how do you test a new site you had built for security
how do you test a new site you had built for security?
are any of you guys able to attempt to hack into it?
I want to make sure it is safe.
Re: how do you test a new site you had built for security
Hire a professional pen-tester. There are two basic options to testing - blackbox (i.e. given only the URL) and whitebox (given the full source code). The two combined yield best results.
Re: how do you test a new site you had built for security
Put it live and see what happens.
Oh, wait, no, that's just what my boss thinks is the right way.
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
Re: how do you test a new site you had built for security
Best thing you can do is educate yourself on the security risks associated with any PHP application. Failing that you could hire someone else who already does. Look for security definitions of SQL Injection, Cross Site Scripting, Code Injection and Session Hijacking to get yourself started.
I'd also be careful about inviting hacking attempts on an online site even if its yours - online attempts at hacking are technically illegal in many countries. In any case it's far more effective to give someone the source code to review than have them bumbling through forms reverse engineering how your underlying code probably works to create attacks.
Re: how do you test a new site you had built for security
where do you find a pen tester?
- The_Anomaly
- Forum Contributor
- Posts: 196
- Joined: Fri Aug 08, 2008 4:56 pm
- Location: Tirana, Albania
Re: how do you test a new site you had built for security
The Open Web Application Security Project (OWASP) has a great top ten security flaws in sites. Reading all about those top ten, and utilizing the resources OWASP provides can give you a real good start.
Re: how do you test a new site you had built for security
What we really need is a 'top ten' list of security flaws. If only someone would link to one.

- The_Anomaly
- Forum Contributor
- Posts: 196
- Joined: Fri Aug 08, 2008 4:56 pm
- Location: Tirana, Albania
Re: how do you test a new site you had built for security
Quote:
What we really need is a 'top ten' list of security flaws. If only someone would link to one.

Wow. I was very afraid that would happen. For some reason the site didn't load after I pressed submit, but it appears it submitted again and again.

That's just wrong on so many levels.
Re: how do you test a new site you had built for security
Unit Test. Google SimpleTest.
Edit: Or post a link to your site here
Re: how do you test a new site you had built for security
marcth wrote:
Unit Test. Google SimpleTest.
Edit: Or post a link to your site here

Unit testing isn't a security measure. A unit test only makes sure the code does what you want it to do - if you have a flaw in your logic (which is the most common reason for a security issue) unit tests will happily let it through.
- The_Anomaly
- Forum Contributor
- Posts: 196
- Joined: Fri Aug 08, 2008 4:56 pm
- Location: Tirana, Albania
Re: how do you test a new site you had built for security
marcth wrote:
Unit Test. Google SimpleTest.
Edit: Or post a link to your site here

Just today I'm actually getting into Unit Testing, and I love the concept very dearly. However, how exactly would unit testing in particular be a solution to the question regarding testing a site for security flaws? I suppose you can make test cases for security situations, but from what I understand, the beauty of unit testing is that you can run and rerun them again and again to see if you broke something while refactoring. This would still apply in a security context, but not nearly as much as checking the site on a more global scale. For example, Unit Testing wouldn't protect the site from SQL Injection, nor would it check to see if he's not filtering a certain input.

EDIT: Bah, beaten.
Re: how do you test a new site you had built for security
onion2k wrote:
marcth wrote:
Unit Test. Google SimpleTest.
Edit: Or post a link to your site here

Unit testing isn't a security measure. A unit test only makes sure the code does what you want it to do - if you have a flaw in your logic (which is the most common reason for a security issue) unit tests will happily let it through.

You are 100% correct. However, the original post said:

tloftis wrote:
how do you test a new site you had built for security?
are any of you guys able to attempt to hack into it?
I want to make sure it is safe.

In my opinion, the best way to test the code for security vulnerabilities is via unit tests
Re: how do you test a new site you had built for security
marcth wrote:
In my opinion, the best way to test the code for security vulnerabilities is via unit tests

Right.. you mean like writing a test to make sure known exploits like an SQL injection don't work? Yeah, that would be quite sensible I guess. It wouldn't make your site secure per se, but it would check the security measures you have thought of are working.
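An added illustration of the two points made above (not code from any poster; written in Python with sqlite3 rather than PHP/SimpleTest, and using a constructed in-memory table): a regression test that confirms a parameterised lookup treats hostile-looking input as a literal, catches a string-built query that does not, and still says nothing about a separate authorisation logic flaw, which is onion2k's caveat.

```python
import sqlite3

def make_db():
    # Constructed sample data for the example; not from the thread.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "user")])
    return db

def find_user_concat(db, name):
    # The 'before' a review should catch: SQL assembled from the raw value.
    # Kept only so the regression check below can be seen failing it.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql).fetchall()]

def find_user(db, name):
    # The security measure the site author "thought of": a bound parameter,
    # so the driver never interprets the value as SQL.
    rows = db.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows.fetchall()]

# A hostile-looking value a test can feed in; it must match no user.
HOSTILE_NAME = "' OR '1'='1"

def resists_injection(lookup):
    """The test marcth describes: a lookup passes only if a normal name still
    works and the hostile-looking value is treated as a literal (no rows)."""
    db = make_db()
    return lookup(db, "alice") == ["alice"] and lookup(db, HOSTILE_NAME) == []

def is_admin(db, name, claimed_role):
    # Deliberate logic flaw to show onion2k's point: it trusts a caller-supplied
    # role instead of the stored one. No injection test will flag this; only a
    # test written with the flaw in mind (or a code review) would.
    return claimed_role == "admin" and bool(find_user(db, name))

if __name__ == "__main__":
    print("parameterised lookup resists injection:", resists_injection(find_user))
    print("string-built lookup resists injection:", resists_injection(find_user_concat))
    print("bob passes as admin by claiming it:", is_admin(make_db(), "bob", "admin"))
```

Run it and the first check is True, the second False, and the third True even though the code is wrong: the test suite only measures the defences you already had in mind.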