Web Auditing Essentials

The trick to auditing your web servers is understanding how to compartmentalize the task and then correctly specify the scope of the work you want to accomplish. Auditing in our case is trying to use 20 percent of the tools and technologies available to discover 80 percent of the possible risks implemented into the system or processes around the system. Remember that auditing, as much as we would like to believe, isn't an exact science, and auditing web servers is one area in which this is apparent. We are going to equip you with the tools to outline and begin execution for your audit. Release yourself from the guilt of not being perfect, or you will either never get started or you'll end up ineffective as you try to cover too much with too few resources and knowledge.

Web Auditing Components

A complete web audit is really an audit of three large components. First, there's the underlying platform or operating system on which the web application is installed and runs. This is covered in earlier chapters. Second, there is the web server itself, such as IIS, Apache, or Tomcat, which is covered below. An encyclopedia could be written about every web application in existence and the individual settings in each one. We cover the concepts, show some examples, and leave it to you to understand how to apply the concepts to any esoteric web servers. Finally, there is the audit of the web application that runs on top of the web server. These are show in Table 8-1.

There is a wealth of languages and structures for web application development, complicating the audit process. However, there are also several tools available to help us wade through the mix and determine what needs attention. We will go through these in the steps below.