How do I know if my web site is secure?

Discussion in 'other software & services' started by DonnEdwards, Sep 8, 2009.

Thread Status:
Not open for further replies.
  1. DonnEdwards

    DonnEdwards Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    36
    I have built and tested a web site that I'm quite proud of, and done my best to anticipate SQL Injection attacks and so on, but how do I know if my web site is secure? :doubt:

    Are there companies (or web services) who can audit the security? Is there a list of known issues with IIS7 or ASP.NET or SQL Server that I can test for? Since this is a Microsoft server there have to be bugs, right? :rolleyes:

    FWIW, the site is called http://www.mustang.co.za and I would be most grateful for any feedback on any security holes you might find. It's a shared server, so please don't do anything that would crash the server. But if there is anything you can do with HTTP calls or similar workarounds to display code or edit the data without permission, I would be most grateful for the feedback.

    Thanks in advance for any advice or information.
    Donn
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
  3. DonnEdwards

    DonnEdwards Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    36
    With all due respect the "answer" I got was meaningless:
    I asked what the "right searches" would be and got no reply. o_O

    If people in a "Security Forum" can't help me with a "security" question, where else should I ask?

    Surely people on this forum can recommend web sites or services they have used and found worthwhile?
     
  4. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
  5. DonnEdwards

    DonnEdwards Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    36
    Thanks! That's awesome.

    I have also been looking, and found this article: Writing Secure ASP Scripts
    http://www.ngssoftware.com/papers/asp.pdf
    and this book: The Web Application Hacker’s Handbook ISBN 0-4701-70778
    http://www.ngssoftware.com/press-releases/the-web-application-hackers-handbook-published/

    I would also be interested to know whether anyone has tried this:
    http://www.beyondsecurity.com/vulnerability-scanner.html
    It seems very generic and isn't mentioned in the SoftwareQATest site.

    Thanks in advance
    Donn
     
  6. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    I see that my smile is IRRESISTIBLE, like your ...

    The Great Shoot, Yeah! ...:D
     
  7. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    Don,

    The website I work on (a national healthcare website that can be used to view healthcare records amongst other stuff) has to be black box penetration tested approx every 6 months

    I know in the past that a company called Vega (www.vega.co.uk) was used, but I honestly can't recomend anyone specific.
    I suspect that it would be costly.

    But by following common sense like you have done we have never had any major security issues from penetration testing.

    When I have time I can try and put together useful links and best practices (.net specific stuff as I am a asp.net expert) that we try to adhere to.

    Cheers, Nick.
     
  8. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    3rd party PCI/Security scan certificates like McAfee Secure or Comodo HackerProof would be a good way to ensure your site is free from any loopholes/vulnerabilities on a daily basis.
     
Loading...
Thread Status:
Not open for further replies.