How can I check the security of my website?
What are the best ways to avoid security holes?
-
- http://php-ids.org/
- http://pixybox.seclab.tuwien.ac.at/pixy/othertools.php
- Lots of reading on security papers
-
JavaScript / SQL injections would be the first thing I'd safeguard against. Also keep in mind that there are possible holes if you let users upload files to the site. Also be wary of admin control panels (cPanel, etc.), as they could be targeted by brute-forcing attacks.
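The three points in the answer above, shown side by side as an added example (not code from the question or from any answer on this page): a string-built SQL query beside its parameterised form, unescaped HTML output beside escaped output, and a per-account lockout counter as the cheapest defence against online brute forcing of a login. The page's tooling is PHP-oriented; the example uses Python's standard library so it runs offline, and the comments name the PHP equivalent of each fix. The users table, the credentials and the attacker inputs are constructed for the demo, and passwords are stored in clear only to keep it short.

```python
"""Injection and brute-force defences for a login flow.

Added illustration, not code from the page. The users table, credentials and
attacker inputs are constructed; passwords are stored in clear only to keep the
demo short (real code stores password_hash() output and compares with
password_verify()).
"""
import html
import sqlite3
from collections import defaultdict


def make_db() -> sqlite3.Connection:
    """In-memory users table with two constructed accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "correct horse"), ("bob", "hunter2")])
    db.commit()
    return db


def login_vulnerable(db, name, pw):
    """String-built query: attacker-controlled text becomes SQL syntax."""
    q = f"SELECT name FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return [row[0] for row in db.execute(q)]


def login_safe(db, name, pw):
    """Placeholders keep input as data (PHP: PDO prepared statements)."""
    q = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in db.execute(q, (name, pw))]


def greeting_vulnerable(name):
    """User text pasted into HTML unescaped: reflected/stored XSS."""
    return f"<p>Welcome, {name}</p>"


def greeting_safe(name):
    """Escape on output (PHP: htmlspecialchars($name, ENT_QUOTES))."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"


class LoginGate:
    """Lock an account after `limit` consecutive failures, the minimal
    counter-measure against online brute forcing of an admin login."""

    def __init__(self, db, limit=5):
        self.db = db
        self.limit = limit
        self.failures = defaultdict(int)

    def attempt(self, name, pw):
        if self.failures[name] >= self.limit:
            return "locked"          # refuse even a correct password
        if login_safe(self.db, name, pw):
            self.failures[name] = 0
            return "ok"
        self.failures[name] += 1
        return "denied"


def demo():
    """Run the three checks and return the observations as a dict."""
    db = make_db()
    tautology = "' OR '1'='1"        # constructed attacker input
    payload = "<script>alert(1)</script>"
    gate = LoginGate(make_db(), limit=3)
    for _ in range(3):
        gate.attempt("bob", "wrong")
    return {
        # the tautology turns the WHERE clause into (... AND pw='') OR '1'='1'
        "vulnerable_login_bypass": sorted(login_vulnerable(db, "alice", tautology)),
        "safe_login_bypass": login_safe(db, "alice", tautology),
        "vulnerable_greeting": greeting_vulnerable(payload),
        "safe_greeting": greeting_safe(payload),
        "after_lockout_correct_pw": gate.attempt("bob", "hunter2"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the string-built query returning every user for the tautology while the parameterised one returns nothing, the escaped greeting containing no live tag, and the correct password being refused once the account is locked.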
-
Check this question, and all the related questions on the right.
-
If you use any 3rd-party libraries, make sure to subscribe to their news listings, and try to be informed of their security notices.
I saw an entire server taken out by a vulnerability in a 3rd-party PHP library once, which really was not pleasant. This may seem obvious, but you'd be surprised that the majority of people don't do this, which is why the invasions are so effective. :)
-
If you don't have the skill/resources to do your own security testing, I would recommend WebInspect. I am not sure of the price, but this is the best tool I have tested for web security testing. A lot of tools such as Nessus won't really help in your case, because they are looking mainly at known flaws in the web server or in known packages.
benlumley: There are companies that offer this sort of testing on a regular basis as a service as well.
-
Ratproxy:
A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.
Detects and prioritizes broad classes of security problems, such as dynamic cross-site trust model considerations, script inclusion issues, content serving problems, insufficient XSRF and XSS defenses, and much more.
You use ratproxy while you use the application as normal, and it highlights potential security flaws.
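The kind of passive check described in the answer above, as an added example that is not ratproxy's own code: the function below inspects HTTP responses that have already been captured and flags three of the problem classes listed, scripts included from another origin, POST forms with no anti-CSRF hidden field, and a JSON body served as text/html (which a browser renders in a scriptable context). It sends no requests of its own. The captured responses and hostnames are constructed, and the rule that a hidden input whose name contains "csrf" counts as a token is an assumption made for the demo.

```python
"""Passive response audit in the spirit of ratproxy.

Added illustration, not ratproxy's code. Runs over already-captured responses
(here: constructed samples) and never issues a request. Assumptions: header
keys are lower-cased, and a form counts as protected when it carries a hidden
input whose name contains "csrf"; hosts and bodies are made up for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _Collector(HTMLParser):
    """Record script sources and, per form, whether a CSRF token is present."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.forms = []
        self._form = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "form":
            self._form = {"method": (a.get("method") or "get").lower(),
                          "has_token": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            if a.get("type", "").lower() == "hidden" and "csrf" in a.get("name", "").lower():
                self._form["has_token"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit_response(url, headers, body):
    """Return a list of finding strings for one captured response."""
    findings = []
    page_host = urlparse(url).hostname
    ctype = headers.get("content-type", "").lower()
    if not ctype.startswith("text/html"):
        return findings            # only HTML-typed responses are examined here

    # Content-serving problem: JSON labelled as HTML renders in a scriptable context.
    if body.lstrip().startswith(("{", "[")):
        findings.append("json-served-as-text/html")

    collector = _Collector()
    collector.feed(body)
    for src in collector.scripts:
        # Script inclusion: code from another origin runs with this page's trust.
        src_host = urlparse(src).hostname
        if src_host and src_host != page_host:
            findings.append(f"cross-origin-script: {src}")
    for form in collector.forms:
        # Insufficient XSRF defence: state-changing form with no token.
        if form["method"] == "post" and not form["has_token"]:
            findings.append("form-without-csrf-token")
    return findings


# Constructed captures: (url, response headers, body).
SAMPLE_RESPONSES = [
    ("https://shop.example/cart", {"content-type": "text/html; charset=utf-8"},
     '<html><body><script src="https://cdn.example.net/lib.js"></script>'
     '<form method="post" action="/cart/checkout"><input name="qty"></form>'
     '</body></html>'),
    ("https://shop.example/account", {"content-type": "text/html"},
     '<html><body><script src="/static/app.js"></script>'
     '<form method="POST" action="/account">'
     '<input type="hidden" name="csrf_token" value="deadbeef">'
     '<input name="email"></form></body></html>'),
    ("https://shop.example/api/items", {"content-type": "text/html"},
     '[{"id": 1, "name": "widget"}]'),
]


def audit_all(responses=SAMPLE_RESPONSES):
    """Audit every capture; map URL -> findings."""
    return {url: audit_response(url, headers, body)
            for url, headers, body in responses}


if __name__ == "__main__":
    for url, findings in audit_all().items():
        print(url, findings or ["clean"])
```

A real passive auditor sits as a proxy and feeds every response through checks like these as you click around; the value is that it sees the application's actual traffic, including the AJAX calls and third-party includes a crawler would miss.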