Security report handling

A guide to Security report handling

A security report is a report outlining various potential security risks with an application or web setup. Security reports can come from various sources like security researchers, automated security scanning companies and bug bounty programmers doing penetration testing (Pen Testing). At DynamicWeb we are committed to helping you avoid potential security issues, and in this guide we will go through some of the steps you can take to ensure that you're well prepared for any pen testing.

Please note:

• Automated security scans conducted before a site is fully set up in relation to security settings, may produce reports indicating security flaws, which may not be a problem when examined
• Misconfigurations such as inadequate permission configurations, default settings, or incomplete security setups can often trigger false positives in security scans
• Many potential security issues may also come from outdated system components or other infrastructure components

As such, it is imperative that you make sure to setup DynamicWeb, your server, and any other components before penetration testing. Enhance security measures to their utmost capacity for optimal protection.

DynamicWeb initial security setup

Here are our recommendations for an initial security configuration:

1. Check the security settings and make sure all relevant settings are active and enabled. Pay special attention to settings in:
   • Forms
   • SQL injections
   • Security headers
2. Check the password security settings for backend and frontend users
3. Other important security parameters are:
   • Make sure that site is running a supported DynamicWeb release. This is to make sure the latest security updates are deployed, see our bug fix policy and security bug fix policy for details
   • Review any external components for potential security flaws. If in doubt, disable them before running the test
   • Check that the server is set up following current best security practices
   • Make sure the site has a valid HTTPS certificate
4. Use common sense:
   • In order to provide an accurate representation, the site should be in a state that mirrors the everyday setup, with maximum security activated
   • Areas anticipated to pose challenges prior to testing should be assessed and contextualized in terms of their influence on overall security. If necessary, these areas should be optimized before initiating the security test.

Testing

Once everything is set up optimally, the security scanning can be conducted, and the report generated.

Please note:

• Keep an eye on the security test to ensure it does not impact the site's availability and performance while it is running
• Don´t change the setup of the site while report is generated

Analysing security reports

Once you receive the report, read it thoroughly. This is probably the most important piece of advice:

• Often findings are categorized into different levels/category of severity - it is important to use common sense when analysing the report
• For each issue, consider the security impact and whether it has any relevance for the website, as some of the findings may consist of minor issues that have no significant impact on security.
• For each issue, check if the issues is due to misconfigurations, such as inadequate permission configurations, default settings, or incomplete security configurations as outlined above

If important security issues are detected in the report please report this to DynamicWeb Care Support.

Care Support will conduct an evaluation and risk assessment of potential security issues, classifying the issue according to severity on the CVSS industry standard, see our security bug fix policy for details, before confirming that we've received your report. Please note that in accordance to standard industry practice we will not release details regarding security fixes. You can see our resolution time frames here.

Security lifecycle

Remember to continuously maintain the security of a website and web application throughout its lifecycle. You should continually:

• Conduct recurring reviews and evaluations of the security measures to identify areas for improvement
• Conduct manual reviews alongside automated scans - this can help with verifying the accuracy of any automated findings and identifying the root causes of any flagged issues
• Updating security protocols as needed
• Stay proactive and act rather than react to evolving threats