Web Auditing Essentials

The trick to auditing your web servers is understanding how to compartmentalize the task and then correctly specify the scope of the work you want to accomplish. Auditing in our case means using 20 percent of the available tools and technologies to discover 80 percent of the possible risks present in the system or in the processes around it. Remember that auditing, as much as we would like to believe otherwise, isn't an exact science, and auditing web servers is one area in which this is especially apparent. We are going to equip you with the tools to outline your audit and begin executing it. Release yourself from the guilt of not being perfect, or you will either never get started or you'll end up ineffective as you try to cover too much with too few resources and too little knowledge.

Web Auditing Components

A complete web audit is really an audit of three large components. First, there's the underlying platform or operating system on which the web application is installed and runs; this is covered in earlier chapters. Second, there is the web server itself, such as IIS, Apache, or Tomcat, which is covered below. An encyclopedia could be written about every web application in existence and the individual settings in each one, so we cover the concepts, show some examples, and leave it to you to apply those concepts to any esoteric web servers you encounter. Finally, there is the audit of the web application that runs on top of the web server. These three components are shown in Table 8-1.

Table 8-1: Web Auditing Components

| Web Audit Component | Key Concerns |
|---|---|
| Web platform | Security of the operating system, physical and network protection of the host |
| Web server | Default settings, sample code, general misconfigurations |
| Web application | Default application settings, input validation, incorrectly serving up data, access to company confidential data, general misconfigurations |

There is a wealth of languages and frameworks for web application development, which complicates the audit process. However, there are also several tools available to help us wade through the mix and determine what needs attention. We will go through these in the steps below.

IT Auditing: Using Controls to Protect Information Assets
Year: 2004
Pages: 159
