Q: What is WSSA - Web Site Security Audit?
A: The WSSA website vulnerability scanner identifies your web site security risks by looking for weaknesses in your web site code and errors in your web server settings, and by detecting the results of viruses, trojans or worms. WSSA does this by scanning your web site from the outside to find system and application vulnerabilities.
WSSA uses technology originally developed for large corporations but is designed, delivered and priced to help every web site owner evaluate and manage their web site security.
Q: Is WSSA a hardware or software solution?
A: WSSA is a service we host and maintain. There is no hardware required or software download or installation.
Q: What kinds of vulnerabilities does WSSA detect?
A: WSSA detects all three web site weaknesses:
1) Poorly coded web pages, database connections that allow access to private data or other problems in any other application that may be available on your web site or server. Examples of this are SQL injection, XSS (cross site scripting), Remote File Inclusion, PHP/ASP Code Injection, Directory Traversal and File Disclosure. WSSA tests for thousands of known exploits.
2) Viruses, trojans or worms. WSSA's test database contains 'fingerprints' to identify all of these. For example, malicious code may open up a TCP port for unauthorized access from the internet.
3) System misconfiguration. For example, the system administrator may have installed a service using the widely known default user name or password, or may not have installed vital security updates/patches.
WSSA uses an extensive library of known security issues to comprehensively scan and detect vulnerabilities that are caused by the above three scenarios.
Q: How are SQL injection weaknesses discovered?
A: SQL Injection tests are done as follows:
- The web site is crawled.
- For every page on the web site, the scanner will determine if there are any dynamic parameters that can be used for attack.
- The list of pages with dynamic parameters is then checked for SQL injection by trying different attack methods.
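The second step above, building the list of pages with dynamic parameters, can be reproduced by a site owner as an input inventory to review against their own code. This is an added example, not WSSA's code; the crawl data, `FormParser` and `dynamic_inputs` are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, parse_qsl

# Constructed crawl output: URL -> HTML body (not from any real site).
CRAWLED = {
    "https://shop.example/": '<a href="/item?id=7">x</a><a href="/about.html">y</a>',
    "https://shop.example/item?id=7": '<form action="/search" method="post">'
        '<input name="q"><input name="page" type="hidden" value="1"></form>',
    "https://shop.example/item?id=9&ref=home": "",
    "https://shop.example/about.html": "",
}

class FormParser(HTMLParser):
    """Collects [method, action, field names] for each form on a page."""
    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append([(a.get("method") or "get").upper(), a.get("action") or "", []])
        elif tag in ("input", "select", "textarea") and self.forms and a.get("name"):
            # Hidden fields count too: the client can still change them.
            self.forms[-1][2].append(a["name"])

def dynamic_inputs(crawled):
    """Map (method, path) -> set of parameter names a client can supply."""
    found = {}
    for url, html in crawled.items():
        parts = urlsplit(url)
        # Query-string parameters seen on the crawled URL itself.
        names = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
        if names:
            found.setdefault(("GET", parts.path), set()).update(names)
        # Form fields, attributed to the endpoint the form submits to.
        parser = FormParser()
        parser.feed(html)
        for method, action, fields in parser.forms:
            if fields:
                path = urlsplit(urljoin(url, action)).path
                found.setdefault((method, path), set()).update(fields)
    return found

if __name__ == "__main__":
    for (method, path), names in sorted(dynamic_inputs(CRAWLED).items()):
        print(method, path, sorted(names))
```

Each endpoint in the resulting inventory is a place where the server-side code should be checked for parameterized queries and input validation.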
Q: Does WSSA require installation of agents on the systems that are to be scanned?
A: No, WSSA does not require any software agents on any system.
Q: Isn't a firewall supposed to protect against all attacks originating from the internet?
A: A firewall is vital and protects networks, web sites, web servers and web applications from unauthorized access. However, if an attacker uses authorized access points, a legitimate IP address and a port which is meant to be open, just like a site visitor would, the firewall will not stop them. Your best defense is to find the weaknesses that may exist in your code, server or applications, and fix them.
Q: Do I need both anti-virus software and WSSA?
A: Yes. Anti-virus software is designed to protect a system from incoming, known viruses, worms & trojans. WSSA is designed to locate weaknesses that could allow unwanted human access (and thus damage or loss of data) to your site. As such, WSSA complements anti-virus solutions in protecting your system.
Q: Does WSSA do repairs when vulnerabilities are discovered?
A: WSSA locates risks and recommends solutions that your webmaster will install and test to ensure they are working properly. Solutions often involve updating software with patches provided by its developers, or changing settings to close ports that don't need to be open. Some involve simple things, like changing default passwords that were provided with new applications and accidentally left in place.
Q: Does a WSSA scan look like an attack to an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS)?
A: As scanning is essentially a vulnerability assessment, WSSA sends out packets that are much like those used by a hacker. As such, an IPS/IDS in the network may report a WSSA scan.
Q: How do I cancel my account?
A: Just email Support@BeyondSecurity.com, or call: +1-800-801-2821. Your current service period will run to its end and then your account will be suspended. You can re-activate your account at any time.
About the Beyond Security Seal:
Q: What does the Beyond Security Seal cost?
A: The Seal is included in Basic and Advanced service levels. After you have completed your initial port scan and have resolved your risks, simply download and install the seal.
Q: How do I install the Beyond Security Seal on my web site?
A: Your Web developer or Web site administrator can download the seal script from your WSSA account and add it to the appropriate pages.
Q: How soon will the Beyond Security Seal display on my site?
A: The seal is easy to install and will display soon.
Q: How can I get the best results with my Beyond Security Seal?
A: Display the Beyond Security Seal on every page where you ask a visitor to enter personal data or a password. Also, displaying the seal on your home page will encourage visitors to start shopping.