secure

What is Pentesting, Vulnerability Scanning, which one do you need?

I get very often asked about these two concepts and I noticed that there is a lot of unclarity around these topics. At the end, I will tell you my own opinion and give you some advices.   Vulnerability scan Also known as Vulnerability Assessment, looks for known vulnerabilities in your systems and reports potential exposures. Vulnerability assessments are performed by using an off-the-shelf software package, such as Nessus or OpenVas to scan an IP address or range of IP addresses for known vulnerabilities. For example, the software has signatures for the Heartbleed bug or missing Apache web server patches and will alert if found. The software then produces a report that lists out found vulnerabilities and (depending on the software and options selected) will give an indication of the severity of the vulnerability and basic remediation steps. It’s important to keep in mind that these scanners use a list of known vulnerabilities, meaning they are already known to the security community, hackers and the software vendors. There are vulnerabilities that are unknown to the public at large and these scanners will not find them.   Penetration test (aka “pentest”) Designed to actually exploit weaknesses in the architecture of your…


No Image

How much is a blog instance worth?

I wrote in the post  Do you really know who’s visiting your website? about how often hackers probe my websites. IT Security News has of today this: 5,914 blocked malicious login attempts / was 2092 on May 8th 2,182 spam comments blocked by Akismet. / was 2115 on May 8th The login attempts more than doubled in just 5 weeks. Of course, they are all automated attacks, so we can’t really speak of an effort from anyone’s site.   Why ? If a hacker “owns” a website he is able to do a few things:  Change content and possible deliver malware to your readers Host individual “sub-pages” or “sub-websites” in your blog and reference them from email campaigns or post spams. Send mail from your blog to just anyone, but the worst is when it sends to your subscribers. All are very bad things as they ruin your website’s reputation and drives your visitors away. And they can happen all together or just any combination of them.   What can you do? It turns out that you can do quite a lot of things: don’t user the default admin account  (WordPress: admin) set a hard to guess password keep your blog and its extensions/plugins up to date don’t install…


%d bloggers like this:

By continuing to use the site, you agree to the use of cookies and to its Privacy Policy more information

The cookie settings on this website are set to "allow cookies" to give you the best browsing experience possible. If you continue to use this website without changing your cookie settings or you click "Accept" below then you are consenting to this.

Close