Implementation of an Online Security Check Service

Online Security Check Service

At a time when digital security is increasingly crucial, protecting public-facing websites is a priority. This research, conducted by Furkan Kizilbayir as part of his study in ‘BSc in IT – Cyber Security & Cloud’ at Hogeschool Utrecht, focuses on developing an online security check. The aim is to raise awareness among potential customers about vulnerabilities in their public domains, such as web applications accessible via the internet. Using Open Source tools, the project generates comprehensible security reports. This article provides an in-depth exploration of the research, its findings and its implications for digital security.

Online Security Check - Project

Project description

LinProfs faces the challenge of enhancing the security of its IT infrastructure and raising awareness among potential customers about security risks. To address this, LinProfs introduces a new service: ‘an online security check for websites’. This service provides potential customers with rapid insights into the security status of their public domains using Open Source tools for automated security scans and report generation. The goal is to integrate this functionality into the website of LinProfs, enabling potential customers to quickly access this important information.

Aspects & criteria tool

The research identified the aspects that security scans of public domains must cover, as well as the criteria essential for selecting Open Source tools. For public domains, a precise definition of the scanning scope is crucial, together with compliance with regulations such as the GDPR and coverage of the vulnerability classes in the OWASP Top 10. Broad coverage of security and vulnerability aspects, backed by an active community for support, makes the scanning process more effective.

When selecting Open Source tools, various criteria must be considered. These include the quality of vulnerability testing and support for compliance testing against the GDPR and standards such as ISO 27001 and ISO 27002. Additionally, factors such as scan speed, efficient resource utilization, community response time, update frequency, maintenance and integrability play significant roles.

Ethics, privacy and law

When implementing the security check on the website of LinProfs, various ethical, privacy and legal considerations are crucial. Ethical considerations, aligned with international standards such as the ISO 27000 series, include ensuring the Confidentiality, Integrity and Availability (CIA) of the service. Several verification methods, such as adding a TXT record, placing an HTML file on the web server and inserting a meta tag in the HTML code of the homepage, are used to confirm that the person requesting a scan actually controls the domain, so that a scan is only ever run against a domain whose owner has asked for it.

Here is a summary of the GDPR privacy rules for compliance during the development and implementation of the security check:

Legal requirements, such as obtaining user consent, establishing liability, and drafting clear terms of use, must be complied with to meet legislation such as the GDPR. This includes preparing terms of use with specific provisions regarding the scope of the service, data collection and usage, confidentiality and security, and liability, as supported by the ISO 27000 series.

Security scanning tools

During the research, various Open Source tools were identified for performing security scans and generating reports. This selection involved an analysis of sources such as official websites, forums and technical documentation. The following tools emerged:

  • OpenVAS: OpenVAS was chosen for its reputation as an Open Source vulnerability scanner with a community that frequently contributes.
  • Wapiti: Wapiti was selected for its ability to detect vulnerabilities in web applications.
  • Arachni: Arachni offers a wide range of scan capabilities for web applications, making it a suitable addition.
  • W3af: W3af was chosen for its popularity and extensive functionality as an Open Source web application security scanner.
  • ZAP: ZAP was chosen for its reliability and user-friendliness in scanning web applications.
  • Nessus (Essentials): Nessus (Essentials) was chosen for its comprehensive scanning capabilities and detailed reporting functions for analyzing security risks.
  • Acunetix: Acunetix is a web vulnerability scanner with advanced scanning capabilities and reporting functionality.
  • Probely: Probely offers advanced scanning capabilities and a user-friendly interface, making it suitable for identifying vulnerabilities in web applications.
  • Invicti: Invicti provides vulnerability analysis in web applications, with advanced scanning capabilities and comprehensive reporting features.

Given the limited number of available Open Source tools, some commercial (non-Open Source) options such as Acunetix, Nessus Essentials, Probely and Invicti were also considered. This was necessary to gain a comprehensive overview of all available options for security scans. They have been analyzed and identified as viable options for further evaluation.

Each tool has been meticulously assessed based on criteria such as performance in vulnerability testing, compliance testing, scan speed, resource usage, community response time and integrability.

Secure integration options

The security scanning and reporting functionality on the website of LinProfs has been integrated through a custom WordPress plugin that drives ZAP via its API. This solution provides users with a streamlined and secure experience.
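As an added illustration (not the plugin's own code, which runs as PHP inside WordPress), the following Python sketch shows the sequence a server-side component drives through the ZAP JSON API: spider the target, run an active scan, poll until both finish, then collect the alerts. The ZAP base URL, the API key, the `verified_host` guard and the injected `get` function are assumptions made for this example; in production `get` would be a real HTTP client, the ZAP instance and its API key would stay on the server, and the browser would never talk to ZAP directly.

```python
import json
import time
from typing import Callable, Dict, List
from urllib.parse import urlencode, urlparse


def is_allowed_target(verified_host: str, target: str) -> bool:
    """Only scan the exact host that passed domain verification.

    Comparing the full hostname (not a prefix or substring) stops requests
    such as https://example.com.evil.example/ from slipping through.
    """
    parsed = urlparse(target)
    host = (parsed.hostname or "").lower().rstrip(".")
    return parsed.scheme in ("http", "https") and host == verified_host.lower().rstrip(".")


class ZapScanner:
    """Minimal driver for the ZAP JSON API (spider -> active scan -> alerts).

    `get(url, headers)` is injected so the flow can run offline in tests;
    in production it would wrap an HTTP client such as requests.get.
    """

    def __init__(self, base_url: str, api_key: str,
                 get: Callable[[str, Dict[str, str]], str],
                 verified_host: str, sleep=time.sleep):
        self.base = base_url.rstrip("/")       # e.g. http://127.0.0.1:8080 (assumed)
        self.api_key = api_key
        self.get = get
        self.verified_host = verified_host
        self.sleep = sleep

    def _call(self, component: str, kind: str, name: str, **params) -> dict:
        url = f"{self.base}/JSON/{component}/{kind}/{name}/"
        if params:
            url += "?" + urlencode(params)
        # ZAP accepts the key in the X-ZAP-API-Key header, keeping it out of URLs and logs.
        return json.loads(self.get(url, {"X-ZAP-API-Key": self.api_key}))

    def _wait(self, component: str, scan_id: str, interval: float = 2.0, max_polls: int = 900) -> None:
        """Poll <component>/view/status until ZAP reports 100 percent."""
        for _ in range(max_polls):
            status = int(self._call(component, "view", "status", scanId=scan_id)["status"])
            if status >= 100:
                return
            self.sleep(interval)
        raise TimeoutError(f"{component} scan {scan_id} did not finish")

    def run(self, target: str) -> List[dict]:
        if not is_allowed_target(self.verified_host, target):
            raise ValueError(f"refusing to scan {target!r}: not the verified domain")
        spider_id = self._call("spider", "action", "scan", url=target)["scan"]
        self._wait("spider", spider_id)
        ascan_id = self._call("ascan", "action", "scan", url=target, recurse="true")["scan"]
        self._wait("ascan", ascan_id)
        # Alerts carry a 'risk' field: High, Medium, Low or Informational.
        return self._call("core", "view", "alerts", baseurl=target)["alerts"]


def summarize(alerts: List[dict]) -> Dict[str, int]:
    """Count alerts per risk level for the customer-facing summary."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        risk = alert.get("risk", "Unknown")
        counts[risk] = counts.get(risk, 0) + 1
    return counts
```

The host check runs before any ZAP call, so the plugin cannot be turned into a scanner for arbitrary third-party sites even if the request parameters are tampered with after verification.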

Key to this integration is the implementation of several domain verification methods, such as TXT records, HTML files and meta tags, to confirm that the requester controls the domain before any scan is started, so that the service cannot be used to scan third-party domains.
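The three verification methods named above and in the ethics section, written out as an added Python example rather than the plugin's own code. The token format, the record prefix `linprofs-verification=`, the file name `linprofs-verification.html` and the meta tag name are assumptions for this illustration; DNS and HTTP access are injected so the logic runs offline.

```python
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Assumed formats for this example; the page does not name the plugin's own.
TXT_PREFIX = "linprofs-verification="
HTML_FILE_NAME = "linprofs-verification.html"
META_NAME = "linprofs-verification"

# Syntactic hostname check: labels of letters/digits/hyphens, alphabetic TLD.
# Raw IP addresses and bare names like 'localhost' do not match, which keeps
# the scanner pointed at public domains only.
_HOSTNAME = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")


def is_valid_domain(domain: str) -> bool:
    return bool(_HOSTNAME.match(domain.strip().lower().rstrip(".")))


def new_token() -> str:
    """Random per-request token the requester must publish on the domain."""
    return secrets.token_urlsafe(24)


@dataclass
class Verifier:
    txt_lookup: Callable[[str], Iterable[str]]   # domain -> TXT record strings
    http_get: Callable[[str], Optional[str]]     # url -> body, or None on failure

    @staticmethod
    def _matches(found: str, expected: str) -> bool:
        # Constant-time comparison; tokens are ASCII so encoding is safe.
        return hmac.compare_digest(found.strip().encode(), expected.encode())

    def via_txt(self, domain: str, token: str) -> bool:
        for rec in self.txt_lookup(domain):
            rec = rec.strip().strip('"')        # resolvers often return quoted strings
            if rec.startswith(TXT_PREFIX) and self._matches(rec[len(TXT_PREFIX):], token):
                return True
        return False

    def via_html_file(self, domain: str, token: str) -> bool:
        body = self.http_get(f"https://{domain}/{HTML_FILE_NAME}")
        return body is not None and self._matches(body, token)

    def via_meta_tag(self, domain: str, token: str) -> bool:
        body = self.http_get(f"https://{domain}/")
        if body is None:
            return False
        # Only the <head> of the homepage counts, so content an untrusted user
        # can inject into the page body (a comment, a forum post) does not pass.
        head = body.split("</head>", 1)[0]
        pattern = re.compile(
            r'<meta\s+name=["\']%s["\']\s+content=["\']([^"\']+)["\']' % re.escape(META_NAME),
            re.IGNORECASE)
        return any(self._matches(value, token) for value in pattern.findall(head))

    def verify(self, domain: str, token: str) -> Optional[str]:
        """Return the name of the first method that succeeds, or None."""
        if not is_valid_domain(domain):
            return None
        domain = domain.strip().lower().rstrip(".")
        for name, check in (("txt", self.via_txt),
                            ("html_file", self.via_html_file),
                            ("meta", self.via_meta_tag)):
            if check(domain, token):
                return name
        return None
```

In production `txt_lookup` would wrap a DNS resolver and `http_get` an HTTP client with a short timeout and no redirects, so that a homepage redirecting to another host cannot satisfy the check for that host.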

Reports are delivered via unique download links that are valid for a single use and additionally require the user to be authenticated, so that a leaked link alone does not expose a report. This ensures the confidentiality of the data and restricts access to authorized users only.
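One way to implement such links, as an added Python example that is not the plugin's own code: each link carries a random token, only a hash of the token is stored server-side, the record is bound to the user who requested the scan, and redeeming it marks it used and also enforces an expiry. The one-hour TTL, the `link_id.token` layout and the in-memory store are assumptions for this illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class ReportLink:
    report_id: str
    user_id: str
    token_hash: bytes        # only the hash is stored; the link itself is the secret
    expires_at: float
    used: bool = False


class ReportLinkStore:
    """Issues single-use, time-limited download links bound to one user."""

    def __init__(self, ttl_seconds: float = 3600, now=time.time):
        self.ttl = ttl_seconds
        self.now = now           # injectable clock so expiry can be tested
        self._links: Dict[str, ReportLink] = {}   # link_id -> record (a DB table in practice)

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def issue(self, report_id: str, user_id: str) -> str:
        link_id = secrets.token_urlsafe(8)        # public lookup key
        token = secrets.token_urlsafe(32)         # secret part, never stored in clear
        self._links[link_id] = ReportLink(report_id, user_id, self._hash(token),
                                          self.now() + self.ttl)
        # token_urlsafe never produces '.', so it is a safe separator.
        return f"{link_id}.{token}"

    def redeem(self, link: str, authenticated_user: Optional[str]) -> Optional[str]:
        """Return the report_id and consume the link, or None if any check fails."""
        if authenticated_user is None:           # login is required on top of the link
            return None
        link_id, _, token = link.partition(".")
        rec = self._links.get(link_id)
        if rec is None:
            return None
        ok = (not rec.used
              and self.now() <= rec.expires_at
              and hmac.compare_digest(rec.token_hash, self._hash(token))
              and hmac.compare_digest(rec.user_id.encode(), authenticated_user.encode()))
        if not ok:
            return None
        rec.used = True                          # single use: a replay now fails
        return rec.report_id
```

The decisive check is that the link is tied to the authenticated account: forwarding the link to someone else, or guessing one, yields nothing without that user's session, and even the legitimate user gets exactly one download per link.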

The plugin itself also restricts direct web access to its own directory, so its files cannot be requested directly through the web server, which further strengthens the overall security of the LinProfs website.

Furthermore, significant attention has been given to user experience with a user-friendly interface featuring clear navigation, step-by-step guidance, and fast loading times, enhancing accessibility and user trust. Clear instructions are provided to users needing assistance with the technical aspects of domain verification.

Conclusion

After a thorough evaluation of the available Open Source tools and integration possibilities, the conclusion is that a custom WordPress plugin built on the ZAP API provides a suitable solution for LinProfs. This approach enables LinProfs to run security scans and generate detailed reports effectively. The plugin ensures a secure experience for users, maintaining the integrity of the service through strict domain verification and confidential report delivery via unique, single-use download links. By adhering to ethical, privacy and legal guidelines such as the GDPR, LinProfs strengthens its position as a trustworthy partner in cybersecurity.

