how to know it is hacker safe
hi
I wrote a php web interface in which I validate the user, and send data to and from a database and make use of sessions and hashing. I'm very new to php so it all was with the help of forums and sample code. Now I've been approached by another company who would like to buy the code for a similar implementation they have.
My question is: how can I know my code is hacker safe. Is there some sort of certificate that you can get, or how can I otherwise know that my data is secure?
tx
truthfully, i don't think there is any sort of certification. they will just have to take your word for it.
but if you want to see based on the responses from other developers, the best way to see if it really is hacker safe is to post the code. at least the portions you are uncertain about. delete sensitive information such as actual username/password/hostnames from it as you would then just be opening yourself up.
if you are worried about posting your script here because you are afraid they could use something in it to gain access to your site, well you probably aren't that secure to begin with. but if you are worried about someone stealing your code, i think there are license policies and all kinds of other stuff that prevents them from doing so and being able to sell it without your consent. may want to check with someone else on that though.
all in all though, no one is really hacker safe. if a hacker wants to gain access to your site, he/she will. the best thing you can do is try to make your code as secure as possible, and make the hacker's point of entry be through the server's vulnerabilities, not your scripts'.
hi
i'd love to post my code here, though i think it is a little too much and few people would take the effort to go through it. i'm not too worried about copyright, it's all pretty standard stuff and few people would have use for it anyway.
are there some tips somewhere that contain do's and do not's about writing web-based scripts, i'm sure i've made a few basic mistakes just by not knowing the correct way...
you could take a look at this : http://pdos.lcs.mit.edu/cookies/pubs/webauth:tr.pdf for Do's and Don'ts in Web application programming
I don't think you should be considering paid work installing sites with secure login systems: if you have to ask, you're not ready. If it all goes wrong it could be very bad for your professional reputation, not to mention whatever harm might be done to the company concerned.
In saying that, I don't want to discourage you from learning about it. You'll get a lot of help on this forum and I'd post a few security tutorial links myself but I'm away from home and don't have my bookmarks - leave a pm for me if you want some more info when I get back.
-
microthick
- Forum Regular
- Posts: 543
- Joined: Wed Sep 24, 2003 2:15 pm
- Location: Vancouver, BC
cybaf wrote: you could take a look at this : http://pdos.lcs.mit.edu/cookies/pubs/webauth:tr.pdf for Do's and Don'ts in Web application programming
What a great article.
Bookmarked and printed.
I usually look at my code in an open source-attacker sort of way. I imagine someone released this piece of software to the world, and I was hired by the company to try my hardest at breaking into the script or doing something malicious and wrong.
I believe some software companies do this also. Not in the sense that the programmers themselves try to hack their own code, but hire others to sniff through bugs. Sometimes people pick up on things you don't and vice versa.
Anyway, after trying to break into the system any way you know how, and failing, I think it should be proof enough your script is secure. =)
-
microthick
- Forum Regular
- Posts: 543
- Joined: Wed Sep 24, 2003 2:15 pm
- Location: Vancouver, BC
Here's another good whitepaper showing how adversaries may use SQL injection to hack your site.
I'm using this to test my own apps now.
http://www.appsecinc.com/presentations/ ... ection.pdf