how do you test a new site you had built for security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


tloftis
Forum Newbie
Posts: 21
Joined: Thu Apr 10, 2008 9:43 am

how do you test a new site you had built for security

Post by tloftis »

how do you test a new site you had built for security?

are any of you guys able to attempt to hack into it?

I want to make sure it is safe.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: how do you test a new site you had built for security

Post by Mordred »

Hire a professional pen-tester. There are two basic options to testing - blackbox (i.e. given only the URL) and whitebox (given the full source code). The two combined yield best results.
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Re: how do you test a new site you had built for security

Post by onion2k »

Put it live and see what happens.



Oh, wait, no, that's just what my boss thinks is the right way.
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Re: how do you test a new site you had built for security

Post by Maugrim_The_Reaper »

Best thing you can do is educate yourself on the security risks associated with any PHP application. Failing that you could hire someone else who already does. Look for security definitions of SQL Injection, Cross Site Scripting, Code Injection and Session Hijacking to get yourself started.

I'd also be careful about inviting hacking attempts on an online site even if it's yours - online attempts at hacking are technically illegal in many countries. In any case it's far more effective to give someone the source code to review than have them bumbling through forms reverse engineering how your underlying code probably works to create attacks.
tloftis
Forum Newbie
Posts: 21
Joined: Thu Apr 10, 2008 9:43 am

Re: how do you test a new site you had built for security

Post by tloftis »

where do you find a pen tester?
The_Anomaly
Forum Contributor
Posts: 196
Joined: Fri Aug 08, 2008 4:56 pm
Location: Tirana, Albania

Re: how do you test a new site you had built for security

Post by The_Anomaly »

The Open Web Application Security Project (OWASP) has a great top ten security flaws in sites. Reading all about those top ten, and utilizing the resources OWASP provides can give you a real good start.
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Re: how do you test a new site you had built for security

Post by onion2k »

What we really need is a 'top ten' list of security flaws. If only someone would link to one.

:twisted:
The_Anomaly
Forum Contributor
Posts: 196
Joined: Fri Aug 08, 2008 4:56 pm
Location: Tirana, Albania

Re: how do you test a new site you had built for security

Post by The_Anomaly »

Wow. I was very afraid that would happen. For some reason the site didn't load after I pressed submit, but it appears it submitted again and again. :(
onion2k wrote:What we really need is a 'top ten' list of security flaws. If only someone would link to one.

:twisted:
That's just wrong on so many levels :D
marcth
Forum Contributor
Posts: 142
Joined: Mon Aug 25, 2008 8:16 am

Re: how do you test a new site you had built for security

Post by marcth »

Unit Test. Google SimpleTest.

Edit: Or post a link to your site here :)
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Re: how do you test a new site you had built for security

Post by onion2k »

marcth wrote:Unit Test. Google SimpleTest.

Edit: Or post a link to your site here :)
Unit testing isn't a security measure. A unit test only makes sure the code does what you want it to do - if you have a flaw in your logic (which is the most common reason for a security issue) unit tests will happily let it through.
The_Anomaly
Forum Contributor
Posts: 196
Joined: Fri Aug 08, 2008 4:56 pm
Location: Tirana, Albania

Re: how do you test a new site you had built for security

Post by The_Anomaly »

marcth wrote:Unit Test. Google SimpleTest.

Edit: Or post a link to your site here :)
Just today I'm actually getting into Unit Testing, and I love the concept very dearly. However, how exactly would unit testing in particular be a solution to the question regarding testing a site for security flaws? I suppose you can make test cases for security situations, but from what I understand, the beauty of unit testing is that you can run and rerun them again and again to see if you broke something while refactoring. This would still apply in a security context, but not nearly as much as checking the site on a more global scale. For example, Unit Testing wouldn't protect the site from SQL Injection, nor would it check to see if he's not filtering a certain input.

EDIT: Bah, beaten.
marcth
Forum Contributor
Posts: 142
Joined: Mon Aug 25, 2008 8:16 am

Re: how do you test a new site you had built for security

Post by marcth »

onion2k wrote:
marcth wrote:Unit Test. Google SimpleTest.

Edit: Or post a link to your site here :)
Unit testing isn't a security measure. A unit test only makes sure the code does what you want it to do - if you have a flaw in your logic (which is the most common reason for a security issue) unit tests will happily let it through.
You are 100% correct. However, the original post said:
tloftis wrote:how do you test a new site you had built for security?

are any of you guys able to attempt to hack into it?

I want to make sure it is safe.
In my opinion, the best way to test the code for security vulnerabilities is via unit tests :)
onion2k
Jedi Mod
Posts: 5263
Joined: Tue Dec 21, 2004 5:03 pm
Location: usrlab.com

Re: how do you test a new site you had built for security

Post by onion2k »

marcth wrote:In my opinion, the best way to test the code for security vulnerabilities is via unit tests :)
Right.. you mean like writing a test to make sure known exploits like an SQL injection don't work? Yeah, that would be quite sensible I guess. It wouldn't make your site secure per se, but it would check the security measures you have thought of are working.
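The kind of test onion2k describes above (and that marcth argued for earlier in the thread), written out as an added example. This is not code posted by anyone in the thread; it is a stand-alone PHP script that builds an in-memory SQLite database through PDO, defines a deliberately vulnerable lookup next to a parameterized one, and runs both against a known SQL-injection payload. The table, the usernames and the function names are constructed for the example, and it assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not from the original thread.
// Shows a regression test that checks a known exploit (SQL injection) does not work
// against a data-access function. Requires PHP with the pdo_sqlite extension.
declare(strict_types=1);

// Constructed schema and sample rows for the example.
function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, password_hash TEXT NOT NULL)');
    $insert = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    foreach (['alice', 'bob', 'carol'] as $name) {
        $insert->execute([$name, password_hash($name . '-pw', PASSWORD_DEFAULT)]);
    }
    return $db;
}

// Vulnerable lookup (hypothetical name): string concatenation lets user input change
// the structure of the query, not just the value being compared.
function findUserUnsafe(PDO $db, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened lookup (hypothetical name): a bound parameter is always treated as data.
function findUserSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The security unit test: a classic tautology payload must behave exactly like any
// other unknown username, i.e. return zero rows. The two extra checks make sure a
// passing result is not just an empty or broken lookup.
function injectionResistant(callable $lookup): bool
{
    $db = makeDb();
    $payload = "x' OR '1'='1";

    $returnsNothingForPayload = count($lookup($db, $payload)) === 0;
    $findsRealUser            = count($lookup($db, 'alice')) === 1;
    $ignoresUnknownUser       = count($lookup($db, 'nobody')) === 0;

    return $returnsNothingForPayload && $findsRealUser && $ignoresUnknownUser;
}

foreach (['findUserUnsafe', 'findUserSafe'] as $fn) {
    printf("%-15s %s\n", $fn, injectionResistant($fn) ? 'PASS' : 'FAIL');
}
```

Run it with `php` from the command line. The point onion2k makes still holds: the test only catches this because its author already knew about the tautology payload. A lookup that is vulnerable to a payload the test does not contain (different quoting, a comment sequence, a second-order injection through data already stored in the table) would pass it just the same, so a suite like this confirms the defences you thought of are wired up correctly; it does not find the ones you forgot.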