I have nearly finished a web application. I need to test it and find the security issues before its release. Are there any methods or guidelines for this kind of testing? Or are there any tools to help me check whether my application is ready to go online? Thank you.
I would say:
- Check that there are no warnings or errors, even in strict mode (error reporting).
- In case you store any sensitive data (such as passwords, credit cards, etc.), be sure it is encrypted with non-standard algorithms. Use SSL and try to be somewhat paranoid about it.
- Set up your database with specific access rights by action and host, and do not use the root account.
- Perform exhaustive testing (use unit tests when possible). Involve as many people as you can.
- Test it in the main browsers (Firefox, Chrome, Opera, Safari, IE) and, if you have time, in others.
- Validate all your HTML/CSS against the standards (W3C). (recommended)
- Depending on the platform you are using, there are profilers which can help you identify bottlenecks in your code (can be done in later stages).
- Tune settings for your web server / script language.
- Be sure it is search-engine friendly.
- Pray once it is online :)
This is not a complete list, as it depends on:
- which language/platform/web server you are using.
- what kind of application you developed (social, financial, management, etc.)
- who will use the application (the entire world, a specific company, your family or just you).
- are you going to sell it? Then you must have at least most of the previous points.
- is your application using very sensitive information (such as credit cards)? If so, you should pay some professional (a company?) to check your code, settings and methods.
This is just my opinion; take it as it is. I would also like to hear what other people suggest.
Good Luck
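The database point in the answer above (separate accounts per action and host, no root) is the one most directly tied to limiting the blast radius of a SQL injection, so here is a worked example of what it looks like in MySQL. This is an added illustration, not code from the original answer; the database name `shop`, the tables, the account names and the host `10.0.0.5` are all assumptions for the sake of the example.

```sql
-- Added example (not from the original answer): least-privilege MySQL accounts
-- for a web application. Database 'shop', its tables, the account names and the
-- host 10.0.0.5 are assumed for illustration.

-- 1. The account the running application connects with.
--    Bind it to the application server's address, not to '%' (any host).
CREATE USER 'webapp'@'10.0.0.5' IDENTIFIED BY 'replace-with-a-long-random-password';

--    Grant only the statements the application actually issues, per table.
--    No DELETE on orders if the app never deletes; no write access to products.
GRANT SELECT, INSERT, UPDATE ON shop.orders    TO 'webapp'@'10.0.0.5';
GRANT SELECT                 ON shop.products  TO 'webapp'@'10.0.0.5';
GRANT SELECT, INSERT         ON shop.audit_log TO 'webapp'@'10.0.0.5';

--    Deliberately NOT granted: DROP, ALTER, CREATE, FILE, PROCESS, SUPER,
--    GRANT OPTION, and anything on the mysql.* system schema. With these
--    missing, an injected query cannot drop tables, read server files via
--    LOAD_FILE(), write files with INTO OUTFILE, or mint new accounts.

-- 2. A separate account for schema migrations, usable only from the DB host.
--    It never appears in the web application's configuration.
CREATE USER 'webapp_migrate'@'localhost' IDENTIFIED BY 'replace-with-another-long-random-password';
GRANT CREATE, ALTER, DROP, INDEX, SELECT, INSERT, UPDATE, DELETE
    ON shop.* TO 'webapp_migrate'@'localhost';

-- 3. Verify before go-live: the output should list exactly the grants above
--    and nothing resembling 'GRANT ALL PRIVILEGES ON *.*'.
SHOW GRANTS FOR 'webapp'@'10.0.0.5';
SHOW GRANTS FOR 'webapp_migrate'@'localhost';
```

Run the `SHOW GRANTS` check as part of the pre-launch review: it is the quickest way to catch an account that was created with `ALL PRIVILEGES` during development and never tightened.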
As well as what's already been suggested, depending on what type of application it is, you can use a vulnerability scanner to scan your application for any vulnerabilities that could lead to hackers gaining entry.
There are quite a few good scanners out there, but note when using them that the results may or may not be 100%. It's hard to say.
For a list of scanners, commercial and free, see: http://projects.webappsec.org/Web-Application-Security-Scanner-List
For more information on scanners: http://en.wikipedia.org/wiki/Web_Application_Security_Scanner
Good luck.
Here you can find a practical checklist to use before launching a website:
http://launchlist.net/
And here is a list of all the stuff you forgot to test:
http://www.thebraidytester.com/downloads/YouAreNotDoneYet.pdf