Website security and performance audit

Security audit

The aim is to determine whether an application is susceptible to common attacks.
Today, hacking attempts are frequent and no longer target only high-traffic sites. Hackers are also turning to smaller players whose lax security policies they hope will make it easier for them to break into servers.

Here are the main aims of these hacks :
– Website defacement. This involves exploiting a vulnerability to visibly modify the home page.
– Link injection. Here again, the homepage is modified but in a more discreet manner to add links that will help to increase the ranking of the site targeted by the links on search engines to enhance its visibility.
– Injection of malicious code. In this case, the aim is to ensure that the user arriving on the modified page is infected by a virus, worm or Trojan horse that will use vulnerabilities in the browser, the Adobe © Flash player plugin, a PDF reader, etc.
– Information recovery. The aim is to obtain valuable information such as customer lists (surname, first name, address, email address, password, bank details). This information will then be resold and used for identity theft or to target potential victims more effectively by sending them phishing emails.
– Taking control of all or part of the server. The aim is to be able to use this as a basis for new attacks on other sites, to send SPAM, install phishing sites or, if the site is suitable, to intercept bank details or have goods sent to you without paying for them or at a derisory cost.
– Destroying the site. This involves simply deleting the entire site and all associated data.

Being the victim of a hacker attack can have a number of negative impacts :
– Loss of business for a commercial site: until the site is corrected and back up and running, orders are suspended.
– Loss of reputation for the associated site or brand.

Performance audit

This is an audit of the bottlenecks slowing down all or part of a software application.
The responsiveness of a thin or fat client application is essential to increase its audience with the general public and for the productivity of in-house teams.
There can be many reasons for this: poor software structure, complexity or excessive and unnecessary demands on resources.
These can be corrected by restructuring the software, caching it, configuring the various components more finely or using more appropriate technologies.

Quality audit

This is an audit of good practice to ensure the application is managed over time.
Beyond the initial creation of a software application, it is important that its development respects good practices that will facilitate its management over time:
– Documenting the internal structure is essential if a development team that is not necessarily the original team is to be able to carry out maintenance (e.g. fixing bugs), development (e.g. monitoring legislation) or migration (e.g. transferring to a new information system) operations in less time and therefore at a lower cost.
– Structuring the application so that it can adapt more easily to increased workloads.
– Setting up development and qualification platforms to manage tests without impacting production.
– The use of version management software (subversion, git, etc.) to keep track of development and find out when a regression occurred, for example.
– Management of backups, their integrity and verification of restoration processes.

Audit Process

An audit takes place in several phases:
– The first consists of gathering information about the area to be audited, for example by setting up probes (e.g. use of CPU, memory and disk resources).
– The second consists of analysing this data to determine the critical points to be improved
– Then there is the advice phase, to suggest the best way of resolving the problems identified.
– Finally, the last verification phase consists of re-reading the information to assess the impact of the corrective solutions put in place.

Black Box / White Box

The “black box” consists of analysing the information leaked by your applications about the way they are designed.

This information makes it easier for malicious people to break into the application.

Here’s a quick parallel: if you’re a burglar with 2,000 master keys, each of which works on a particular safe, and you don’t know the make or model of the safe, you’ll have to test all 2,000 one by one.

The time loss will deter a number of attackers and allow the security system to detect the attack and block it. The attacker will therefore prefer to go to another, more verbose site.

This analysis is called “black box” because the auditor puts himself in the same position as an attacker.

The “white box” analysis is the opposite: the auditor is aware of the technologies used, the source code of the applications and their configuration. It will use this information to search for security flaws, known configuration errors for these technologies and compliance with best practice in terms of security in the application code.

If you need an audit on the security or performance of your website, Contact Ice Development