I'm working on a custom CMS app. To keep a long story short, this is the first app that I've built, my experience is limited, and this is a learning process for sure. Having said that, I'm really proud of it, and I'm getting a very positive response from the few that are using it. I would like to start sharing it with more people, and marketing it along with my design services. Here's the thing... I'm comfortable taking on the challenges that this project presents, and I'm comfortable answering for bugs and glitches that result from my inexperience. I'm not comfortable with users' data being unnecessarily vulnerable due to my inexperience. I hope this doesn't appear lazy. I've spent a ridiculous amount of time on this app and it's been a great experience so far. I'm just trying to be responsible and face my limitations. The more I learn about security, the more I realize I need to know, and I would simply rather put my time into other areas of the app.
I'm considering posting the project on a website like elance or something similar but I'm having trust issues with this. I have a working login system and I don't need someone to put their name on a login script and sell it to me. My problem is I don't know how to expose vulnerabilities or audit the security. If I did, obviously I would be more comfortable with my own script. So I would be at the mercy of the developer I hire. Is outsourcing security like this common practice?
The other solution I was hoping to find is a third party app that manages authentication etc... Maybe something that I could just hook into with my application? I've done some poking around but I haven't really found anything like this. If something like this exists, I think it would be ideal. Though it may sound silly, I have this feeling like if I was paying for something on a regular basis, there would be a certain level of accountability that goes along with that. Also, if the third party app was specifically built for that purpose, I would expect more quality and reliability.
I know this question is a little broad, but any advice or direction that anyone could offer would be greatly appreciated!! Thanks to you all for your time!!
Outsource security for my web app?
-
weismana81
- Forum Newbie
- Posts: 20
- Joined: Mon Feb 07, 2011 3:36 am
- flying_circus
- Forum Regular
- Posts: 732
- Joined: Wed Mar 05, 2008 10:23 pm
- Location: Sunriver, OR
Re: Outsource security for my web app?
You can farm out a security audit on your app in the end, but security is not an add-on object that can be added when the project is finished. You really need to follow best security practices before you write your first line of code.
If you want a good resource, pick up the book "php|architect's Guide to PHP Security" by Ilia Alshanetsky. It's small enough to not be intimidating, but is jam-packed with good practice.
Other good websites to visit are OWASP and phpappsec.
Good Luck!
-
weismana81
- Forum Newbie
- Posts: 20
- Joined: Mon Feb 07, 2011 3:36 am
Re: Outsource security for my web app?
Thanks for the advice and the resources! I guess I just need to suck it up and figure it out. Every time I look for shortcuts in development I end up regretting it anyway, so it's probably better I take the time and get it right. Thanks!!
-
nowaydown1
- Forum Contributor
- Posts: 169
- Joined: Sun Apr 27, 2008 1:22 am
Re: Outsource security for my web app?
I agree with the advice flying_circus gave you. You want security stuff to be part of your mindset for long term development. Otherwise, if you outsource it and have someone fix it for you, as soon as you start feature development again, you'll probably introduce new security issues. That said, I'll give a plug for Mordred here as maybe a good jumpstart for you. I've lurked on the forums for a few years now, and I've always agreed with the advice that he has given folks on security topics.
-
weismana81
- Forum Newbie
- Posts: 20
- Joined: Mon Feb 07, 2011 3:36 am
Re: Outsource security for my web app?
That looks like a great offer, Mordred, and I'll probably contact you in the future. I think I'll probably do some learning and do what I can to fix issues that I know of before I contact you in an effort to not waste your time with silliness. Thanks!!
Re: Outsource security for my web app?
A shorter alternative would be to just post your security problems/questions here; this is the purpose of this subforum.