“We know that there’s nothing more frustrating than getting a failure mark on your quarterly scan report.”
But did you know that ten specific findings cause an automatic failure? If the scan turns up any of the following, the report fails no matter how clean the rest of it is:
- Operating system versions no longer supported by the vendor, such as Windows 2000 or end-of-life Linux distributions. Unsupported means unpatched: new vulnerabilities in them will never be fixed.
- Open access to databases from the Internet. All database connections should be safely hidden behind your firewall.
- Built-in or default accounts and passwords. If you’ve not changed the defaults, you’re in trouble.
- DNS servers that allow unrestricted DNS zone transfer. A configuration omission that lets any host on the Internet request a copy of your entire zone, handing an attacker a complete list of your hostnames and addresses.
- Unvalidated parameters that may lead to SQL injection attacks. A major cause of data loss and compromise, and very easy to prevent.
- Cross-site scripting (XSS) vulnerabilities. Another easy-to-fix issue that lets an attacker run script in your customers' browsers, which can be used to trick them into visiting fake websites, steal their sessions, and more.
- Directory traversal vulnerabilities. Another configuration or programming flaw that lets an attacker read files outside the web root, anywhere on the server the web server process can reach.
- HTTP response splitting/header injection. A flaw that lets an attacker inject extra headers into your server's response, enabling session hijacking or further attacks such as cross-site scripting.
- Remotely detectable backdoor applications installed on the servers. In this case, your system may already be compromised.
- Components that support SSL version 2.0 or older, or that support SSL v3.0/TLS v1.0 with 128-bit encryption in conjunction with SSL v2.0.
Of course, there are many other security issues that an ASV scan could identify; however, all of the above are treated as automatic failures, and that rule is common to every ASV rather than specific to any one scanning company.
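Three of the web-application findings in the list (SQL injection, directory traversal, and HTTP response splitting/header injection) are programming flaws that a developer can check for locally before the ASV scan ever runs. The following is an added example written for this page, not code from the original post: it shows each flaw beside the fix that clears it. The SQLite users table, the hypothetical web root of /var/www and the attacker inputs are all constructed for the demonstration.

```python
"""Added example (not from the original post): three of the web-application
findings above in vulnerable and fixed form, runnable offline.

  - SQL injection:        string-built query vs. parameterized query
  - Directory traversal:  naive path join vs. a join confined to the web root
  - Header injection:     unchecked Location value vs. CR/LF rejection

The SQLite users table, the web-root path and the attacker inputs are all
constructed here for the demonstration."""
import os
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table with two sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Unvalidated parameters pasted into the SQL text: the scan finding."""
    sql = ("SELECT username, role FROM users "
           "WHERE username = '%s' AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchall()


def login_fixed(conn: sqlite3.Connection, username: str, password: str):
    """Same lookup with bound parameters: input is data, never SQL syntax."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def file_path_vulnerable(web_root: str, requested: str) -> str:
    """Naive join: '../../etc/passwd' walks straight out of the web root."""
    return os.path.normpath(os.path.join(web_root, requested))


def file_path_fixed(web_root: str, requested: str) -> str:
    """Resolve the full path, then refuse anything that left the web root.
    Raises PermissionError instead of serving the file."""
    base = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/")))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError("requested path escapes the web root")
    return candidate


def is_confined(web_root: str, requested: str) -> bool:
    """True if file_path_fixed would serve the request, False if it refuses."""
    try:
        file_path_fixed(web_root, requested)
        return True
    except PermissionError:
        return False


def location_header_vulnerable(target: str) -> bytes:
    """Echoes the redirect target straight into the header block."""
    return b"Location: " + target.encode("latin-1") + b"\r\n"


def location_header_fixed(target: str) -> bytes:
    """Reject CR/LF so the value can never terminate the header and start
    another one (response splitting / header injection)."""
    if "\r" in target or "\n" in target:
        raise ValueError("CR/LF in header value")
    return b"Location: " + target.encode("latin-1") + b"\r\n"


def header_is_rejected(target: str) -> bool:
    """True if location_header_fixed refuses the value."""
    try:
        location_header_fixed(target)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    conn = make_db()
    bypass = "alice'-- "            # comments out the password check
    print("vulnerable:", login_vulnerable(conn, bypass, "wrong"))
    print("fixed:     ", login_fixed(conn, bypass, "wrong"))
    print(file_path_vulnerable("/var/www", "../../etc/passwd"))
    print(is_confined("/var/www", "../../etc/passwd"))
    crlf = "/home\r\nSet-Cookie: session=attacker"
    print(location_header_vulnerable(crlf))
    print(header_is_rejected(crlf))
```

Each vulnerable/fixed pair stands on its own. The path check compares resolved paths, so a symlink inside the web root that points outside it is refused as well, which is usually what you want for a public document root; the header check rejects rather than strips, because silently rewriting an attacker-supplied value tends to hide the bug from your logs.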