how do you test a new site you had built for security
Posted: Mon Sep 22, 2008 8:51 pm
by tloftis
how do you test a new site you had built for security?
are any of you guys able to attempt to hack into it?
I want to make sure it is safe.
Re: how do you test a new site you had built for security
Posted: Tue Sep 23, 2008 3:04 am
by Mordred
Hire a professional pen-tester. There are two basic options to testing - blackbox (i.e. given only the URL) and whitebox (given the full source code). The two combined yield best results.
Re: how do you test a new site you had built for security
Posted: Tue Sep 23, 2008 3:12 am
by onion2k
Put it live and see what happens.
Oh, wait, no, that's just what my boss thinks is the right way.
Re: how do you test a new site you had built for security
Posted: Tue Sep 23, 2008 3:25 am
by Maugrim_The_Reaper
Best thing you can do is educate yourself on the security risks associated with any PHP application. Failing that you could hire someone else who already does. Look for security definitions of SQL Injection, Cross Site Scripting, Code Injection and Session Hijacking to get yourself started.
I'd also be careful about inviting hacking attempts on an online site even if it's yours - online attempts at hacking are technically illegal in many countries. In any case it's far more effective to give someone the source code to review than have them bumbling through forms reverse engineering how your underlying code probably works to create attacks.
Re: how do you test a new site you had built for security
Posted: Tue Sep 23, 2008 6:37 am
by tloftis
where do you find a pen tester?
Re: how do you test a new site you had built for security
Posted: Fri Sep 26, 2008 3:12 am
by The_Anomaly
The Open Web Application Security Project (OWASP) has a great top ten security flaws in sites. Reading all about those top ten, and utilizing the resources OWASP provides can give you a real good start.
Re: how do you test a new site you had built for security
Posted: Fri Sep 26, 2008 3:13 am
by The_Anomaly
The Open Web Application Security Project (OWASP) has a great top ten security flaws in sites. Reading all about those top ten, and utilizing the resources OWASP provides can give you a real good start.
Re: how do you test a new site you had built for security
Posted: Fri Sep 26, 2008 3:13 am
by The_Anomaly
The Open Web Application Security Project (OWASP) has a great top ten security flaws in sites. Reading all about those top ten, and utilizing the resources OWASP provides can give you a real good start.
Re: how do you test a new site you had built for security
Posted: Fri Sep 26, 2008 4:53 am
by onion2k
What we really need is a 'top ten' list of security flaws. If only someone would link to one.

Re: how do you test a new site you had built for security
Posted: Fri Sep 26, 2008 8:02 am
by The_Anomaly
Wow. I was very afraid that would happen. For some reason the site didn't load after I pressed submit, but it appears it submitted again and again.
What we really need is a 'top ten' list of security flaws. If only someone would link to one.

That's just wrong on so many levels

Re: how do you test a new site you had built for security
Posted: Fri Sep 26, 2008 8:07 am
by marcth
Unit Test. Google SimpleTest.
Edit: Or post a link to your site here

Re: how do you test a new site you had built for security
Posted: Fri Sep 26, 2008 8:26 am
by onion2k
marcth wrote: Unit Test. Google SimpleTest.
Edit: Or post a link to your site here

Unit testing isn't a security measure. A unit test only makes sure the code does what you want it to do - if you have a flaw in your logic (which is the most common reason for a security issue) unit tests will happily let it through.
Re: how do you test a new site you had built for security
Posted: Fri Sep 26, 2008 8:27 am
by The_Anomaly
marcth wrote: Unit Test. Google SimpleTest.
Edit: Or post a link to your site here

Just today I'm actually getting into Unit Testing, and I love the concept very dearly. However, how exactly would unit testing in particular be a solution to the question regarding testing a site for security flaws? I suppose you can make test cases for security situations, but from what I understand, the beauty of unit testing is that you can run and rerun them again and again to see if you broke something while refactoring. This would still apply in a security context, but not nearly as much as checking the site on a more global scale. For example, Unit Testing wouldn't protect the site from SQL Injection, nor would it check to see if he's not filtering a certain input.
EDIT: Bah, beaten.
Re: how do you test a new site you had built for security
Posted: Fri Sep 26, 2008 8:32 am
by marcth
onion2k wrote: marcth wrote: Unit Test. Google SimpleTest.
Edit: Or post a link to your site here

Unit testing isn't a security measure. A unit test only makes sure the code does what you want it to do - if you have a flaw in your logic (which is the most common reason for a security issue) unit tests will happily let it through.
You are 100% correct. However, the original post said:
tloftis wrote: how do you test a new site you had built for security?
are any of you guys able to attempt to hack into it?
I want to make sure it is safe.
In my opinion, the best way to test the code for security vulnerabilities is via unit tests

Re: how do you test a new site you had built for security
Posted: Fri Sep 26, 2008 8:35 am
by onion2k
marcth wrote: In my opinion, the best way to test the code for security vulnerabilities is via unit tests

Right... you mean like writing a test to make sure known exploits like an SQL injection don't work? Yeah, that would be quite sensible I guess. It wouldn't make your site secure per se, but it would check the security measures you have thought of are working.
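The kind of test onion2k and marcth are describing, as an added example that is not code from anyone in the thread: a PHP check that a user lookup does not break under the textbook SQL injection payload. It runs the same test against a string-concatenated query (the flaw) and a prepared statement (the fix), using PDO with an in-memory SQLite database so it needs no server. The function names, table and sample rows are my own assumptions; the assertions are plain PHP so they can be dropped into a SimpleTest or PHPUnit case as-is.

```php
<?php
// Added example, not from the thread: a unit-style test that checks a
// database lookup is not vulnerable to SQL injection. Function names,
// table layout and sample data are assumptions made for this example.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    // Constructed sample rows.
    foreach (['alice', 'bob', 'carol'] as $name) {
        $db->prepare('INSERT INTO users (name) VALUES (?)')->execute([$name]);
    }
    return $db;
}

// The flaw: user input concatenated straight into the SQL string.
function findUserVulnerable(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// The fix: a prepared statement; the input is bound as data, never parsed as SQL.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The test: looking up a name that does not exist must return no rows,
// even when that "name" is the classic tautology payload, and a normal
// lookup must still find exactly one row.
function injectionTest(callable $finder): bool
{
    $db = makeDb();
    $payload = "' OR '1'='1";
    try {
        $rows = $finder($db, $payload);
    } catch (PDOException $e) {
        // A query error on odd input is also a finding, but it is not the
        // data leak this particular test is looking for.
        return false;
    }
    return count($rows) === 0
        && count($finder($db, 'alice')) === 1;
}

foreach (['findUserVulnerable', 'findUserSafe'] as $fn) {
    printf("%-18s %s\n", $fn, injectionTest($fn) ? 'PASS' : 'FAIL');
}
```

The concatenated version turns the payload into `WHERE name = '' OR '1'='1'`, which matches every row, so it fails the test; the prepared statement compares the literal string and returns nothing, so it passes. As onion2k says, this only proves that the one measure you thought of is working; it says nothing about the query you forgot to test.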