Are You Doing eCommerce On The Internet Without A Vulnerability Assessment Plan (VAP)?
Today your most important asset is your data, whether it resides on servers on premise or on servers in the cloud. Do you have a documented Vulnerability Assessment Plan (VAP)? Definition from https://searchsecurity.techtarget.com: A vulnerability assessment is the process of defining, identifying, classifying and prioritizing vulnerabilities in computer systems, applications and network infrastructures and providing the organization doing the assessment with the necessary knowledge, awareness and risk background to understand the threats to its environment and react appropriately.
I am surprised to meet new clients that have been doing business on the internet for 10+ years and have never heard of, or done, a vulnerability assessment plan or scan. One of the responses I get is "I am sure my IT team has everything locked down properly and secured." The other response I get is "we outsource our application hosting to a 3rd party hosting provider, so I am sure they have everything locked down and secured for us." In both cases these companies are making a big assumption. Never assume your applications and networks are secured. The companies I have worked with were very surprised when presented with hundreds of potential vulnerabilities uncovered by running their first application and network vulnerability security scan. This is why you need your own vulnerability assessment plan and regular vulnerability scans.
There are multiple software providers and software-as-a-service (SaaS) providers that offer vulnerability scanning. It is best to check with https://gartner.com to find the best-rated solutions before you make a purchasing decision. The scans are fairly easy to configure, but they are not harmless: a scanner generates a lot of traffic, fills logs, and can occasionally hang a fragile service or device. I would highly suggest doing your first scan in a non-production environment like dev or UAT, with the people who run those systems aware of the scan window, to make sure it has no adverse effects. If there are no adverse effects in non-production you can proceed to scan your production environments.
In this vulnerability assessment process you will also be documenting your applications by capturing system names, domain names, OS versions, software versions, IP addresses, required ports, firewall rules, where each system is hosted, the user base, etc. This inventory defines the scope of every scan that follows: a system that is missing from it will be missing from the scan as well, so keep it current as systems are added and retired.
From the report generated by the production vulnerability scan you will need to put a priority on every vulnerability and work to mitigate all of them. Work in descending order of severity: critical vulnerabilities first (red), then medium (yellow), then low (green). Verify each finding before acting on it; scanners do produce false positives, and a finding you decide not to fix should be recorded as an accepted risk with a written justification rather than quietly dropped. Mitigating a vulnerability could be as simple as applying a software provider's patch or update, allow-listing or deny-listing IP addresses, or opening or closing specific ports, or it could be as complex as refactoring your custom application code to prevent SQL injection or cross-site scripting. The vulnerability report gives you useful information on how to mitigate every vulnerability it finds.
Once you have an application environment that is free of vulnerabilities, this is where your documented vulnerability assessment plan comes into play. Your plan should be catching all vulnerabilities in the development/UAT phase. Your developers will be required to present proof of a clean vulnerability scan report from the UAT environment to get the proper approvals to promote their development into production. If they don't have a clean scan, this is where you stand firm and send your developers back to mitigate and re-scan until they get a clean scan. If they miss a production date because their code has vulnerabilities, that is on them and needs to be addressed by their manager. Once the clean code is promoted into production, a vulnerability scan of the production environment is required, and its results should match those of the scan done in UAT. If the scans don't match, you may need to roll back your changes until you figure out why they differ and make the proper corrections. Once the code is in production you should scan your production environments at least once a week.
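The two steps above, prioritizing findings by severity and gating promotion on a clean UAT scan that the production scan must then match, are easy to automate once you have the scanner's export in hand. The following Python script is an added example written for this article, not code from the article's author or from any scanner vendor. The record layout (host, plugin_id, title, severity, cvss) is an assumption: real scanners export CSV or JSON with similar fields under product-specific names, so map your scanner's columns onto these keys first. All three scan results are constructed sample data.

```python
"""Triage scanner findings and gate the UAT-to-production promotion.

Added example, not code from the original article. The scanner export format
below is an assumption: commercial scanners export CSV/JSON with similar
fields (host, check/plugin id, title, severity, CVSS score) under product-
specific names, so map your scanner's columns onto these keys first.
"""

# Lower rank = more urgent. Matches the common scanner severity scale.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}


def prioritize(findings):
    """Order findings for remediation: highest severity first, then CVSS score descending."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f["severity"]], -f["cvss"]))


def blocking_findings(findings, accepted_risks, min_severity="low"):
    """Return the findings that block promotion, most urgent first.

    A finding blocks unless it is below min_severity or its check id has a
    documented risk acceptance. Accepted risks are tracked explicitly so that
    a "clean" report never silently means "ignored".
    """
    cutoff = SEVERITY_RANK[min_severity]
    return [
        f for f in prioritize(findings)
        if SEVERITY_RANK[f["severity"]] <= cutoff and f["plugin_id"] not in accepted_risks
    ]


def gate_passes(findings, accepted_risks, min_severity="low"):
    """True when the scan is clean enough to approve promotion to production."""
    return not blocking_findings(findings, accepted_risks, min_severity)


def compare_scans(uat_findings, prod_findings):
    """Compare the approved UAT scan with the production scan by check id.

    Hostnames differ between environments, so the check id is the stable key.
    Returns (only_in_uat, only_in_prod). Anything only in production is drift:
    the deployed system differs from what was approved and needs investigation
    (or a rollback) before the release is signed off.
    """
    uat_ids = {f["plugin_id"] for f in uat_findings}
    prod_ids = {f["plugin_id"] for f in prod_findings}
    return uat_ids - prod_ids, prod_ids - uat_ids


# Constructed sample data standing in for three scanner exports (not real results).
UAT_FIRST_SCAN = [
    {"host": "uat-web01", "plugin_id": "10004", "title": "Missing X-Frame-Options header", "severity": "low", "cvss": 3.1},
    {"host": "uat-web01", "plugin_id": "10001", "title": "SQL injection in search parameter", "severity": "critical", "cvss": 9.8},
    {"host": "uat-web01", "plugin_id": "10006", "title": "Server banner reveals version", "severity": "info", "cvss": 0.0},
    {"host": "uat-web01", "plugin_id": "10002", "title": "TLS 1.0 enabled", "severity": "medium", "cvss": 5.3},
    {"host": "uat-db01", "plugin_id": "10003", "title": "Database port reachable from any address", "severity": "high", "cvss": 7.5},
]

# Re-scan after developers fixed 10001, 10002 and 10003.
UAT_RESCAN = [
    {"host": "uat-web01", "plugin_id": "10004", "title": "Missing X-Frame-Options header", "severity": "low", "cvss": 3.1},
    {"host": "uat-web01", "plugin_id": "10006", "title": "Server banner reveals version", "severity": "info", "cvss": 0.0},
]

# Production scan after promotion: one finding that was never seen in UAT.
PROD_SCAN = [
    {"host": "prod-web01", "plugin_id": "10004", "title": "Missing X-Frame-Options header", "severity": "low", "cvss": 3.1},
    {"host": "prod-web01", "plugin_id": "10006", "title": "Server banner reveals version", "severity": "info", "cvss": 0.0},
    {"host": "prod-web01", "plugin_id": "10005", "title": "Directory listing enabled on /static/", "severity": "medium", "cvss": 5.3},
]

# Hypothetical documented exception: the header is added at the CDN edge, which
# the internal scanner does not see. The justification is stored with the id.
ACCEPTED_RISKS = {
    "10004": "Header injected by the CDN; not visible to the internal scanner. Exception approved by security lead.",
}


if __name__ == "__main__":
    for label, scan in [("UAT first scan", UAT_FIRST_SCAN), ("UAT re-scan", UAT_RESCAN), ("Production", PROD_SCAN)]:
        blockers = blocking_findings(scan, ACCEPTED_RISKS)
        print(f"{label}: {'PASS' if not blockers else 'BLOCKED'}")
        for f in blockers:
            print(f"  [{f['severity']}] {f['host']} {f['plugin_id']} {f['title']}")
    only_uat, only_prod = compare_scans(UAT_RESCAN, PROD_SCAN)
    print("Checks new in production vs approved UAT scan:", sorted(only_prod) or "none")
```

Run as a script, the first UAT scan is blocked by three findings (the accepted low and the informational banner do not count), the re-scan passes the gate, and the production scan is both blocked and flagged as drifting from the approved UAT result because check 10005 appears only in production. That last condition is the one the plan says should trigger an investigation or a rollback.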
Call DRK Resources Tech to help you with your vulnerability assessment plan.