in the protocols allowed on those ports at the internet and transport level.

  • iBeta reports the CVSS (Common Vulnerability Scoring System) score of the vulnerability. The score is a weighted assessment of the impact and accessibility of the vulnerability.

iBeta scans your web applications to assess vulnerabilities at the application level, including the OWASP Top Ten.

  • iBeta reports a four-level score for each vulnerability, reflecting the exposure of your website and backend databases to it.
  • In general, the OWASP Top Ten vulnerabilities are reported as high.

iBeta will also manually intercept and view traffic to flag vulnerable situations that may not be reported by the automated tools.

  • iBeta makes recommendations based on our manual scan of the site and recommends that these vulnerabilities be fixed or that you consider fixing them based on your own assessment of the risk.

At the web application level, iBeta recommends using all three prongs to assess the security of your websites. Cross-site scripting and SQL injection are not observed by internet and transport level scanning. Protocol vulnerabilities such as weak passwords or unpatched or out-of-date protocol exposures are not always observed at the application level. Likewise, vulnerabilities associated with login and appropriate use of SSL/TLS may not be observed by an automated tool and require manual methods.

Security Tools Used By iBeta

Acunetix:

  • Acunetix WVS checks for all web vulnerabilities including SQL injection, cross-site scripting and many others. SQL injection is a hacking technique that modifies SQL queries in order to gain access to data in the database. Cross-site scripting attacks allow a hacker to execute a malicious script in your visitor’s browser.
  • Detection of these vulnerabilities requires a sophisticated detection engine. Paramount to web vulnerability scanning is not the number of attacks that a scanner can detect, but the complexity and thoroughness with which the scanner launches SQL injection, cross-site scripting and other attacks.
  • Acunetix has a state of the art vulnerability detection engine that uses AcuSensor Technology. This is a unique security technology that quickly finds vulnerabilities with a low number of false positives, indicates where the vulnerability is in the code and reports debug information. It also locates CRLF injection, Code execution, Directory Traversal, File inclusion, Authentication vulnerabilities and others.

Nessus:

  • iBeta uses Tenable Nessus to perform network level security penetration testing. Nessus employs over 40,000 plugins to test for network level vulnerabilities. Typically, Tenable produces plugins for vulnerabilities within 24 hours of their public release. Such vulnerabilities include improperly configured ports, unpatched or outdated network level protocols, and insecure algorithms or keys.
  • iBeta produces an Executive Level summary and Detailed Report for any vulnerabilities discovered. Reports contain the CVSS or Common Vulnerability Scoring System score, which weights the availability of the vulnerability in space and time and its potential impact to provide a rough score for risk assessment. The detailed report also includes instructions or links to help your IT personnel correct any problems discovered.

* The Acunetix and Nessus scans often complement each other. iBeta believes that the best way to view the two tools is to use the Nessus scans to test for vulnerabilities from a website that might consist of entirely static content, meaning the website consists of a server that responds to web browser requests with files containing little or no active content. The Acunetix tool then tests for vulnerabilities in the active nature of a website or web application. Those types of websites accept user input and transform the user input into new content. By doing so, these sites are active and very often have interfaces to a database, other servers, etc. Acunetix tests these websites for vulnerabilities, such as the cross-site scripting family and SQL injection family of exploits.

Wireshark:

  • Wireshark is a network eavesdropping tool which iBeta uses in conjunction with Nessus and Acunetix scans to verify the IP address(es) for a scan.
  • iBeta uses the tool to analyze typical unit operations performed over a network to check for vulnerabilities such as session-hijacking or the transmission of content in an insecure manner.

About the Author: Evan Call oversees business development for iBeta Quality Assurance, an independent software testing lab located in Denver, Colorado. To contact Evan, e-mail him directly at ecall@ibeta.com. For more information visit www.ibeta.com