Rapid7 Security Consulting Services

Web Application Security Audits

In recent years the popularity of web applications has grown dramatically. Many organizations have converted legacy mainframe and database systems into dynamic web applications using technologies such as ColdFusion, ASP, JSP, PHP, and JavaScript. Web-based applications allow a company to quickly develop a platform-independent, client-server application that can be accessed from any computer within the organization equipped with a web browser. Additionally, many new commercial and in-house applications have been developed to facilitate workflow, data management, and online collaboration.

The rapid growth of web-enabled applications was followed by a rapid growth in discovered web vulnerabilities, and HTTP became an attacker's easiest path into a corporate network. First, web application platforms are notoriously full of vulnerabilities: products such as IIS, ColdFusion, and PHP have a poor security track record. Second, much in-house and even commercially developed web software treats application security as an afterthought and is usually vulnerable to some type of attack such as authentication bypass, SQL injection, or cross-site scripting. Finally, attacking web applications is popular because it is often the easiest and most direct route to the internal network: almost all firewalls are configured to allow inbound traffic on TCP ports 80 and 443, so the web application is reachable from the Internet and, once compromised, gives the attacker a foothold behind the perimeter with the application's own access to back-end databases and internal systems.

Rapid7 is Here to Help

You can no longer ignore the security of your web applications. Web applications collect personal, classified, and confidential information such as medical history, credit and bank account information, and customer feedback. Additionally, if your organization is bound by legislation or industry standards such as HIPAA, GLBA, PCI, or Sarbanes-Oxley to protect the privacy and security of personally identifiable information, and attackers can get at this sensitive information, you risk a finding of non-compliance in addition to the breach itself.

Rapid7's Web Application Security Audit will provide you with an overview of the effectiveness of the security controls you have in place to protect your web applications from attack. Rapid7, in conjunction with the Open Web Application Security Project (OWASP), has developed a comprehensive framework for assessing the security of web-based applications. This framework includes checks for the following vulnerability classes:

  • Unvalidated Input Parameters
  • Broken Access Control
  • Broken Authentication and Session Management
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • SQL and Command Injection
  • Improper Error Handling
  • Buffer Overflows
  • Insecure Configuration Management

Rapid7 will also provide remediation advice for the issues discovered during the audit, and will ensure you understand each issue's severity and overall context within the framework of web application security. Rapid7 can also provide consulting services and work with you to fix the problems found and achieve compliance with government or industry regulations.

For those of you who want your staff to have a deeper understanding of web application security, Rapid7 offers a Web Application Security Training course that teaches an offensive approach to application security. The course teaches students how to attack and defend web-based applications using the same methodology as an external attacker. We focus on application-layer security and teach students how to secure distributed applications by walking through actual application exploits.

Contact us to find out how Rapid7 can help you secure your web applications and keep your business running effectively.