re: If you were tasked to conduct a security audit on a server/database-backed web app, where would you start?

You should check:

  • Web language security patches
  • Web framework security patches
  • Web application passes OWASP
  • Web server access
  • Database server access
  • Database users
  • Permissions for the users on the webserver
  • Contents of the data on the database (you could easily find spam if the web layer is insecure)
  • If the servers are accessible from the web without a VPN or proper security (AWS has a good direction on that)
  • If the server OS has the latest security patches
  • CVEs

In the majority of cases, you will very likely be dealing with outdated servers and unauthorized access or improper permissions for user access.

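Three items on the checklist above (database server access, database users, and whether the servers are reachable from the web) can be triaged from two command outputs. The script below is an added example, not code from the original post: it parses constructed samples of `ss -H -ltn` (listening TCP sockets) and of `SELECT user, host, super_priv FROM mysql.user` exported as tab-separated text, and flags backend services bound to every interface and database accounts that may connect from any host or hold SUPER remotely. The column layouts, the port-to-service table and the sample data are assumptions made for the example.

```python
"""Audit triage for network-exposed backends and over-broad MySQL accounts.

Added example for the checklist above; the sample outputs below are
constructed for illustration and are not taken from any real host.
"""

# Constructed sample of `ss -H -ltn`: State Recv-Q Send-Q Local:Port Peer:Port
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 70 *:3306 *:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 [::]:5432 [::]:*
"""

# Constructed sample of `SELECT user, host, super_priv FROM mysql.user`,
# exported as tab-separated rows without a header.
MYSQL_USERS = """\
root\tlocalhost\tY
app\t%\tN
app\t10.0.0.5\tN
admin\t%\tY
backup\tlocalhost\tN
"""

# Assumed port-to-service map for services that should never face the internet.
BACKEND_PORTS = {3306: "mysql", 5432: "postgres", 6379: "redis", 27017: "mongodb"}
# Bind addresses that mean "every interface" in ss output (IPv4 and IPv6 forms).
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}


def parse_ss(text):
    """Return (local_addr, port) for every LISTEN row of `ss -H -ltn` output."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # rpartition keeps IPv6 addresses like "[::]" intact.
        addr, _, port = fields[3].rpartition(":")
        sockets.append((addr, int(port)))
    return sockets


def exposed_backends(sockets):
    """Backend services bound to all interfaces, i.e. reachable from any
    network the host is attached to rather than loopback or a private VPN."""
    return sorted(
        (port, BACKEND_PORTS[port])
        for addr, port in sockets
        if port in BACKEND_PORTS and addr in WILDCARD_ADDRS
    )


def parse_mysql_users(text):
    """Return (user, host, has_super) tuples from the TSV export."""
    rows = []
    for line in text.splitlines():
        user, host, super_priv = line.split("\t")
        rows.append((user, host, super_priv == "Y"))
    return rows


def risky_db_accounts(rows):
    """Flag accounts allowed from any host ('%') and SUPER on non-local accounts."""
    findings = []
    for user, host, has_super in rows:
        if host == "%":
            findings.append(f"{user}@{host}: connect allowed from any host")
        if has_super and host != "localhost":
            findings.append(f"{user}@{host}: SUPER privilege on a remote-capable account")
    return findings


def audit(ss_text=SS_OUTPUT, users_text=MYSQL_USERS):
    """Run both checks and return the findings as a dict."""
    return {
        "exposed_backends": exposed_backends(parse_ss(ss_text)),
        "risky_db_accounts": risky_db_accounts(parse_mysql_users(users_text)),
    }


if __name__ == "__main__":
    for section, items in audit().items():
        print(section)
        for item in items:
            print("  -", item)
```

On a real engagement, replace the two constants with the captured output of `ss -H -ltn` on the server and of the `mysql.user` query (run as an administrative user), and extend `BACKEND_PORTS` with whatever else the stack runs. A backend bound to `0.0.0.0` is only a finding if the host firewall or cloud security group does not already block it, so confirm each hit against those rules before reporting it.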