Larry Ullman's Book Forums

Any Companies Who Test Your Site's Security?



I really like your book!

 

I wish I knew PHP & MySQL as well as you do!

 

Anyway, I intend to have an e-commerce site going someday and security is of course something I'm paranoid about.  I don't trust myself with handling all the security because I'd never feel peace of mind.

 

Are there companies who test the security of your website for you?  You know... who try to mess things up, look for holes, try to get the information you're protecting, etc., then report to you what needs to be changed.

 

You'd have to trust these companies of course...

 

Thanks


I have seen various security test suites available online to test your site's security, but I have not tried any of them. I recently had a very interesting experience at my programming job. A "junior programmer" I guess would describe where I fit into the food chain at work. I mainly write MySQL data mining scripts and HTML/PHP scripts to display various business metrics reports for upper management. One week from rolling out this project that has taken 6 months to complete, I was asked to spend all my time searching for bugs in this web application. The first thing I did was test if the public pages were protected against SQL injection and XSS attacks. The XSS attack I launched disabled the application entirely. I could drop tables with a single line of code with my SQL injection test. The public login page could be circumvented with 5 clicks of the mouse button and I could get in as "administrator" and delete clients, add bogus data, type in offensive garbage, etc. If I did log in as a "legal" member, I could simply go to the address bar and change the user_id in the query string and suddenly be in someone else's account to do all the damage I wanted to do. The development team didn't mean for me to test security; they were looking for hidden bugs and UI issues in general.

I do believe that the senior programmers were so focused on the guts of the web application and the looming roll-out date that some very, very basic security issues were... well... overlooked?

Test it yourself first. I would advise using the techniques in Larry's "PHP and MySQL for Dynamic Web Sites" for a start and Google for more info on various attacks. That is what the hackers are doing... lol. Also, if you know a programmer you can trust, let them work with you and let them try to hack your site... before a major roll-out. By the way, I learned all this from Larry's book. Whenever I would thumb through the book at work for a technique, I could see the senior programmers rolling their eyes. Guess who is rolling their eyes now? The book saved some launch day embarrassment for the development team and made me look like a freakin' genius. Never underestimate a noob! Thanks Larry!

  • Upvote 1
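The account-page hole the poster describes (changing user_id in the address bar, plus the SQL injection behind it) is a common pattern, so here is an added PHP example, not code from the thread or from Larry's book, showing that pattern and the hardened version side by side. It assumes a PDO connection to a hypothetical table accounts(user_id, email, balance) and that login stores the authenticated id in $_SESSION['user_id'].

```php
<?php
// Added example (not from the thread). Assumes a PDO connection $pdo and a
// hypothetical table accounts(user_id, email, balance); login is assumed to
// have stored the authenticated user's id in $_SESSION['user_id'].
session_start();

// BROKEN: the pattern the poster found. The page trusts user_id from the query
// string, so any logged-in member can change ?user_id= and read another account,
// and because the value is pasted into the SQL text it is also an injection point.
function loadAccountBroken(PDO $pdo)
{
    $userId = $_GET['user_id'] ?? '';
    return $pdo->query("SELECT * FROM accounts WHERE user_id = $userId")->fetch();
}

// HARDENED:
//  1. the account shown is the one bound to the session at login, never a value
//     the client supplies (closes the "edit user_id in the address bar" hole);
//  2. the query is a prepared statement with a typed bound parameter, so no
//     user-controlled text ever reaches the SQL parser (closes the injection);
//  3. an unauthenticated request is refused outright instead of guessed at.
function loadAccountHardened(PDO $pdo)
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        return false;
    }
    $stmt = $pdo->prepare(
        'SELECT user_id, email, balance FROM accounts WHERE user_id = :id'
    );
    $stmt->bindValue(':id', (int) $_SESSION['user_id'], PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Every database value echoed into HTML is escaped, which is the fix for the
// XSS the poster triggered: the browser sees text, never markup.
function renderAccount(array $row): string
{
    $esc = fn(string $v): string => htmlspecialchars($v, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p>Account ' . $esc((string) $row['user_id']) . ': '
         . $esc($row['email']) . ' (balance ' . $esc((string) $row['balance']) . ')</p>';
}

// Usage (constructed connection details): exception mode surfaces query errors,
// and disabling emulated prepares makes the server do the parameter binding.
$pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);
$row = loadAccountHardened($pdo);
echo $row ? renderAccount($row) : 'Not authorised.';
```

If an administrator legitimately needs to view other members' accounts, that is a separate authorisation check on the session's role, still never a raw id taken from the URL and pasted into SQL.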

Guest Deleted

Holy shiz maybe they "faked it" to get to their senior developer positions. How could anybody that knows what they are doing make the mistakes they did 0_0 It's like they had no concept of security. That's something you're supposed to learn when you're a total novice. If they really are talented coders then they must live under a rock. I can hardly Google something about PHP without reading something that reminds me about security. People talk about it all the time. I'm frequently reminded that if I ignore security, I'm a dumb butt, lol.

 

Tell me...do they come from the ranks of the self righteous programmers that think they are better than everybody else?


Tell me...do they come from the ranks of the self righteous programmers that think they are better than everybody else?

Yes, that would describe the environment pretty well. I am learning some good stuff, but have learned to filter some bad coding practices that are used out of sheer arrogance. I am as surprised as you about the nonchalant attitude toward security. It is quite baffling really. I am going to continue to do my job as best as I possibly can and hope I opened some eyes in the programming war room.


Guest Deleted

My general approach toward life is a cautious one and it's so hard for me to understand people who are reckless. I don't understand how people can take chances with their health, their finances, their driving, their coding, etc. Specifically, I could never smoke, make huge impulse purchases, drive 120 down the freeway, or ignore security without feeling incredibly worried that something bad will result. I've had to deal with enough nerve-wracking situations in my life and the last thing I want to do is create more of them.

 

Maybe some people enjoy causing drama for themselves. Maybe they enjoy gambling with their careers, credit score, lives, etc. I don't. I don't want to go messing things up.


Guest Deleted

Hey another_noob! I found a good visual representation of how those programmers wrote those scripts! LOL LOL LOL!! I laughed so hard.

 


Thank you for your input guys!

 

I understand that doing the security myself would be best (if I knew PHP and MySQL as well as Larry Ullman), but as I mentioned, I don't know it well enough to be comfortable with that.

 

Are there any "website security test suites" that anyone can recommend and trusts?  I'd hate to come across some security test suite that just takes my money, then installs viruses into my website or something.  I think it's safe to assume there are bad guys out there who try to do malicious things such as that...


Guest Deleted

Hmm, if you're not sure who to use, then why don't you give us a list of the companies you've been considering. We could go try to dig up reviews or other information on them.


Haven't done any research yet. Figured it'd be more time efficient if I got a head start with someone else's research if they had already gained experience with testing suites.

 

I like the video by the way Buttercream Cupcake.  LOL!


Guest Deleted

I guess none of us have used a testing company before, then. I know I haven't.

 

And yeah, lol, that video was awesome. I saw it on YouTube and I just had to post it. It made me laugh so much :)

 

The take home message I got from it was, "Bad programming is a big mess that is left for somebody else to clean up."
