Website security: Penetration tests and security scans

A penetration test (pen-test) is a useful tool, commonly used by site owners to check for vulnerabilities in their sites. Typically a pen-test will involve some automated scans, searching for patterns and components known to be possible security problems, followed up by a human operator posing as a typical user, ensuring that said user cannot access anything they should not.

Understanding a pen-test report

A good pen-test report will not only show the vulnerability, but also, an example URL, and how to demonstrate the vulnerability, and thus validate when it is fixed. Typical findings will span from server through to third-party libraries and individual pages. 

It is important, however, to be aware that mitigations may already be in place, rendering an apparent vulnerability as merely a false positive. For example, the ageing Drupal 7 uses an old version of the jQuery library, with a known vulnerability. This is typically picked up in common pen-tests. However, Drupal has protections in place specifically for jQuery, making it safe to use. 

It is also important to understand how a site works, when interpreting the results of a pen-test. For example, a test might cite the disclosure of directory structures as a problem. However, with Drupal, the entire system is abstracted away from the underlying directory structures, and what might appear to an automated scan as revealed structure might in reality simply be search result pages.

Hiding a site’s fingerprints

Some reports might recommend the removal of files such as README text files or change logs, or  similar, which may be part of the code base, from the core system, contributed modules or third-party libraries. The thinking here is that these files disclose information best kept private. The Drupal security team’s view on such approaches is that security through obscurity is no security at all.  Their opinion is that it is a waste of effort to remove such files as there are other ways to discover a site’s systems, and other far more effective ways to protect your site than hiding such files.

Security headers

Pen-tests may reveal certain required “headers” are missing. Whenever a server responds to a request, the data of that response is preceded by a “header”. That is a collection of statements from the web server that tells the browser where it has come from and how to interpret it.

Some headers are security related, e.g. “you may/may not put this content in an iFrame”, or “this content can access this selection of features on a phone”, or maybe “you must only use secure, encrypted connections”.

Fortunately, these headers are straightforward to implement, and Drupal modules such as Security Kit will go a long way towards providing every header a penetration tester might wish for.

Server Security

You can have your web application as secure as the oft-cited Fort Knox, but if the web server upon which it resides is insecure, all your efforts can be for naught.

In days of yore, people would purchase a cheap VPS (virtual private server) to host their website, and think that they were finished there. The web agency would be tasked with maintaining the web application, and the hosting company would maintain the underlying infrastructure, but all too often, nobody would own the maintenance of the VPS itself: its operating system and server software. Thus, security patches would be neglected, file permissions unset, and gaping vulnerabilities would appear to those who looked, leaving sites wide open.

Managing a server requires its own specialist skill set; a skill set not possessed by all. A good systems administrator is priceless.

Annertech now exclusively use fully managed hosting services. A managed hosting service is one where the hosting provider takes care of everything: the hardware, the operating system, the server software, the file permissions, in an ongoing maintenance routine. This allows the server experts to provide all the base-level security and allows the web application experts to concentrate on delivering secure web applications.

A well-managed hosting system will have built in security features such as a read-only file system, access only via SSH and code deployment only through the use of version control.

Pen-tests can show up all manner of real or perceived vulnerabilities. It can be useful to know what they are talking about, and some of the measures your web application might already have in place.

Next episode: inputs, outputs, and vulnerabilities.

Read the other blogs in our Security Series: