Addressing Vulnerabilities

You learn you have an application vulnerability because:

  • a security assessment told you
  • a penetration test told you
  • an interested party told you, or
  • the post-mortem of an incident told you.

You want to install a vendor’s patch (in the case of a third-party application), update the code (in the case of an internal application), or change the configuration (when excessive privileges or unthrottled resource allocation is the issue). You will not be able to do this right away (no resources, regression testing takes time), and perhaps not at all (no source code).

What can you do?

  1. Shut down the application. Is the benefit of the application significant? Consider removing a vulnerable application which is of little value.
  2. Remove the vulnerable functionality of the application. Is the benefit of the application’s feature significant? For example, a web-based administrative interface can be convenient, but administrators may have other methods. Consider removing a vulnerable feature of an application.
  3. Remove access to the functionality at the network layer. If it can’t be reached, it can’t be exploited (until someone makes it reachable).
  4. Remove access to the functionality at the application layer. It may still be reachable, but you will need certain credentials to exploit the vulnerability.
  5. Minimize the impact. For example, a SQL Injection vulnerability where the web application’s privileges are severely limited is of little impact. A file upload or download vulnerability which cannot overwrite important files is of little impact.
  6. Prevent exploitation. This is typically done through a web application firewall. Use rules which permit only the expected input; do not merely filter out the known bad example (the proof of concept), since an attacker can vary it.
  7. Detect exploitation. Perhaps the issue appears to be low risk and low probability. Watch and wait, but at least know when the application is being exploited.
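As an added illustration of options 6 and 7 (it is not code from the original post), the following Python shows an allow-list request filter of the "permit only the expected input" kind, and then runs it over access-log lines so that rejected requests become detection alerts. The endpoint `/report`, its parameters `id` and `format`, and the log lines are all constructed for the example.

```python
"""Allow-list request filtering (option 6) and detection over logs (option 7).

Added example, not from the original post. The endpoint, parameter names
and sample log lines below are constructed assumptions.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Allow-list: one rule per expected parameter for the hypothetical /report
# endpoint. Anything not listed here is rejected, so a new variant of a
# known-bad payload is caught without a new rule.
ALLOWED_PARAMS = {
    "id": re.compile(r"^[0-9]{1,10}$"),        # decimal integer only
    "format": re.compile(r"^(pdf|csv|html)$"),  # fixed set of values
}
REQUIRED_PARAMS = {"id"}


def check_request(target):
    """Return (allowed, reason) for a request target such as
    '/report?id=42&format=pdf'. Only the /report path is covered."""
    parts = urlsplit(target)
    if parts.path != "/report":
        return False, "unexpected path"
    seen = set()
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        rule = ALLOWED_PARAMS.get(name)
        if rule is None:
            return False, f"unexpected parameter {name!r}"
        if name in seen:
            return False, f"duplicate parameter {name!r}"
        seen.add(name)
        if not rule.fullmatch(value):
            return False, f"parameter {name!r} failed allow-list"
    missing = REQUIRED_PARAMS - seen
    if missing:
        return False, f"missing parameter(s) {sorted(missing)}"
    return True, "ok"


# Common Log Format, enough fields for this example.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Constructed sample log: two legitimate requests, one with a stray quote
# in a numeric field, one with an unexpected parameter, one off-path.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /report?id=42&format=pdf HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /report?id=42%27 HTTP/1.1" 200 98210
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /report?id=7&format=csv&debug=1 HTTP/1.1" 200 310
198.51.100.7 - - [10/Oct/2023:13:56:09 +0000] "GET /report?id=7 HTTP/1.1" 200 4010
198.51.100.7 - - [10/Oct/2023:13:56:15 +0000] "GET /admin/ HTTP/1.1" 404 210
"""


def detect(log_text):
    """Apply the allow-list to each logged request; return one alert dict
    per request that would have been rejected. Unparseable lines are skipped."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        allowed, reason = check_request(m.group("target"))
        if not allowed:
            alerts.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "target": m.group("target"),
                "status": m.group("status"),
                "reason": reason,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"{alert['time']} {alert['ip']} {alert['target']} -> {alert['reason']}")
```

Running the same `check_request` in the blocking path (option 6) and over historical logs (option 7) means the two stay consistent: the second log line shows why the allow-list approach matters, since a single stray quote in a numeric field is rejected without any signature for the specific payload, and the third line shows an unexpected parameter being flagged even though the request returned 200.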

See also:
The following resources may be useful in securing your website:

Using resource allocation management to prevent DoS and other attacks by Michael Cobb

ThreadFix is a software vulnerability aggregation and management system that reduces the time it takes to fix software vulnerabilities. ThreadFix imports the results from dynamic, static and manual testing to provide a centralized view of software security defects across development teams and applications. The system allows companies to correlate testing results and streamline software remediation efforts by simplifying feeds to software issue trackers. By auto-generating application firewall rules, this tool allows organizations to continue remediation work uninterrupted. ThreadFix empowers managers with vulnerability trending reports that show progress over time, giving them justification for their efforts.
