In the last 6 months, I have noticed that there is an exponential increase in hacking activities specially targeted to CMS based websites i.e. Wordpress and Joomla. Both these platforms offer business owners a comfortable base to built application within no time.

Security study has again proved that most of the web application security attacks (approx 85% as per Gartner and NIST) are generated from application layer. It has always been a challenge for developers to validate parameters in URL, HTTP header, HTP request and non-editable fields on the page.

Many times I have encountered a problem with projects where large scanning of network host is required. In that case, you simply cannot expect your consultant to scan each host individually, analyze output and list down all vulnerable ports/services. Yes..we can even detect open ports with Nessus but still it has a host limitation per scan.

In the process of automating network scans for large networks there is a necessity to automate Nessus scans as well. The major advantage and most important point of this automation is that it allows you to do a Schedule scan in Home Feed version (which is only available in Pro feed) and the easiest part is your scans would run as if you are running from your Nessus web interface client.

The next step is to configure ModSecurity with OWASP CRS (Core Rule Set) rules.

We were motivated to write about it when few of our clients just instantly asked us about blocking all known malicious web attacks at web server level itself. We quickly suggested them an open source, reliable WAF solution that suffice to their requirement. Obviously, just installing WAF does not mean that you do not need application security controls.