How can I look for any client-side callbacks in JavaScript? I have people adding JavaScript code for me. How do I make sure they are not somehow sending confidential data or user info to their sites through client-side POST, GET, AJAX or any client-side methods?

How would I do the same thing for my server-side code, to see that my PHP programmer is not doing the same thing?

I thought of having some firewall, maybe an Apache log or something, that would log or even block any outside contact over certain ports and log the ones that can't be blocked, like ports 80 and 8080; however, I don't know how to go about this! Same thing with the client side, if I could browse the site and have my computer show any callbacks. I have the Live HTTP Headers extension for Firefox, but I was wondering if there is an easy way! And my whole concept is faulty, as any smart programmer would make it so that it doesn't do this all the time, so it might go unnoticed! I'm just wondering if there is a list of all the possible JavaScript and PHP functions that could be dangerous! I would really appreciate an answer to any of these questions. Thank you so much!

+3  A: 

Use the Firebug extension for Firefox, and enable the console. It will show you any Ajax POST or GET requests.

Calvin L
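
Added example, not part of any answer on this page: the console shows requests as you browse, and a saved capture of the same traffic can be filtered for requests that leave your own hosts, including image and script GETs that carry data in the query string. It assumes the traffic was exported as a HAR 1.2 file (the page does not mention HAR); `FIRST_PARTY`, `SAMPLE_HAR`, `findOffSiteRequests` and all host names are constructed for illustration.

```javascript
// Added example: list requests in a HAR 1.2 capture that leave the site's own hosts.
// FIRST_PARTY and SAMPLE_HAR are constructed for illustration.
const FIRST_PARTY = new Set(["www.example.com", "static.example.com"]);

const SAMPLE_HAR = { log: { entries: [
  { request: { method: "GET", url: "https://www.example.com/app.js" } },
  { request: { method: "POST", url: "https://collector.invalid/log",
               postData: { mimeType: "application/x-www-form-urlencoded",
                           text: "email=user%40example.com" } } },
  { request: { method: "GET", url: "https://Pixel.Tracker.invalid/p.gif?uid=42" } },
  { request: { method: "GET", url: "data:image/gif;base64,R0lGOD" } },
  { request: { method: "GET", url: "https://cdn.partner.invalid/lib.js" } },
] } };

function findOffSiteRequests(har, allowedHosts) {
  const findings = [];
  for (const { request: req } of har.log.entries) {
    let url;
    try {
      url = new URL(req.url);
    } catch (err) {
      // Keep unparseable URLs in the report instead of silently dropping them.
      findings.push({ host: null, method: req.method, url: req.url,
                      bodyLength: 0, queryLength: 0, sendsData: false });
      continue;
    }
    // data: and blob: URLs are resolved inside the browser; nothing leaves it.
    if (url.protocol === "data:" || url.protocol === "blob:") continue;
    const host = url.hostname; // URL() already lower-cases the host
    // Exact host match only; a naive suffix test would also accept look-alike names.
    if (allowedHosts.has(host)) continue;
    const bodyLength = req.postData && req.postData.text ? req.postData.text.length : 0;
    // Image and script GETs can carry data too, in the query string.
    const queryLength = Math.max(url.search.length - 1, 0);
    findings.push({ host, method: req.method, url: req.url,
                    bodyLength, queryLength, sendsData: bodyLength + queryLength > 0 });
  }
  return findings;
}

for (const f of findOffSiteRequests(SAMPLE_HAR, FIRST_PARTY)) {
  console.log(`${f.method} ${f.host} body=${f.bodyLength} query=${f.queryLength}`);
}
```

A capture only contains requests that fired during the recorded session, so code that calls out conditionally will not appear unless its condition was met.
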

+5  A: 

  1. Check every checkin/do code reviews.
  2. If you can't trust your programmers, look for different programmers.

deceze
+1  A: 

If you know some level of programming, do CODE REVIEW.

Ankit Jain
A: 

Maybe not a direct answer, but related... As I answered here, you should check out the book Ajax Security. I don't recall if it specifically deals with your direct concern of personnel trust, but it does deal with many concrete issues of security in this area and may give you some good ideas for things to watch for, or preventative measures to take.

bmoeskau