Or just a Web security expert…?
One of our clients has an ASP (classic) / MS SQL site and it keeps getting hacked. We’ve locked it down so that cross-site scripting and SQL injection are not a problem, and haven’t been a problem for quite a while. But now password-protected areas of the site are being accessed and abused, and we’re at a loss as to how the baddies might be getting in (passwords have been changed).
We don’t have the time to figure out the problem, but it needs to be fixed. So we need to hire someone to find the hole for us.
I’ve googled and have not found anything because I am probably googling wrong. Plus, who can you trust?
I put this in IMHO because I would like recommendations from others who have had to hire such a person/firm. I am also open to hiring a Doper who has the needed skills.
If you just want to “fix the hole,” any decent-sized web development shop should have staff with security experience on hand and should be able to provide you with references.
However, I suggest you take a more comprehensive approach to application and platform security. Running an old version of SQL Server in the wild is a really, really bad idea. You’re probably looking at a comprehensive audit and pen test, followed by a rearchitecture, platform upgrade and rewrite, followed by another audit and pen test.
A consulting shop will probably charge you 20-50k for the auditing and penetration testing bit, depending on the size of the application and the length of the test. I have no idea what consulting shops are charging for .Net analysis and development these days, so I won’t comment.
It’s not an ASP.NET app, it’s a classic ASP app. Thanks, tho.
Essentially, there are two types of security holes.* One is Lazy Programming. This means not verifying the safety of data that the user has input, or not properly checking errors. The other one is Flow Holes. This means that the design itself isn’t inherently secure. The first sort of problem can largely be solved by taking the code and, line-by-line, porting it to a new coding style that does do all the proper checks. But the latter requires having a basic understanding of how everything is put together.
None of this has anything to do with “web security”. As a label, I’d take that to refer to an IT guy. Your problem is a coding issue, which means a programmer. Programmers don’t really have qualifications. There’s just ones who are good and ones who aren’t, and the only way to determine that is to have someone who knows his stuff interview them.
* There’s something of a third type, which is security issues in the underlying platform. To fix this, you just upgrade to the newest versions.
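An added example, not from any poster in this thread, of the “Lazy Programming” hole described above and what the line-by-line port to proper checks looks like: a login check that concatenates user input into SQL next to the same check done with a bound parameter. Python’s sqlite3 module stands in for the classic ASP / ADO-to-MS-SQL code the thread is about (the ASP equivalent is assumed to be string concatenation of Request.Form values versus an ADODB.Command with parameters); the table, column names and account are made up for the demo.

```python
"""Vulnerable vs. parameterised login check (added example; sqlite3 stands in
for the MS SQL back end, and the schema is an assumption made for the demo)."""
import sqlite3


def make_db():
    """Constructed sample data: one legitimate account in an in-memory DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, is_admin INTEGER)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse', 1)")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, the way unchecked ASP code does
    ("... WHERE username='" & Request.Form("user") & "'").  A single quote in
    either field rewrites the query.  Returns the matched username or None."""
    sql = ("SELECT username FROM users WHERE username='" + username +
           "' AND password='" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterised(conn, username, password):
    """Same check with bound parameters: the input can never change the query
    structure, so a quote in the password is just a quote that does not match."""
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    # Classic bypass: password field becomes  ' OR '1'='1
    # so the WHERE clause reads  username='nobody' AND password='' OR '1'='1'
    bypass = "' OR '1'='1"
    print("vulnerable,    unknown user + bypass:", login_vulnerable(db, "nobody", bypass))
    print("parameterised, unknown user + bypass:", login_parameterised(db, "nobody", bypass))
```

The concatenated version logs the attacker in as the first row of the table without knowing any password, which is exactly the “password-protected area accessed, passwords changed, still happening” symptom in the original post; changing the password does nothing because the password is never actually compared.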
Sage Rat’s advice is very sound. I’m not an expert but the fact that you say SQL injection is “not a problem” doesn’t mean that much. 90% of the time I’ve encountered a situation like this it has been someone failing to clean their input. Look at the HTTP requests your server is getting and see if you can find some “strange” ones; it’s not a sure thing but it’s likely you’ll be able to find the attack vector. Once you have that then you can work on closing it.
The thing is that even if you think it’s safe there’s always the possibility of a form that’s been overlooked, a script that’s open to being touched in a way you didn’t anticipate, and so on.
And FWIW almost every other successful web attack I’ve seen has been because someone installed a web application and didn’t change the default settings. That stuff is public knowledge and anyone who finds it while scanning sites can just walk in.
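An added example, not from any poster in this thread, of the first pass over the server logs that the reply above suggests: parse IIS W3C extended log lines, URL-decode the stem and query (attackers encode quotes and slashes), and flag requests carrying injection, traversal or script probes, hits on admin paths, and 500 responses, then count hits per client IP. The log lines are constructed for the demo, the indicator regexes are a starting point rather than a complete signature set, and the admin-path list is an assumption about what a given install exposes.

```python
"""Pull 'strange' requests out of IIS W3C logs (added example; sample lines and
admin-path list are constructed assumptions, not from the thread)."""
import re
from urllib.parse import unquote_plus

# Constructed sample in IIS 6 W3C extended format (the #Fields line drives parsing).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2009-03-01 10:00:01 203.0.113.5 GET /default.asp - 200
2009-03-01 10:00:09 203.0.113.5 POST /login.asp - 302
2009-03-01 10:01:14 198.51.100.7 GET /members/profile.asp id=42 200
2009-03-01 10:01:20 198.51.100.7 GET /members/profile.asp id=42%27+OR+1%3D1-- 200
2009-03-01 10:01:31 198.51.100.7 GET /members/profile.asp id=42+UNION+SELECT+username,password+FROM+users 500
2009-03-01 10:02:02 198.51.100.7 GET /admin/login.asp - 200
2009-03-01 10:02:40 192.0.2.9 GET /download.asp file=..%2F..%2Fweb.config 200
2009-03-01 10:03:05 192.0.2.9 GET /search.asp q=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200
"""

# (label, regex applied to the decoded "stem?query").  Deliberately loose: the
# point is to surface candidates for a human to read, not to block traffic.
INDICATORS = [
    ("sql-injection", re.compile(r"'|\b(union|select|insert|update|delete|drop|exec|xp_)\b|--", re.I)),
    ("path-traversal", re.compile(r"\.\./|\.\.\\")),
    ("xss-probe", re.compile(r"<\s*script|javascript:|onerror\s*=", re.I)),
]

# Assumed list of paths that ship with default/admin consoles on this install.
DEFAULT_ADMIN_PATHS = ("/admin/", "/manager/", "/phpmyadmin/")


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))


def classify(entry):
    """Return the indicator labels that fire on one parsed log entry."""
    query = entry.get("cs-uri-query", "-")
    query = "" if query == "-" else query
    target = unquote_plus(entry["cs-uri-stem"] + "?" + query)  # %27 -> ', + -> space
    hits = [label for label, rx in INDICATORS if rx.search(target)]
    if any(entry["cs-uri-stem"].lower().startswith(p) for p in DEFAULT_ADMIN_PATHS):
        hits.append("admin-path")
    if entry.get("sc-status") == "500":  # unhandled error: often a SQL syntax error
        hits.append("server-error")
    return hits


def suspicious_requests(text):
    """Return [(c-ip, cs-uri-stem, cs-uri-query, labels)] for every flagged line."""
    out = []
    for entry in parse_w3c(text):
        hits = classify(entry)
        if hits:
            out.append((entry["c-ip"], entry["cs-uri-stem"], entry["cs-uri-query"], hits))
    return out


def hits_by_ip(text):
    """Count flagged requests per client so the scanning host stands out."""
    counts = {}
    for ip, _stem, _query, _hits in suspicious_requests(text):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, stem, query, hits in suspicious_requests(SAMPLE_LOG):
        print(f"{ip:14} {stem}?{unquote_plus(query)}  <- {', '.join(hits)}")
    print(hits_by_ip(SAMPLE_LOG))
```

On real logs, point `parse_w3c` at each ex*.log in the IIS log directory; the pages that show up with an injection hit followed by a 200 or 500 are the forms to read first, and the 500s are where the “not properly checking errors” part of the problem is leaking query structure to the attacker.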
Try OWASP -
They have a number of supporting firms listed via a logo cloud near the bottom of that page. Try Aspect Security -
http://www.aspectsecurity.com/