Wednesday, August 31, 2016

Dealing with hosting/cloud vendors who want to push their SOC audit reports on you

How do you know that your hosted Web application or similar cloud environment is secure and resilient to attacks? Well, if you're like the seeming majority of organizations, you look to the SOC 2 report of the hosting/cloud provider. SOC 2 reports came in when the old SAS 70 service auditor reports were retired, and they cover the provider's controls over security, availability, processing integrity, confidentiality, and privacy. Each year, I review a dozen or so such reports as part of my consulting and security assessment services, and they're quite in-depth, providing worthy guidance on data center operations. But guess what? They tell you little to nothing about the technical vulnerabilities in your Web applications and servers. And guess what else? That's where the majority of your vulnerabilities are, at least according to the research that comes out every year.

So, when you or someone you've hired wants to test specific systems that are not under your direct control, what do you do? Ask your host/cloud vendors politely and hope they'll let you. Most vendors are okay with it, but there are some out there who are absolutely against it. These companies will go to great lengths to keep people from scanning and testing systems hosted in their environment, often in the name of minimizing the impact on their other hosted customers. It's "for the greater good"; therefore, you just need to trust that all is well in their environment, on your systems, and in and around every other party that's involved. Ha! If hosted security were only that simple.

People are territorial. The last thing a CTO or network architect at one of these vendors wants is for an outside party to point out the flaws in his environment. It's like calling his baby ugly, and people just don't take too kindly to that. Even if you approach this from the perspective of "we just need to find the flaws before the bad guys exploit them in order to minimize our risks," people are still guarded. This is especially true if it's a third-party relationship, i.e. an outsider such as myself testing the security of a client's Web application that's hosted by a third party.

If you're wondering (or required to determine) where things stand with your hosted/cloud environment, security-wise, and you're not able to test yourself, ask the following questions:

• When was the last time you performed a full security assessment of the systems that involve our environment?

• Did you run Web-specific tests using Web vulnerability scanners?

• Can I see a copy of that report? (Vulnerability scanner reports won't cut it.)

• How can we test for Web vulnerabilities with user authentication? Some of the nastiest Web security flaws exist behind the login prompt, where unauthenticated scans never reach. Is your vendor going to be given login credentials for thorough authenticated scans and manual analysis? If not, who will?

• When's the next round of testing going to be?

If I were responsible for the security of a Web application or similar online environment, I'd most certainly want to know how things look operationally. Again, that's what SOC reports are great for. Still, I know that the big vulnerabilities that are exploited and get businesses into the headlines don't typically involve physical security, user account management, data backups and the like. Instead, it's things like SQL injection, weak passwords, missing patches and other common technical weaknesses. People who assume that a clean (or abysmal) SOC 2 report is reflective of the true technical security posture of their full online presence are deluding themselves. I've heard these same concerns from data center auditors. There's a lot of confusion in the marketplace on this point, and it leaves technical vulnerabilities in place, unnecessarily and for far too long, which negates whatever security benefit the audit was supposed to provide.

Don't fall into this trap. Do your vulnerability scans. Follow up with manual analysis (penetration testing) to see what can be done and from what angles. And do this over and over again, alongside the SOC 2 (or similar) audits. That's the only way you're going to know where everything stands. Any other approach, even when your environment is hosted by someone else who proclaims to have things under control, is dangerous at best. Ask the tough questions of your hosting/cloud vendor(s). If they're not willing to let you test your own systems in their environment, make them do the dirty work (ideally by hiring a third party) and show that all's well. Otherwise, find another provider before your existing one's practices make you look bad.

About the Author

Kevin Beaver is an information security consultant, expert witness, writer, and professional speaker with Atlanta-based Principle Logic, LLC. Having over 26 years of experience in the industry and 20 years focusing on security, Kevin specializes in performing independent security assessments of Web applications and network systems. He has written 12 books on information security including Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at www.principlelogic.com and you can follow him on Twitter at @kevinbeaver.


Source: Dealing with hosting/cloud vendors who want to push their SOC audit reports on you
