# 208880 3-Mar-2017 16:14
Hi all,

We run a WordPress site and a custom PHP application on a Linux server. WordPress seems to be pretty flaky in the security department and I am worried our devs might introduce a vulnerability in our custom application.

Has anyone had any experience with security scanning for servers and web applications? I'm looking for something good and affordable.

Regards,

Gareth


  # 1729516 3-Mar-2017 16:42
http://www.openvas.org/

https://www.metasploit.com/


  # 1729525 3-Mar-2017 17:14
Your best bet is probably to run a WAF, which will prevent common exploits reaching your server - SQL injection, XSS, the OWASP top ten and more. AWS WAF, CloudFlare Pro Business, RedShield (NZ, expensive but good), Incapsula. Static scans are probably not worth the effort.

WordPress security is quite good. It runs 10% of the internet, or more, and reports of widespread hacks are rare.

  # 1729526 3-Mar-2017 17:20
Also, it sounds like you need to look at a few more things:

  • Your process around code and security reviews (which might be what you were really asking about)
  • Automated penetration testing
  • Deployment architecture - a DMZ with a reverse proxy might be prudent
  • IDS / IPS systems. Trend Micro has one. On AWS you can buy services like this by the hour. Some route your traffic through them, some use an agent on your server.

Look on YouTube for "re:invent security"; it will tell you some of the things AWS does for security. They're typically best practice.


  # 1729528 3-Mar-2017 17:32
Any CMS is potentially vulnerable to hacking, and I don't think WordPress is any worse. It is just that WordPress powers so much of the internet, so hackers can concentrate on trying to find holes in it. It is similar to Windows vs Mac OS: hackers tend to target Windows due to the numbers.


  # 1735575 13-Mar-2017 10:26
I don't know if you're still looking, but the company that I work for hosts peer reviews of software and you can find a list of popular security software, along with reviews from people that have used them. I don't know much about it, but HP Fortify on Demand seems to be a popular choice (it's ranked at the top of the list) so you can take a look at that if you want (https://goo.gl/7f5K1L).

I hope this helps.

  # 1736429 14-Mar-2017 17:39
Thanks for the suggestions!

I've turned on ModSecurity with a Comodo rule feed (it's free!) and also started using a WAF with sucuri.net. Sucuri also do the scanning thing.

Thing is, with the WAF you have to load your SSL cert in - private key and CRT. So if they get compromised you will be truly screwed. Apart from that it looks good.

The problem with WordPress is the plugins. There is no checking to make sure the code is up to scratch.
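As an added illustration of the ModSecurity-plus-vendor-rules setup described in the post above (example configuration written for this thread, not the poster's own), here is an Apache mod_security2 fragment that starts in detection-only mode so WordPress false positives can be found in the audit log before anything is blocked. The rule feed include path and the rule id in the tuning rule are assumptions.

```apache
# Added example, not the poster's configuration: ModSecurity 2.x under Apache
# with a third-party rule feed (the include path below is an assumption).
<IfModule security2_module>
    # DetectionOnly evaluates and logs every rule match but blocks nothing,
    # so WordPress admin, plugin and comment-form false positives show up in
    # the audit log first. Switch to "On" only after reviewing that log.
    SecRuleEngine DetectionOnly

    # Inspect POST bodies (wp-login.php, admin-ajax.php, forms), not just URLs.
    SecRequestBodyAccess On
    SecRequestBodyLimit 13107200
    SecRequestBodyNoFilesLimit 131072

    # Log only transactions that matched a rule or ended in 4xx/5xx (except 404).
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLogParts ABIJDEFHZ
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Vendor rule feed; directory is an assumption, use wherever the feed installs.
    IncludeOptional /etc/modsecurity/vendor_rules/*.conf

    # Rule ids 1-99999 are reserved for local rules. This one only records
    # hits on the WordPress authentication entry points so the audit log
    # shows where tuning and rate limiting are most needed; it never blocks.
    SecRule REQUEST_FILENAME "@rx ^/(wp-login\.php|xmlrpc\.php)$" \
        "id:1001,phase:1,pass,log,msg:'WordPress auth endpoint request'"

    # Tuning a false positive: disable a single vendor rule for one path only,
    # instead of turning the whole engine off. The id is a placeholder; take
    # the real rule id from the audit log entry that flagged the request.
    SecRule REQUEST_FILENAME "@beginsWith /wp-admin/admin-ajax.php" \
        "id:1002,phase:1,pass,nolog,ctl:ruleRemoveById=PLACEHOLDER_RULE_ID"
</IfModule>
```

Check the config with `apachectl configtest` after replacing the placeholder id; ModSecurity refuses to start on a non-numeric id.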


  # 1736435 14-Mar-2017 17:51
freitasm:

I have been looking at TinfoilSecurity for scanning lately.

Tinfoil is pretty awesome. I found a bug and emailed them, they came back to me pretty quickly. I've emailed a couple more suggestions. I've found it super useful.

  # 1749226 28-Mar-2017 10:23
freitasm: So why not Cloudflare?

I found this report which shows ModSecurity is the best - https://perezbox.com/2013/03/protect-your-website-vulnerabilities-with-a-waf-new-compairson-report-cloudflare-vs-incapsula-vs-modsecurity/. It's quite old, but there doesn't seem to be too much info out there to make decisions with.

I'm using Comodo's rule set, and ModSecurity is free. Comodo got a mention here - http://www.newsweek.com/best-antivirus-protect-cia-spies-hackers-computer-security-565710 - anything that annoys the CIA must be good.

I've got a server admin guy running his own penetration testing to give it the once over.

Going forward I will need to find a good automated scanner to make sure everything's working as it should.


  # 1749303 28-Mar-2017 11:31
Getsited:

freitasm: So why not Cloudflare?

Going forward I will need to find a good automated scanner to make sure everything's working as it should.

Tinfoil Security above would qualify. If you want free there are open source tools, but they take more effort.

