how do you test a new site you had built for security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


marcth
Forum Contributor
Posts: 142
Joined: Mon Aug 25, 2008 8:16 am

Re: how do you test a new site you had built for security

Post by marcth »

onion2k wrote:
marcth wrote: In my opinion, the best way to test the code for security vulnerabilities is via unit tests :)
Right... you mean like writing a test to make sure known exploits like an SQL injection don't work? Yeah, that would be quite sensible I guess. It wouldn't make your site secure per se, but it would check the security measures you have thought of are working.

More importantly, if someone comes around, modifies your code and introduces a security vulnerability, your existing unit test will expose it immediately.
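The kind of regression test marcth describes, written out as an added example (not code posted in this thread). It assumes PHPUnit and the pdo_sqlite extension are available; the users table, the two lookup functions and the credentials are made up for illustration.

```php
<?php
// Added example: a PHPUnit regression test that checks a login lookup
// against a known SQL injection input, using an in-memory SQLite database.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)');
    $db->exec("INSERT INTO users (name, pass) VALUES ('alice', 'correct-horse')");
    return $db;
}

// Deliberately vulnerable lookup: user input is concatenated into the SQL.
function findUserUnsafe(PDO $db, string $name, string $pass): ?array {
    $sql = "SELECT id FROM users WHERE name = '$name' AND pass = '$pass'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened lookup: a prepared statement, so input is bound as data, never parsed as SQL.
function findUserSafe(PDO $db, string $name, string $pass): ?array {
    $stmt = $db->prepare('SELECT id FROM users WHERE name = :name AND pass = :pass');
    $stmt->execute([':name' => $name, ':pass' => $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

class LoginInjectionTest extends PHPUnit\Framework\TestCase {
    // Known-bad input: a tautology that makes a concatenated WHERE clause always true.
    private const INJECTION = "' OR '1'='1";

    public function testValidCredentialsStillWork(): void {
        $this->assertNotNull(findUserSafe(makeDb(), 'alice', 'correct-horse'));
    }

    // This is the regression guard: if someone later replaces the prepared
    // statement with string concatenation, this assertion fails.
    public function testInjectionPayloadIsRejected(): void {
        $this->assertNull(findUserSafe(makeDb(), 'alice', self::INJECTION));
    }

    // Documents why the guard exists: the unsafe version returns a row for the same input.
    public function testUnsafeVersionReturnsRowForInjection(): void {
        $this->assertNotNull(findUserUnsafe(makeDb(), 'alice', self::INJECTION));
    }
}
```

As onion2k notes, such a test only proves the specific defence you thought of still works; it says nothing about inputs or sinks you never tested.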
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: how do you test a new site you had built for security

Post by Mordred »

The point of existence of security flaws is that the programmer didn't think that the particular vulnerability exists in his code, so what is basically proposed with the idea of unit testing for security is that the programmers should know of (and know how to test for) every possible vulnerability out there. Would be nice, wouldn't it!

Apart from that, vulnerabilities may arise from strange border cases between different modules, so these would lie outside of the scope of unit testing.

No. Security measures should be general, and apply to the whole software. There are automated ways of testing for certain types, and these may help in educating the programmer, but not in actually "fixing" the code. What I mean is that - yes - a scanner will detect a vulnerable place, but if you patch it, you haven't fixed the vulnerability, you've just fixed one instance of it. Instead one should educate himself about the vulnerability and take general measures against it, so it would never happen again.