I have been involved in IT and security in one way or another for almost 30 years. I have worked full time for organizations and consulted in a wide variety of jobs and responsibilities. But one of the common issues I have seen and been part of is having a handle on what all of our domains are doing and how they are maintained. This problem becomes even worse when we attempt to determine where we should spend our limited security resources. So what do we do about it? (Hint: Secure Ideas is releasing a new product! <grin>)
A friend and customer of mine approached us last year with precisely this problem. His organization had tens of thousands of domains that were managed by multiple teams throughout the organization and hosted around the world at various sites and companies. What he needed was a scalable and fast mechanism to assess each site for security issues. This process had to run against tens of thousands of domains around the world without:
- Taking significant amount of time
- Causing issues with the assessed systems
- Violating terms and services of a vast variety of hosting and service providers
Let’s look at each of these requirements individually.
Not taking a significant amount of time: To get a proper triage of the risks and issues on public-facing domains, it is necessary to check these domains on a regular basis. It is also essential to get results as rapidly as possible. If it takes days to scan the systems, the results are not useful to an embedded testing process. As such, it is critical that the triage process runs in as speedy a manner as possible.
Our Scalable Web Application Triage (SWAT) product accomplishes this through two mechanisms. The mechanisms are scalability and asynchronous testing. By using serverless components via AWS, Secure Ideas has designed a system that can scale as needed while performing the tests. We will have a blog about this in the near future that explains the technology and how we made use of it.
Causing issues with the assessed systems: SWAT is designed (in its current version) to run against public-facing systems. This means that most of the domains will be hosting production systems so if the scanning causes issues, the scanning will need to stop. Especially since in some cases the security team doesn’t know who in the business owns the application. Secure Ideas also doesn’t want our scanner to be the cause of issues .
This means that all of our tests used for the triage have to be designed to have the highest confidence that they won’t cause issues. We evaluate each test to determine a few things:
- Benefit for triaging?
- What can we identify from the application?
- What impact does our scans have on the system triaged?
- Does it behave like an ordinary spider or does it do something hacky?
- Is it reliable?
- Are the results something we can depend upon?
Violating the terms of Service (ToS): The final thing we don’t want to have SWAT do is violate the terms of service for any of the targets or our hosting provider. As Secure Ideas scans the various target domains and applications, we need to ensure that nothing we do could be construed as a violation. We don’t want to cause political or organizational issues for ourselves or our customers.
To accomplish this, we do something that we have already explained. We try to ensure that all of our tests use requests that are similar to the variety of web spiders already wandering the Internet. We make simple requests and stay away from launching any attacks or things that will trigger an IDS.
So who needs this service? Well, I may be biased, but EVERYONE!!! Okay, maybe that isn’t right. <grin> But actually while any organization can make use of this service, we think there are a few specific types of organizations that would benefit this most. These are:
- Organizations with large numbers of domains
- Hosting companies
- IT Service organizations