Discuss Home · Bootstrapped Podcast · Scribbleton Personal Wiki · HelpSpot Customer Service Software

Should I pen test my web server?


#1

Overnight the monitoring on my AWS-based website sent me a spate of emails. In the morning I took a look at the logs to find someone had tried to hack my site. I guess it was a script that looks for a bunch of common security holes.

As far as I can tell, the would-be intruder was unsuccessful. But I can’t really tell.

This got me thinking: should I be getting a pro to do some penetration testing on my site?

Do any of you use such a service? Do you think it is worthwhile doing? If so how and when?


#2

@SteveMcLeod I used to do pentesting for a living, the answer is: it depends on the types of data you’re storing. If it’s something very valuable like your client’s “account balances”, PII, etc. Then it won’t hurt, it will be a small assessment (1 or 2 days) and won’t be very expensive (~£1000/day). If you want an introduction with someone serious, I’m happy to connect you.

If your server is mainly static, I’m not sure if you’ll get much out of it. Make sure no unnecessary ports are open (you can use nmap for that), and you can also scan the web server with something like: nikto or ZAP.

There are some open-source tools you can use to do lightweight scanning like [i] and resources w/ AWS best practices [ii].

So the takeaways: a) do it if what you’re protecting is valuable (to your business or to your client’s). b) there are options for DIY’ing it, but you’re probably better off paying a pro to spend a couple of days looking at it.

HTH,
Daniel

p.s. happy to expand on any particular point.

[i]

[ii]
http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf


#3

Hey Steve,

It’s tough to put something in the internet without knowing the risks. That’s the information security challenge but manual penetration tests are expensive for us bootstrappers, although very good to find complex flaws in web apps, servers, etc. Ideally it should be performed before pushing a new version to production and after deploy too because scanners got updated and may find vulnerabilities that wasn’t possible before.

If you haven’t been hacked, I recommend you to at least run security scanners before attackers, for that you can use the free account on Gauntlet (gauntlet.io). It’s only one part of the security that you should be doing, but feel free to ask me for more information. I’m too lazy to answer it all here as it’s something really long to write. However I did write part of it in here (dadario.com.br/security-for-building-modern-web-apps/)

Cheers


#4

What did you end up doing about this?


#5

I ended up doing nothing… :frowning: