Fixing the discovered vulnerabilities after receiving the penetration test report is the most important and the most time-consuming process. Therefore, one of the most common questions I get from my clients before they start the fixing process is: can I keep my website online while fixing the vulnerabilities?
The website can be left online during the vulnerability-fixing process if no critical vulnerabilities were discovered, the website is protected by a powerful web application firewall, and a separate test environment is in place.
In this blog post, I will explain why keeping a website online can be dangerous, but also how it can be done without blocking production.
Keeping a vulnerable website online is a very dangerous and risky action, and I will explain why in detail in the next sections. However, in some cases shutting down the website could cause far greater business losses than getting hacked would. Therefore, companies may take this decision and accept the risk.
However, the risk of being hacked while running a vulnerable website can be reduced by taking some actions on the website environment. Here is a list of actions you can take to enhance the security of your website while keeping it live:
The first thing you should think of is taking a database backup. Your database is your gold and you should protect it with all you’ve got. Therefore, taking a full backup of your database is essential as soon as you start the fixing process.
Moreover, the backup process should be automated if it is not already, and you should reduce the time between backups. By reducing the time frame, you reduce the impact of getting hacked or infected by malware that may encrypt all your data: if anything happens, the amount of data you lose is small enough to deal with.
Taking a full backup of the website source code is also important so you can keep running your website if anything happens. If your original web server gets infected, you may be able to quickly switch to another server while cleaning up the principal one, so the website stays alive no matter what happens. (This action is only effective if the attack source and the exploit used were identified during the investigation.)
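The backup routine described in the last three paragraphs (frequent, automated, verified) as an added example; this is not the post's own code. It assumes a `dump` callable that returns the raw dump bytes (in production that would wrap `mysqldump`/`pg_dump`, or tar up the source tree for the source-code backup), so it runs offline with constructed data. File naming, the SHA-256 sidecar and the `keep` retention count are illustrative choices.

```python
# Added example (not the post's own code): automated, verified database backups
# with a short interval and bounded retention. `dump` is an assumed callable
# returning the raw dump bytes; in production it would wrap mysqldump/pg_dump
# (or tar the source tree, for the source-code backup the post also recommends).
import hashlib
import time
from pathlib import Path
from typing import Callable, List, Optional


def _sidecar(path: Path) -> Path:
    """Digest file stored next to each dump."""
    return Path(str(path) + ".sha256")


def write_backup(dest: Path, dump: Callable[[], bytes], stamp: Optional[int] = None) -> Path:
    """Write one dump plus a SHA-256 sidecar, so a truncated or tampered file
    is caught before you try to restore from it."""
    dest.mkdir(parents=True, exist_ok=True)
    stamp = int(time.time()) if stamp is None else stamp
    data = dump()
    path = dest / f"db-{stamp}.sql"
    path.write_bytes(data)
    _sidecar(path).write_text(hashlib.sha256(data).hexdigest())
    return path


def verify_backup(path: Path) -> bool:
    """True only when the dump still matches its recorded digest."""
    sidecar = _sidecar(path)
    if not path.exists() or not sidecar.exists():
        return False
    return hashlib.sha256(path.read_bytes()).hexdigest() == sidecar.read_text().strip()


def list_backups(dest: Path) -> List[Path]:
    """Dumps ordered oldest to newest by the timestamp embedded in the name."""
    return sorted(dest.glob("db-*.sql"), key=lambda p: int(p.stem.split("-", 1)[1]))


def prune_backups(dest: Path, keep: int) -> List[Path]:
    """Remove all but the newest `keep` dumps (together with their sidecars)."""
    backups = list_backups(dest)
    doomed = backups[:-keep] if keep > 0 else backups
    for old in doomed:
        _sidecar(old).unlink(missing_ok=True)
        old.unlink()
    return doomed


def run_backup_cycle(dest: Path, dump: Callable[[], bytes], keep: int,
                     stamp: Optional[int] = None) -> Path:
    """One scheduler tick: dump, verify, prune. Schedule it at the shortest
    interval your storage allows; that interval bounds how much data an
    incident (ransomware included) can cost you."""
    path = write_backup(dest, dump, stamp)
    if not verify_backup(path):
        raise RuntimeError(f"backup {path} failed verification")
    prune_backups(dest, keep)
    return path
```

Run `run_backup_cycle` from cron or a systemd timer, and point `dest` at storage the web server cannot overwrite (a separate host or an append-only bucket); backups that sit on the compromised server get encrypted along with everything else, which defeats the point of a short backup interval.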
Web application firewalls are the most important part of this kind of situation. If you don’t have a web application firewall up and running, keeping a vulnerable website live could be business suicide.
Web application firewalls do a great job of protecting web applications from both known and unknown attacks. Moreover, you can even add your own rules to protect specific vulnerable parts of your web application.
Here you can find a list of the most powerful web application firewalls that I always recommend to my clients. Some of those firewalls have affiliate links and others don’t, which proves that what I am recommending here is based on my personal experience as a penetration tester and security consultant and nothing else.
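What a custom rule for a "specific vulnerable part" of the application looks like in practice is a virtual patch: a request filter placed in front of the flagged endpoint until the real fix ships. The following is an added example, not the post's code and not tied to any WAF product; the request shape, the rule format and the two rules (`vp-001`, `vp-002`, guarding hypothetical `/product` and `/admin/export` endpoints) are assumptions for illustration.

```python
# Added example: virtual-patch rules that shield specific endpoints flagged by
# a pentest until the code fix is deployed. Not the post's code; request and
# rule shapes are assumptions, not any WAF product's format.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Request:
    method: str
    path: str
    params: Dict[str, str] = field(default_factory=dict)


@dataclass
class Rule:
    rule_id: str
    path: "re.Pattern"                      # which endpoint this rule guards
    methods: Optional[Set[str]] = None      # None = every method
    param_allow: Dict[str, "re.Pattern"] = field(default_factory=dict)  # positive model
    deny_all: bool = False                  # take the endpoint offline entirely


@dataclass
class Decision:
    allowed: bool
    rule_id: Optional[str] = None
    reason: str = ""


def evaluate(req: Request, rules: List[Rule]) -> Decision:
    """First matching rule that objects wins; otherwise the request passes."""
    for rule in rules:
        if not rule.path.match(req.path):
            continue
        if rule.methods is not None and req.method not in rule.methods:
            continue
        if rule.deny_all:
            return Decision(False, rule.rule_id, "endpoint disabled pending fix")
        for name, pattern in rule.param_allow.items():
            value = req.params.get(name)
            if value is None:
                continue  # absent parameter: the application's own validation applies
            if not pattern.fullmatch(value):
                return Decision(False, rule.rule_id,
                                f"parameter {name!r} outside allowed format")
    return Decision(True)


# Constructed rule set covering the two common virtual-patch styles:
#  vp-001: positive validation (only digits) on a parameter the pentest flagged,
#  vp-002: disable an endpoint outright until it is repaired.
RULES = [
    Rule("vp-001", re.compile(r"^/product$"), {"GET"},
         {"id": re.compile(r"[0-9]{1,10}")}),
    Rule("vp-002", re.compile(r"^/admin/export(/|$)"), deny_all=True),
]
```

Two design points worth noticing: `vp-001` uses an allow-list (what a valid `id` looks like) rather than trying to enumerate bad input, which is the only approach that also covers attacks nobody has seen yet; and it is scoped to `GET` on purpose to show a common pitfall, since a rule that is narrower than the vulnerable handler (which may accept `POST` too) leaves a path around the patch. Log every blocked decision with its `rule_id`, because those hits are exactly the early-warning signal the monitoring section below relies on.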
One of the most important tasks that so many people neglect is monitoring. You should know that even if you put the most powerful security systems in place and keep doing all you can to fix the vulnerabilities you have, getting hacked is just a matter of time.
In the cyber security industry, we no longer talk only about how to prevent an attack; we have started to discuss when the attack will happen and how to deal with it to reduce the impact. Unfortunately, this is due to the rise we are seeing in zero-day vulnerabilities discovered every day.
Therefore, whether your website has “no vulnerabilities” for now or you are running a vulnerable website, monitoring your application is a must in order to quickly detect intrusions and attacks.
Early detection of intrusions helps you reduce the business impact by stopping them in the early stages. Therefore, putting in place a monitoring system that supervises your website 24/7 is as important as using a web application firewall or fixing your website’s vulnerabilities.
I have written a nice article about this subject where I also recommend some of the best monitoring solutions on the market.
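To make the "detect intrusions early" advice concrete, here is an added example (not from the post) of the kind of detection logic a monitoring system runs over the web server's access log. The log lines are constructed samples in Apache/Nginx combined format, and the three rules, the 60-second window, the 404 threshold and the watched `/admin/export` path are illustrative assumptions to tune for your own site.

```python
# Added example: log-based intrusion detection for a site kept online during
# remediation. Not the post's code. Sample log lines are constructed; thresholds
# and the watched path are assumptions to be tuned per site.
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line: str) -> Optional[dict]:
    """Combined-log-format parser; unparseable lines are skipped, not fatal."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect(lines: List[str], window_seconds: int = 60, not_found_threshold: int = 5,
           watch_paths=("/admin/export",)) -> List[Dict]:
    """Return one alert per (client, rule) that fired."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append(rec)
    alerts = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        # Rule A: many distinct 404 paths inside a short window => probing for
        # old/forgotten files, typical of reconnaissance before an exploit.
        nf = [r for r in recs if r["status"] == 404]
        for i, first in enumerate(nf):
            window = [x for x in nf[i:]
                      if (x["ts"] - first["ts"]).total_seconds() <= window_seconds]
            distinct = {x["path"] for x in window}
            if len(distinct) >= not_found_threshold:
                alerts.append({"ip": ip, "rule": "probing", "count": len(distinct)})
                break
        # Rule B: any request to an endpoint taken offline pending its fix;
        # nobody legitimate should be calling it, so even a blocked hit matters.
        for r in recs:
            if any(r["path"].startswith(w) for w in watch_paths):
                alerts.append({"ip": ip, "rule": "watched-endpoint",
                               "path": r["path"], "status": r["status"]})
                break
        # Rule C: a burst of 5xx from one client often means malformed input
        # is reaching vulnerable code and crashing it.
        errors = [r for r in recs if 500 <= r["status"] < 600]
        if len(errors) >= 3:
            alerts.append({"ip": ip, "rule": "server-errors", "count": len(errors)})
    return alerts


# Constructed sample log (RFC 5737 documentation addresses, fictional paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2024:10:00:01 +0000] "GET /old/ HTTP/1.1" 404 0 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Jan/2024:10:00:02 +0000] "GET /backup/ HTTP/1.1" 404 0 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Jan/2024:10:00:03 +0000] "GET /test/ HTTP/1.1" 404 0 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Jan/2024:10:00:04 +0000] "GET /dev/ HTTP/1.1" 404 0 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Jan/2024:10:00:05 +0000] "GET /tmp/ HTTP/1.1" 404 0 "-" "curl/8.0"',
    '198.51.100.4 - - [10/Jan/2024:10:05:00 +0000] "GET /product?id=42 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Jan/2024:10:05:03 +0000] "GET /admin/export/csv HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Jan/2024:10:09:00 +0000] "GET /search?q=1 HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '192.0.2.9 - - [10/Jan/2024:10:09:01 +0000] "GET /search?q=2 HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '192.0.2.9 - - [10/Jan/2024:10:09:02 +0000] "GET /search?q=3 HTTP/1.1" 500 0 "-" "python-requests/2.31"',
]
```

Feed `detect` a tail of the live log every minute and route its alerts to whoever is on call; the value is in rule B and rule C, which fire on the first sign that someone is touching exactly the code you know to be broken, long before a full compromise shows up in the backups or the antivirus.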
One last thing you can add to your security solutions is installing an antivirus on the hosting server. This task is optional, but it adds a nice security layer if all the other ones have failed to protect the application.
An antivirus has access to every system process, both on disk and in memory. Therefore, the amount of data it gets to successfully detect an attack is far greater than what a WAF sees.
Fixing a vulnerability in a web application takes between 34 and 54 days. According to a study performed by Tcell, the average time needed to fix a critical vulnerability in an application of medium complexity is 34 days. However, this number gets higher for vulnerabilities of lower criticality.
This study was performed on different applications of different sizes. Therefore, the numbers in this study may be skewed by the time big companies need to fix a vulnerability, which means that for smaller apps the time might be even less than that. However, even for less time to fix the discovered vulnerability
As I said, even with the most powerful security solution protecting a vulnerable website, the risk remains significant. This is because the security solution itself can be vulnerable to zero-day vulnerabilities or to an unknown evasion technique.
This is why keeping a vulnerable website live is a dangerous action, especially if the vulnerabilities discovered are obvious, very critical, and easy to exploit.
Written by: Z. Oualid
I am a Cyber Security Expert, I have worked with many companies around the globe to secure their applications and their networks. I am certified OSCP and OSCE, which are the most recognized and hardest technical certifications in the industry of cybersecurity. I am also a Certified Ethical Hacker (CEH). I hope you enjoy my articles :).