[OTish] Security Posture Review

As part of a periodic security review, I figured I’d poll fellow Lucee
users on their practices when it comes to things like penetration testing,
periodic scanning, automated code review, intrusion detection, and load
testing, especially in the context of smaller companies where the lines
between system administrators and system developers are necessarily
blurred. Are there any products or practices that you are using which you
would like to share with the community?

I feel that our mishmash of tools, while workable (OpenVAS, Ossec,
loader.io, Trustwave, FuseGuard, FusionReactor) could always be improved,
and while I know there are NetSec forums, I was interested in the practices
of companies using tools similar to our own.

Thanks!

This is a really interesting scanner I have been playing with…
https://subgraph.com/vega/
It is Eclipse RCP based, and allows you to write new scan tests in JS.

Also, ModSecurity is an invaluable tool, though incredibly underused,
misused and often unappreciated for it’s power, much like the Regular
Expression language that makes it so powerful.
http://www.modsecurity.org

Would love to talk more with other security minded nerds on this stuff as I
have dug deep in this area the past couple years and very much enjoy it.

Mike.On Tuesday, February 24, 2015 at 3:16:30 PM UTC-6, Juan Aguilar wrote:

As part of a periodic security review, I figured I’d poll fellow Lucee
users on their practices when it comes to things like penetration testing,
periodic scanning, automated code review, intrusion detection, and load
testing, especially in the context of smaller companies where the lines
between system administrators and system developers are necessarily
blurred. Are there any products or practices that you are using which you
would like to share with the community?

I feel that our mishmash of tools, while workable (OpenVAS, Ossec,
loader.io, Trustwave, FuseGuard, FusionReactor) could always be improved,
and while I know there are NetSec forums, I was interested in the practices
of companies using tools similar to our own.

Thanks!