How do I know if my web site is secure?

Discussion in 'other software & services' started by DonnEdwards, Sep 8, 2009.

Thread Status:
Not open for further replies.
  1. DonnEdwards

    DonnEdwards Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    36
    I have built and tested a web site that I'm quite proud of, and done my best to anticipate SQL Injection attacks and so on, but how do I know if my web site is secure? :doubt:

    Are there companies (or web services) who can audit the security? Is there a list of known issues with IIS7 or ASP.NET or SQL Server that I can test for? Since this is a Microsoft server there have to be bugs, right? :rolleyes:

    FWIW, the site is called http://www.mustang.co.za and I would be most grateful for any feedback on any security holes you might find. It's a shared server, so please don't do anything that would crash the server. But if there is anything you can do with HTTP calls or similar workarounds to display code or edit the data without permission, I would be most grateful for the feedback.

    Thanks in advance for any advice or information.
    Donn
     
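The most common way to "anticipate SQL injection" on an ASP.NET / SQL Server site is to never build SQL text from user input and to bind inputs as parameters instead. The following added example (not code from the original post or from the site in question) shows the two styles side by side against a constructed in-memory SQLite table, so it runs offline; the table name, columns and sample rows are assumptions for illustration. The same fix in ADO.NET is a fixed SQL string with `SqlParameter` objects added to `SqlCommand.Parameters`.

```python
import sqlite3

# Constructed sample data standing in for the site's product database
# (assumption: a products table with name and year columns).
SAMPLE_ROWS = [("Mustang GT", 2009), ("Mustang Shelby", 2008), ("Focus", 2007)]


def make_db():
    """Build a throwaway in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, year INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def search_concat(conn, term):
    """Vulnerable form: the user's input is spliced into the SQL text, so a
    quote character in the input changes the structure of the statement."""
    sql = f"SELECT name FROM products WHERE name = '{term}'"
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, term):
    """Hardened form: the SQL text is fixed and the input is bound as a
    parameter, so whatever it contains is only ever compared as a value."""
    sql = "SELECT name FROM products WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


def demo():
    """Run both search styles with a benign term and with the textbook
    tautology probe that a scanner or pen tester would send."""
    conn = make_db()
    benign = "Mustang GT"
    probe = "' OR '1'='1"  # constructed test input: closes the literal, adds a tautology
    return {
        "concat_benign": search_concat(conn, benign),
        "concat_probe": search_concat(conn, probe),   # leaks every row
        "param_benign": search_param(conn, benign),
        "param_probe": search_param(conn, probe),     # matches nothing
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

Running it shows that the concatenated query returns the whole table for the probe string while the parameterised query returns nothing, which is exactly the difference a black-box scanner looks for: it sends inputs like the probe above to every form field and query-string parameter and watches for responses that change shape.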
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,223
  3. DonnEdwards

    DonnEdwards Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    36
    With all due respect the "answer" I got was meaningless:
    I asked what the "right searches" would be and got no reply. o_O

    If people in a "Security Forum" can't help me with a "security" question, where else should I ask?

    Surely people on this forum can recommend web sites or services they have used and found worthwhile?
     
  4. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
  5. DonnEdwards

    DonnEdwards Registered Member

    Joined:
    Nov 22, 2007
    Posts:
    36
    Thanks! That's awesome.

    I have also been looking, and found this article: Writing Secure ASP Scripts
    http://www.ngssoftware.com/papers/asp.pdf
    and this book: The Web Application Hacker's Handbook ISBN 0-470-17077-8
    http://www.ngssoftware.com/press-releases/the-web-application-hackers-handbook-published/

    I would also be interested to know whether anyone has tried this:
    http://www.beyondsecurity.com/vulnerability-scanner.html
    It seems very generic and isn't mentioned in the SoftwareQATest site.

    Thanks in advance
    Donn
     
  6. PROROOTECT

    PROROOTECT Registered Member

    Joined:
    May 5, 2008
    Posts:
    1,102
    Location:
    HERE ...Fort Lee, NJ
    I see that my smile is IRRESISTIBLE, like your ...

    The Great Shoot, Yeah! ...:D
     
  7. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,381
    Location:
    West Yorkshire, UK
    Don,

    The website I work on (a national healthcare website that can be used to view healthcare records amongst other stuff) has to be black box penetration tested approx every 6 months.

    I know in the past that a company called Vega (www.vega.co.uk) was used, but I honestly can't recommend anyone specific.
    I suspect that it would be costly.

    But by following common sense like you have done we have never had any major security issues from penetration testing.

    When I have time I can try and put together useful links and best practices (.net specific stuff as I am an asp.net expert) that we try to adhere to.

    Cheers, Nick.
     
  8. vijayind

    vijayind Registered Member

    Joined:
    Aug 9, 2008
    Posts:
    1,413
    3rd party PCI/Security scan certificates like McAfee Secure or Comodo HackerProof would be a good way to ensure your site is free from any loopholes/vulnerabilities on a daily basis.
     