You can't secure what you don't acknowledge.SM

Friday, September 7, 2007

How secure is your law firm's extranet?

Do you work for a law firm that provides a client Web portal that houses extremely sensitive case information (or other similar system that allows a client to manage their own data)? If so, chances are there are weaknesses in the system waiting to be exploited. Be it the commonly-used SharePoint or any other commercial or home-grown system, all it takes for someone with ill intentions to create a problem is a weakness in the login mechanism or login requirements, poor input validation (JavaScript and SQL statements), test files left loaded on the site - you name it - the possibilities are endless.

It doesn't matter if the application is "behind the firewall". It doesn't matter if it uses SSL for encryption. And it doesn't matter if all the software in use is patched with the latest hotfixes or service packs. The problems are at the application level and they're still there regardless of how hardened the environment is.

I bring this up because it's so easy for business managers to Web-enable anything and everything to woo their clients/customers. I'm seeing these types of Web vulnerabilities more and more. Business apps are cropping up on the Internet more and more - especially in the legal field. A lot of them are not being tested for security vulnerabilities in the slightest way. OK, some are being scanned with whatever freeware security scanner the network admin is familiar with, but that's not enough - not even close! Commercial OS and Web application scanners - and more importantly - manual testing is required to really figure out how Web portals such as this can be exploited.

There are so many complexities and variables in Web applications which, again, is one of the reasons I love testing software (see my related post on this). If you've got a law firm extranet or some other type of Web portal housing information you can't afford to have compromised, you've got to look at the environment from a malicious attacker's perspective. Test and test again - now and as long as the system is publicly-accessible. The Web application flaws will eventually be found by someone - might as well be you!

No comments:

Post a Comment