7 SaaS Web Vulnerability Scanners for Continuous Security

Detect security vulnerabilities before anyone else does, using a cloud-based web scanner.

Cyber attacks are increasing and are projected to cost businesses globally $2 trillion by 2019. The good news is that you can manage this risk with the right infrastructure, tools and skills.

Thousands of online businesses get attacked every day, and some of the largest hacks and attacks happened in 2016.

  • Dyn DDoS attack – took many websites down, including Netflix, SoundCloud, Spotify, Twitter, PayPal, Reddit, etc.
  • Dropbox hack – millions of user accounts were compromised
  • Yahoo – data breach
  • Ransomware – a large number of ransomware attacks

The latest Cyber Risk Report by HP reveals that 35% of tested applications had at least one critical or high-severity vulnerability.

Hackers use multiple techniques to attack web applications, so you need a scanner that detects a significant number of vulnerabilities. And for continuous security, you need to scan your website regularly, so you are the first to know about any new vulnerability.

The following are cloud-based web vulnerability scanners, so you don't need to install any software on your server.

Detectify

Detectify checks your website for more than 500 vulnerabilities, including the OWASP Top 10. You can integrate Detectify into your non-production environment, so you know about and fix the risk items before going to production.

Detectify is trusted by thousands of companies, including Trello, King, Trustpilot, BookMyShow, Pipedrive, etc.

You can run unlimited tests on demand or schedule regular scans of your website. After a scan, you can export the report as a summary or a full report, and you also have the option to integrate with the following.

  • Slack, PagerDuty, HipChat – get notified instantly
  • Trello – get results on a Trello board
  • JIRA – create an issue whenever a problem is detected
  • API – integrate with your own tooling through the API
  • Zapier – automate workflows with the Zapier integration

All findings are listed in the dashboard, so you can drill down to each risk item and take the necessary action.

Along with finding common web vulnerabilities, Detectify offers CMS security checks for WordPress, Joomla, Drupal and Magento, so CMS-specific risks are covered too.

So go ahead and find security risks before hackers do. You can get started with a 14-day free trial.

Acunetix

Acunetix offers an on-premises security scanner that runs on Windows, as well as a cloud-based scanner. Acunetix crawls and scans your website for more than 3000 vulnerabilities on almost any type of website.

Acunetix uses a fast, multi-threaded crawler and scanner, so your web operations are not interrupted during the scan.

If you are using WordPress, they have a dedicated scan feature that checks for more than 1200 plugin vulnerabilities and misconfigurations.

Acunetix analyzes the website's code and configuration during a scan and points out each vulnerability in the report with actionable information.

Qualys

Qualys is one of the most established security platforms; it offers not just web scanning but a whole suite of solutions:

In this article, however, we will focus only on Web Application Scanning (WAS).

Qualys WAS is an end-to-end scanning solution for finding website vulnerabilities and misconfigurations. You can automate the scanning and get notified whenever a risk is found.

You can use the dynamic deep scanning feature, where you specify a network IP range and let Qualys discover the web assets in it.

Not all vulnerabilities are critical or high-risk, so you can prioritize them by severity and act accordingly.

You can sign up for a trial to explore Qualys WAS.

Netsparker

Netsparker covers a large number of security checks, including:

  • Source code/database/stack trace/internal IP disclosure
  • SQL injection
  • XSS, DOM XSS
  • Command/blind command/frame/remote code injection
  • Local file inclusion
  • Open redirection
  • Web backdoor
  • Weak credentials

If your website is password protected, you specify the login URL and credentials, and Netsparker will automatically do what is necessary to execute the authenticated scan.

It's built for enterprises, which means you can scan thousands of websites simultaneously. Netsparker also has a desktop version for Windows.

Fortify

Fortify on Demand by HP Enterprise is a security testing and vulnerability management platform. You can manage your entire application security program from the centralized dashboard in five steps.

  1. Initiate
  2. Assess
  3. Report
  4. Remediate
  5. Retest

Not just web applications: with Fortify, you can scan mobile applications as well. Fortify provides a detailed, easy-to-understand report with:

  • Executive summary of the scan
  • Issue breakdown by rating and category
  • Item breakdown by OWASP Top 10
  • Item breakdown by analysis type

So don't ignore anything; test everything with Fortify on Demand. You can get started with a free trial.

Scan My Server

Scan My Server, powered by Beyond Security, offers free security testing for blogs and websites. If you are looking for a free solution, this would be the best deal.

Scan My Server checks your website for many vulnerabilities, including:

  • XSS
  • Malware
  • SQL injection
  • HTTP header injection

You can schedule the scan to run weekly or monthly and get notified of any findings. The vulnerability summary is categorized into High, Medium and Low risk levels.

Hacker Target

Hacker Target is different from the scanners listed above. They host open source vulnerability scanners and let you run scans against your own website.

They have 12 different scanners, which you can use under a simple membership plan. That is ideal if you want to use open source scanners but don't want to host them yourself.

To find vulnerabilities, the following tools on offer would be useful.

  • Nikto – checks your website for more than 5000 vulnerabilities and misconfigurations that could expose it to risk.
  • SQL Injection Test – tests the parameters of an HTTP GET request using the sqlmap tool.
  • WhatWeb Scan – fingerprints the web server and other technologies used to build the web application.

The SaaS (Software-as-a-Service) scanners listed above integrate with your web applications to find vulnerabilities for continuous security. They are essential for any online business, so you can fix weak points before someone leverages them to hack the site.

If you are using WordPress, Joomla, Magento, Drupal or any other blogging CMS, you may also be interested in protecting your website from online threats with a cloud-based security provider such as Incapsula, CloudFlare or SUCURI.

The best multisignature wallets for 2016

Standard Bitcoin transactions only require one signature, from the owner of the private key associated with the Bitcoin address. However, the Bitcoin network supports much more complicated transactions, which require multiple signatures to authorize.

Bitcoin multisignature addresses can have up to 15 associated private keys, although the most common is 3. The idea is that Bitcoins become “encumbered,” requiring the cooperation of separate parties in order to do anything with them. In a typical multisig situation, 2 out of 3 key holders need to authorize a transaction.

While a multisig wallet may not be the best choice for every bitcoin user, there simply isn’t a substitute when security is the primary concern. They let 2 people from the same business complete a third-party payment; one person generates a transaction while a second authorizes the payment. They also allow individual users to implement two-factor authentication, where one key is on your primary computer and a second is on your smartphone, so the funds cannot be spent without a signature from both devices.

P2SH.info keeps track of the number of bitcoins being held in 'pay to script hash' addresses, which account for most of the multisignature addresses in use. According to the service, about 10 percent of all bitcoins are currently held in multisignature wallets, or 1.5 million bitcoins today.

This means that only 10 percent of all existing bitcoins, at most, are being secured as well as they could be. If you’ve got a large stash of coins, and aren’t one of those 10 percent, it may be time for you to pick one of the many wallets that provide multisig security.
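The m-of-n encumbrance described above is encoded as a small Bitcoin script, and a P2SH address commits to the hash of that script. The following added example (mine, not code from the original post or any wallet listed here) builds and parses that redeem script and shows why P2SH multisig tops out at 15 compressed keys: the redeem script must stay within 520 bytes. The public keys are constructed placeholders, not real keys.

```python
# Added example (not from the original post): builds and parses the Bitcoin
# m-of-n multisignature redeem script that a P2SH multisig address commits to.
# The public keys used below are constructed placeholders, not real keys.

OP_CHECKMULTISIG = 0xAE
MAX_REDEEM_SCRIPT_BYTES = 520   # consensus limit on a P2SH redeem script
COMPRESSED_PUBKEY_LEN = 33      # 0x02/0x03 prefix + 32-byte x coordinate


def fake_pubkey(i):
    """Constructed placeholder key: right length, but not a real curve point."""
    return bytes([0x02]) + bytes([i + 1]) * 32


def small_int_opcode(n):
    """OP_1..OP_16 (0x51..0x60) push the numbers 1..16 onto the stack."""
    if not 1 <= n <= 16:
        raise ValueError("only 1..16 fit in a single small-int opcode")
    return bytes([0x50 + n])


def push_data(data):
    """Direct push: one length byte followed by the data (1..75 bytes)."""
    if not 1 <= len(data) <= 75:
        raise ValueError("direct push only covers 1..75 bytes")
    return bytes([len(data)]) + data


def multisig_redeem_script(m, pubkeys):
    """Encode OP_m <pk1> ... <pkn> OP_n OP_CHECKMULTISIG and enforce the
    limits that cap P2SH multisig at 15 compressed keys."""
    n = len(pubkeys)
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    if any(len(pk) != COMPRESSED_PUBKEY_LEN for pk in pubkeys):
        raise ValueError("expected 33-byte compressed public keys")
    script = (small_int_opcode(m)
              + b"".join(push_data(pk) for pk in pubkeys)
              + small_int_opcode(n)
              + bytes([OP_CHECKMULTISIG]))
    if len(script) > MAX_REDEEM_SCRIPT_BYTES:
        raise ValueError(f"redeem script is {len(script)} bytes, over the 520-byte limit")
    return script


def parse_multisig_redeem_script(script):
    """Inverse of the builder: returns (m, [pubkeys]) or raises if malformed."""
    if len(script) < 4 or script[-1] != OP_CHECKMULTISIG:
        raise ValueError("not an OP_CHECKMULTISIG script")
    m, n = script[0] - 0x50, script[-2] - 0x50
    if not 1 <= m <= n <= 16:
        raise ValueError("bad m/n opcodes")
    pubkeys, i = [], 1
    while i < len(script) - 2:
        length = script[i]
        pubkeys.append(script[i + 1:i + 1 + length])
        i += 1 + length
    if i != len(script) - 2 or len(pubkeys) != n:
        raise ValueError("pubkey pushes do not match n")
    return m, pubkeys


def max_multisig_keys():
    """Largest n for which an n-of-n redeem script still fits in 520 bytes."""
    best = 0
    for n in range(1, 17):
        try:
            multisig_redeem_script(n, [fake_pubkey(i) for i in range(n)])
            best = n
        except ValueError:
            break
    return best
```

A 2-of-3 script is 105 bytes (one opcode, three 34-byte pushes, OP_3, OP_CHECKMULTISIG); a 16-key script would be 547 bytes and is rejected, which is the 15-key ceiling the text mentions.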

The following 13 wallets are the only ones we could find today that offer multisignature addresses, and still appear to be supported. All have differing features, as they seem to solve slightly different problems, so it’s worth taking your time when choosing one.

Armory and mSigna assume that you aren't as safe as you can be without a local copy of the whole blockchain. While this is true for a very specific type of attack, the blockchain is over 50 gigabytes in size, and keeping it up to date means running the local machine 24/7. Other wallet makers vary in how they remotely sign transactions, while some don't sign at all, giving you all of the keys. Each of these differences needs to be carefully considered.

Armory is the original high-security wallet, developed way back in mid-2011. It has many unique options, but they can be more than a little overbearing for new users. It requires a local copy of the blockchain to be on the same machine, and it specializes in splitting your wallet in two. The ‘watch-only’ wallet has no private keys inside it, while the ‘cold wallet’ is intended to live on a different computer that never goes online.

There is no web portal nor signing service with Armory, but the wallet can be configured with up to 7 keys. It’s also the only wallet here to help you make paper wallets, for storing your coins totally on paper, even multiple pieces of paper for multisignature wallets.

Bitalo is a web-only wallet, and one of the least-known services on this list. Its lack of an open-source software client likely scares away quite a few of the security purists, but it comes with a full suite of adjoined services like an exchange, marketplace, classifieds, mining pool, and even a prediction market – which are all integrated with your wallet service on their site.

Bitalo allows for optional 2-factor authentication, but if you don't turn it on you won't have any way for them to sign with their key for you, so it's a necessity when dealing with multiple keys.

BitGo is one of the very largest wallet providers no matter how you measure. They also offer free insurance to all users in case of a hack.

You may find yourself using a BitGo wallet without even knowing it, as they are the only wallet on this list that integrates into third-party bitcoin exchanges and other financial services.

Block.io is a simple web-only wallet that also holds a few other altcoins like Doge and Litecoin, and has a very well-developed API for programmers. Unfortunately, they don’t offer an open source client, nor allow you to generate your own private keys locally.

Block.io uses ‘Green Addressing,’ which is a way to build up a sort of white list for familiar bitcoin addresses, which will save you money on transaction fees if you’re a repeat sender. Although nothing has been proven wrong about this practice, there have been many criticisms about green addressing over the years, and some point to the fact that many services in the past that used it, including Mt.Gox, are now out of business.

Blocktrail is a popular mobile wallet with a pretty, open source phone app that keeps one key and gives you two, so you can back one up off the phone and have full control when you need it. Two-factor authentication is optional.

When it’s time to spend some coins on Blocktrail, it sends your one signed key and then a password to them that unlocks your encrypted key that they’re holding onto, on the server, just for the one spend. That way they never really have any of your keys, but they hold onto one that is encrypted from them. This can be very secure but it relies on you remembering a password for this extra layer of security.

The most popular wallet on the list by far, Coinbase is more than a wallet service, it’s like a bank and exchange all rolled into one, with local websites and bank connections in 30 countries worldwide.

There is no such thing as anonymity while using Coinbase, and their client code is not open source in any way. They normally offer Insurance to their customers, but in the case of Multisignature “vaults” as they call them, they don’t offer insurance anymore because they don’t have full control over your coins that way. They do offer some interesting combinations for their multisignature addresses though, up to 3-of-6 with a variety of options for two-factor authentication on top of that.

The best reason to use Coinbase would be for the convenience of using their Shift debit card, but it does not appear that the Shift card will spend coins from a multisignature vault, only a normal wallet inside your Coinbase account.

Coinkite is a unique wallet in that it has the most options to experiment with, a powerful API and even tools and hardware for merchants. Starting with their ability to go all the way up to a 15-of-15 multisignature wallet, to integration with the Ledger hardware wallet, you can make a very safe and full-featured wallet with Coinkite.

It’s only a web-based wallet, but the helpful company built around it and numerous options on their website make it seem like a full enterprise solution, even just for an individual’s wallet.

Copay is a simple but very well-built wallet, that is available on many different platforms. It was developed specifically for multisignature use by the BitPay development team, and you can build and use up to 6-of-6 address wallets. They’ve even integrated the Trezor and Ledger hardware into Copay already.

They have added secure payment verification to these sleek little wallets, so especially while moving your funds, there is less reason to fear losing them by sending them to the wrong address.

Electrum is the most popular desktop-only wallet and the first to use Simple Payment Verification (SPV) as described by Satoshi in his whitepaper. That means that it only downloads the header for each block, which doesn’t take long at all, so it’s more secure than a web wallet while being almost as fast to use.

This high-privacy wallet has a reputation as the wallet of choice for the dark web, and has been constantly developed since 2011. It has the most hardware wallets integrated of all wallets, and it’s enjoyed a huge following ever since before it was included as the standard privacy wallet on all Tails installs.

It's also the only desktop-only client software that uses a 3rd-party service for key signing. TrustedCoin is a service provider that has been integrated into the software so that you can optionally choose a specific but powerful level of security. They call this two-factor authorization, but it's actually an instance of a 2-of-3 key multisignature wallet where TrustedCoin holds the 3rd key, you hold the other two, and they charge you a tiny fee to spend with them each time.

GreenAddress is a popular wallet that has some great features that no one else has picked up yet. For starters, it’s got the widest array of customizable ‘triggers,’ which tell the software when it’s ok to sign your transaction with their remote key. It’s also the only wallet that has been developed for every major platform, so it’s optimized for whatever device you’re using now.

As their name implies, they use green addresses to help save on your transaction fee costs. That can be a mixed blessing, but so far this wallet is building up quite a following and has even spun off a colored-coin wallet called GreenBits. With hardware support for both the Ledger and the Trezor, no other multisig wallet comes as well-rounded as this one does.

mSIGNA is the other 'old school' desktop-only wallet that uses a local blockchain, much like Armory does. It lets you make up to 8-of-8 key multisignature wallets though. Unlike Armory, you can generate a seed phrase to back up your wallet in a different way if needed.

The local blockchain appears to be an optional setting however, and in stark contrast to Armory, opening up the mSIGNA client can be very speedy for a local software client.

Huobi's QuickWallet is mainly popular in China, but offers an English version that has some strong features. This web-only wallet doesn't appear to have made its code open-source anywhere, although it may have been published in Chinese and simply be hard to find.

It’s the only wallet here that requires using Google Authenticator in order to have their key sign your transactions, which makes the service less anonymous because Google needs a phone number for that service.

Finally, Xapo is another popular bitcoin bank similar to Coinbase, and therefore needs your full identification. Xapo is, however, one of only two on our list that offers insurance on a multisignature wallet account.

There are many different trigger choices for initiating a spend, but multisig wallets are limited to only 2-of-3 keys. A Xapo debit card is also available, like Coinbase's Shift card, but it can't be shipped to US residents.

Improve your Website Security with SSL/TLS Certificate

Security is essential for any website, both to build the trust of visitors and for better search ranking. It's necessary for transactional or membership-based websites so that sensitive data is encrypted between the client and the server.

HTTPS also boosts search engine ranking, so you may consider having it for your blog as well.

If you are looking to implement a certificate on your website without spending money, here are a few Certificate Authorities (SSL providers) that can help.

The following acronyms are used below.

  • SSL – Secure Sockets Layer
  • TLS – Transport Layer Security
  • CDN – Content Delivery Network
  • DV – Domain Validated
  • ACME – Automated Certificate Management Environment

1. Let’s Encrypt

Let's Encrypt is a collaborative project with the Linux Foundation and a new certificate authority sponsored by Mozilla, Akamai, SiteGround, Cisco, Facebook, etc., which offers SSL certificates for free.

This is great for saving cost when implementing it in a non-production environment.

It's automated, which means you don't have to spend time creating a CSR and sending it to the CA to get it signed. It all happens in the background on your web servers.

2. Comodo

Comodo offers a free SSL certificate at zero cost for 90 days. This is a good fit if you are looking to play around with how SSL works or have a short-term project.

Get your free SSL cert issued in minutes with the highest strength and bit encryption. All major browsers recognize Comodo-issued certificates.

Update: SSL.com also provides a free SSL certificate for 90 days.

3. Cloud Flare

Cloud Flare is a CDN and security company. They make your website faster and more secure. Cloud Flare powers many popular sites, including Reddit, Yelp, Mozilla, StackOverflow, etc.

Recently, Cloud Flare announced Universal SSL for free for all users. That's right, even on the free plan. If you are using Cloud Flare and SSL is not yet activated, here is how you can do it quickly.

  • Log in to Cloud Flare
  • Select the website you want to enable SSL for
  • Click on the Crypto icon
  • Ensure it's configured as "Flexible" and the status shows "ACTIVE CERTIFICATE"

It may take a few seconds to go live; you can verify by accessing your website over https. Note that "Flexible" mode only encrypts the leg between the visitor and Cloud Flare; the connection from Cloud Flare to your origin server stays plain HTTP until you install a certificate on the origin and switch to "Full" mode.

4. StartCom

StartCom gives free certificates for personal use. In order to get the cert, you need to validate domain ownership.

You can have unlimited Class 1 DV SSL certificates for free! Good for a personal website/blog.

5. WoSign

WoSign is another authority that provides a certificate for 2 years at no cost. It supports the SHA-2 algorithm; the cert is issued by "WoSign CA Free SSL Certificate G2".

6. SSL For Free

SSL For Free uses the Let's Encrypt ACME server with domain validation to provide you a certificate. It's 100% free and certs are issued within minutes.

30 Days Free

You may also obtain a 30-day free trial from the following certificate providers.

I hope the above helps you get a free SSL certificate for your website/blog. Share this with your friends.

Setup Let’s Encrypt With Apache on Ubuntu 14.04

Let's Encrypt is a new certificate authority that issues SSL certificates for free. You can now use SSL without any extra costs. When using an SSL certificate, all traffic between the client and the server is encrypted, which drastically improves your website's security.

This guide covers the installation of a Let’s Encrypt certificate and automatic renewal on Ubuntu.

By the end of this tutorial you will have an Apache server set up on Ubuntu 14.04 with Let's Encrypt.

Step 1: Prerequisites

You will need a Vultr SSD cloud server with Ubuntu 14.04 installed. You will also need a LAMP stack (Apache, PHP, etc.). If you do not yet have a LAMP stack installed on your Vultr server, please refer to the following knowledge base article: How to Install Apache, MySQL, and PHP on Ubuntu.

Once you have a working LAMP stack on your Ubuntu server, you can proceed with installing Let's Encrypt.

In order to generate and install your SSL certificate, you will need Git to clone the Let’s Encrypt repository:

$[ubuntu] apt-get install git
$[ubuntu] git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt

This will download the Let’s Encrypt installer to /opt/letsencrypt.

Step 2: Generating a Let’s Encrypt SSL certificate

Let's Encrypt verifies your domain by setting up a temporary web server process on your Ubuntu server. This process runs independently of your Apache server. After the SSL certificate has been generated, the temporary web server process is automatically terminated by the Let's Encrypt installer. The installer then installs your newly created certificate on the Apache web server. Change into the directory you cloned in Step 1 and run the client:

$[ubuntu] cd /opt/letsencrypt
$[ubuntu] ./letsencrypt-auto --apache -d yourubuntuserver.example

If you want Let’s Encrypt to generate an SSL certificate for even more domains, simply add those domains to the command.

$[ubuntu] ./letsencrypt-auto --apache -d yourubuntuserver.example -d mysslcertificate.example

This feature is very handy for securing your www subdomain. Right now, users who visit your website with the www prefix will get an SSL error, which will hurt your reputation. To resolve it, use a command like this:

$[ubuntu] ./letsencrypt-auto --apache -d yourubuntuserver.example -d www.yourubuntuserver.example

The Let’s Encrypt client will now create a Let’s Encrypt SSL certificate not only for yourubuntuserver.example but also for www.yourubuntuserver.example!

Step 3: Forcing SSL

You can now force your Apache server to redirect all HTTP requests to HTTPS. The best way to do this is by creating an .htaccess file in your "www root" folder (this requires mod_rewrite to be enabled) and appending the following rewrite rules:

RewriteEngine On
# Only rewrite requests that arrived on the plain-HTTP port
RewriteCond %{SERVER_PORT} 80
# Send the client to the HTTPS version of the same path (replace letsencrypt.example with your domain)
RewriteRule ^(.*)$ https://letsencrypt.example/$1 [R,L]

All incoming traffic on HTTP port 80 will now be redirected to port 443, which uses your Let's Encrypt SSL certificate.

Step 4: Automatically renewing Let’s Encrypt certificates

As Let's Encrypt is a free certificate authority, it does not issue certificates valid for a year or longer; all Let's Encrypt certificates are valid for 90 days. Renewal can be automated with a cron job, which renews certificates when they are about to expire.

Open your crontab:

$[ubuntu] crontab -e

Append the following line to the crontab:

15 5 * * 5 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log

This cron job runs the /opt/letsencrypt/letsencrypt-auto renew command every Friday at 5:15 A.M. We have chosen to renew the certificates at this time because it is typically a period with little to no traffic on most sites, so visitors will not notice any slowdown while the server renews and checks all Let's Encrypt certificates.
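Step 2 relies on the temporary web server answering an ACME http-01 challenge. The following added example (mine, not code from the original tutorial or from the Let's Encrypt client) shows that exchange: the key authorization built from the challenge token and the account key's JWK thumbprint, where it must be served, and the comparison the CA performs before issuing. The JWK, token and domain are constructed placeholders.

```python
# Added example (not from the original tutorial): the ACME http-01 exchange
# behind Step 2, i.e. what the temporary web server must serve for the CA to
# validate the domain. The JWK and token below are constructed placeholders.
import base64
import hashlib
import json
import string

# RFC 7638: only these members, sorted by name, feed the thumbprint hash.
REQUIRED_JWK_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
B64URL_ALPHABET = set(string.ascii_letters + string.digits + "-_")


def b64url(data):
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk):
    """SHA-256 over the canonical JSON of the required members (RFC 7638).
    Member order and extra members such as 'kid' must not change the result."""
    try:
        members = REQUIRED_JWK_MEMBERS[jwk["kty"]]
        canonical = json.dumps({k: jwk[k] for k in members},
                               sort_keys=True, separators=(",", ":"))
    except KeyError as exc:
        raise ValueError(f"JWK is missing or has unsupported member {exc}")
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token, jwk):
    """RFC 8555 section 8.1: '<token>.<account key thumbprint>'."""
    if not token or any(c not in B64URL_ALPHABET for c in token):
        raise ValueError("token must be non-empty base64url text")
    return f"{token}.{jwk_thumbprint(jwk)}"


def challenge_url(domain, token):
    """Where the CA fetches the key authorization: plain HTTP on port 80,
    which is why the validation server must be reachable there."""
    return f"http://{domain}{CHALLENGE_PREFIX}{token}"


def ca_accepts(token, jwk, fetched_body):
    """The CA-side check: the fetched body must equal the key authorization
    (trailing whitespace is tolerated, RFC 8555 section 8.3)."""
    return fetched_body.rstrip() == key_authorization(token, jwk)


# Constructed placeholder account key (RSA JWK with a bogus modulus).
EXAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "n": "not-a-real-modulus", "kid": "acct-1"}
EXAMPLE_TOKEN = "constructed-token_0123456789abcdef"
```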

Your Ubuntu server is now running a fully functional LAMP stack and your website is using an SSL certificate from Let's Encrypt with automatic renewal set up.

It is possible to use more than one Let’s Encrypt SSL certificate on your server; simply follow step #2 again for each domain.

This concludes our tutorial, thank you for reading.