Good, affordable server vulnerability and web application scanner

Forums › IT Pro and developers › Good, affordable server vulnerability and web application scanner

Getsited

28 posts

Geek
+1 received by user: 2

# 208880 3-Mar-2017 16:14

Hi all,

We run a wordpress site and custom PHP application on a linux server. Wordpress seems to be pretty flaky in the security department and I am worried our dev's might introduce a vulnerability in our custom application.

Has anyone had any experience with security scanning for servers and web applications? I'm looking for something good and affordable.

Regards,

Gareth

marpada

278 posts

Ultimate Geek
+1 received by user: 102

# 1729516 3-Mar-2017 16:42

http://www.openvas.org/

https://www.metasploit.com/

timmmay

14755 posts

Uber Geek
+1 received by user: 2746

Trusted

Subscriber

# 1729525 3-Mar-2017 17:14

Your best bet is probably to run a WAF, which will prevent common exploits reaching your server - SQL injection, XSS, the OWASP top ten and more. AWS WAF, CloudFlare Pro Business, RedShield (NZ, expensive but good), Incapsula. Static scans are probably not worth the effort.

Wordpress security is quite good. It runs 10% of the internet, or more, and reports of widespread hacks are rare.

timmmay

14755 posts

Uber Geek
+1 received by user: 2746

Trusted

Subscriber

# 1729526 3-Mar-2017 17:20

Also, it sounds like you need to look at a few more things:

Your process around code and security reviews (which might be what you were really asking about)
Automated penetration testing
Deployment architecture - DMZ with a reverse proxy might be prudent
IDS / IPS systems. Trend Micro has one. On AWS you can buy services like this by the hour. Some route your traffic through them, some use an agent on your server.

Look on youtube for "re:invent security", it will tell you some of the things AWS does for security. They're typically best practice.

mattwnz

14823 posts

Uber Geek
+1 received by user: 2008

# 1729528 3-Mar-2017 17:32

Any CMS is potentially vulnerable to hacking, and I don't think Wordpress is any worse. It is just that that wordpress powers so much of the internet, so hackers can concentrate on trying to find holes in it. It is similar to windows vs Mac OS, hackers tend to target windows due to the numbers.

sclazarus

6 posts

Wannabe Geek
+1 received by user: 1

# 1735575 13-Mar-2017 10:26

I don't know if you're still looking, but the company that I work for hosts peer reviews of software and you can find a list of popular security software, along with reviews from people that have used them. I don't know much about it, but HP Fortify on Demand seems to be a popular choice (it's ranked at the top of the list) so you can take a look at that if you want (https://goo.gl/7f5K1L).

I hope this helps.

freitasm

BDFL - Memuneh
63333 posts

Uber Geek
+1 received by user: 13858

Administrator

Trusted

Geekzone

Lifetime subscriber

# 1735648 13-Mar-2017 11:41

I have been looking at TinfoilSecurity for scanning lately.

Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff) |

My technology disclosure | Business Transformation | Enterprise Content Management | Customer Relationship Management | Sharesies investment fund

Getsited

28 posts

Geek
+1 received by user: 2

# 1736429 14-Mar-2017 17:39

Thanks for the suggestions !

I've turned on ModSecurity with a comodo rule feed (its free!) and also started using a WAF with sucuri.net. Sucuri also do the scanning thing.

Thing is the WAF you have to load your SSL cert in - private key and CRT. So if they get compromised you will be truly screwed. Apart from that it looks good.

The problem with Wordpress is the plugins. There is no checking to make sure the code is up to scratch.

freitasm

BDFL - Memuneh
63333 posts

Uber Geek
+1 received by user: 13858

Administrator

Trusted

Geekzone

Lifetime subscriber

# 1736431 14-Mar-2017 17:45

So why not Cloudflare?

Backblaze cloud backup (personal and business) | Geekzone broadband switch | Amazon (Geekzone aff) | MightyApe (Geekzone aff) |

My technology disclosure | Business Transformation | Enterprise Content Management | Customer Relationship Management | Sharesies investment fund

timmmay

14755 posts

Uber Geek
+1 received by user: 2746

Trusted

Subscriber

# 1736435 14-Mar-2017 17:51

freitasm:

I have been looking at TinfoilSecurity for scanning lately.

Tinfoil is pretty awesome. I found a bug and emailed them, they came back to me pretty quickly. I've emailed a couple more suggestions. I've found it super useful.

Getsited

28 posts

Geek
+1 received by user: 2

# 1749226 28-Mar-2017 10:23

freitasm: So why not Cloudflare?

I found this report which shows modsecurity is the best - https://perezbox.com/2013/03/protect-your-website-vulnerabilities-with-a-waf-new-compairson-report-cloudflare-vs-incapsula-vs-modsecurity/. It's quite old but doesn't seem to be too much info out there to make decisions with.

I'm using Comodo's rule set and modsecurity is free. Comodo got a mention here - http://www.newsweek.com/best-antivirus-protect-cia-spies-hackers-computer-security-565710 - anything that annoys the CIA must be good.

I've got a server admin guy running his own penetration testing to give it the once over.

Ongoingly I will need to find a good automated scanner to make sure everythings working as it should.

timmmay

14755 posts

Uber Geek
+1 received by user: 2746

Trusted

Subscriber

# 1749303 28-Mar-2017 11:31

Getsited:

freitasm: So why not Cloudflare?

Ongoingly I will need to find a good automated scanner to make sure everythings working as it should.

Tinfoil security above would qualify. If you want free there are open source tools, but they take more effort.