3. Security tools

Security tools

The topic of "Security tools" and the vagueness of the questions are way too open for a reddit comment.

From a basic approach standpoint, scanning tools are a reactive -and all too often useless- tool, and security needs to be a proactive process.

"Malware" just doesn't work on web servers like it does on desktop. The environments are too varied, as is the code and the form the malware takes. A compromised WordPress site may be getting its bad code from an injection into what used to be a legitimate plugin file. The only way to find the file automatically would be to diff the files against source, which really can't be done in practice with any regularity or reliability.

The form the malware takes may also not be apparent to scanning tools. Not every hacked site is delivering known viruses to their clients. It could be mining bitcoins, sending spam, or just waiting on the ready to partake in a DDOS.

So security is proactive. Configurations and understanding your potential attack surface matter. I would begin by looking into penetration testing. There are Linux distros dedicated to finding holes.

At some point, security and convenience will clash and compromises need to be made. Part of security is disaster recovery and having a plan to restore backups and what the process of cleansing looks like. Sometimes restoring from a backup won't be enough, if you're simply restoring hacked code.

How you handle 200+ websites depends on how much control you have. Are these sites on shared hosting servers run by another company? They're all insecure.

Are they hosted on a dedicated server you run? That's potentially better, but you're still placing everyone in the same pool.

Can you divide your customers into their own VMs? That's getting much closer to ideal.

TL;DR It sounds like a non-answer, but front-end scanning is useless. The best tool is understanding your attack surface and how to recover in the event of a breach.

/r/webdev Thread
Previous
Next

Recently removed from /r/webdev

UK gov bootcamps I made a custom CMS from scratch for close friends and family :) How to transfer data from old database to new one How hard is it to get a job? Really losing motivation reading horror stories for self-taught people Webflow vs Wordpress | Newbie questions I made a service to get updates for games that you are interested in Neumorphism — Tailwind Components ✨ Hypertext Magic help needed How to become a web dev? Yo - instead of making fun of people's ideas - HELP THEM OUT and give them feedback! Its 2023 why aren't people using async await. Stack Overflow Where can I find a web developer to ask basic html and css questions? anyone know why setTimeout in this example just waits 600 milliseconds and them logs everything at once instead of logging one then in 600 milliseconds it logs the next? my thinking was that since foreach loops over each element in the array I can pause it each loop but that doesn't seem to work

More Random Comments

Should I (27M) break up with my girlfriend (24F)? Kai Leng should've been a squadmate in Mass Effect 2 What’s the best way to use a Molotov cocktail against a tank? How lonely are you? Like really? My GF hates our sex life and I left. Now I think I have made a mistake. Zelenskyy: “The enemy does not have a single chance in this people’s war” Putin humiliated as Ukraine boasts of 3,500 killed and 200 captured - '100% under control' Link Inside Where can I buy a gold or silver chain that I can wear? I have some coins but want to wear my precious metals POV: you enabled options trading 48 hours ago What is * your * autism like? How do you politely tell someone they are talking too much? How to make a better education system Fuck this game and fuck From Software Hypothetically, if you were a real life master and had Boudica (Rider) as a servant, how would you go about beating Yagyuu Munenori (Saber), hypothetically? "There are only two types of men, but of course I chose the one wahmyns complain about! Tee-hee!" (forums.red x-post)