views: 547
answers: 8

Dear Abby,

I've been working on a PHP website which utilizes a MySQL database (using PDO). I would just like to know that it is secure before I go ahead and release it to the public. It is a free, non-profit website so I don't really plan on making money from it and therefore I would rather not invest hundreds or thousands of dollars for a security audit.

I know there are tools from http://owasp.org and other organizations but I can't say that I have enough time or energy to cover all my bases even with resources like this.

Ideally I would like to take care of any major holes right off the bat and then make small improvements over the course of its lifetime. I also don't feel comfortable just blatantly posting all of my code around the internet for everyone to see.

What can I do?

Edit: The point is that I would like suggestions on where my code may have flaws in it and how to fix it. I already have a good deal of security experience but I am not able to honestly say that I am patching bugs the correct way unless someone who knows what they're doing takes a look at my code.

+8  A: 

Post a message on a hackers' board saying that your website cannot be cracked... you'll have responses soon enough. Make sure you are on a dedicated server though ;-)

edit: also see my comment below..

MiRAGe
That's not really an audit.
Joe Philllips
Woah! That was my exact idea. Two things I'd like to add: first, you probably won't get helpful feedback on how you got cracked, so make sure to be super certain you save the access logs. Second, be prepared to have the entire machine reformatted, or something ridiculous like that. Back the server up to a disk image, and keep the image somewhere safe (a disk in a closet, or something)... and restore the image as soon as you've fixed your bugs. Godspeed ;)
ojrac
My answer was a bit cynical (thanks Bill Maher for that), but you could really ask some 'white hats' to audit your website. So not DDoSing the crap out of it, but just some standard stuff. Also, you could read up on some hacking tactics and apply them to your website. That's how I started reading up on security a few years back, and it taught me a lot! Especially about SQL injections and cookies.
MiRAGe
That isn't going to help me fix it -- just help me find the problems.
Joe Philllips
you do have to _find_ your bugs first, before you can fix them.. right?
MiRAGe
"That isn't going to help me fix it -- just help me find the problems." You asked for an audit, didn't you?
jim
Generally an audit would come with recommendations. Otherwise it's just a hack attempt.
Joe Philllips
You are right. But if you find the right people (or do it yourself), hacks do too. "Hack" is just a very wrong word I used... if you want to call it an audit, that's also fine. The trick is just to identify the problems (doesn't matter _how_), and then find a way to fix them. Even if you find only bugs without recommendations, you still have pointers to search for. Search, identify, destroy. Kill the bugs ;)
MiRAGe
An actual audit won't tell you much about how to fix your problems, just what to fix -- it sounds like you're looking for some code review..?
ojrac
I rewrote my question a little to make it clear I'm not looking for someone to tell me what my bugs are. I would prefer a code review.
Joe Philllips
+5  A: 

Use a freely available web scanner tool. Here's a list of some popular ones: Top 10 Web Vulnerability Scanners

This will at least get you started - though it's certainly not an acceptable replacement for a full security audit if your application NEEDS to be secure. You'll need to pay money for a real audit, though.

You may find the OWASP site helpful as well.

pix0r
+3  A: 

You can use the Firefox plugin suite by Security Compass. Also, the forum at PHP Freaks also has a section where you can ask others to try to hack your site.

VirtuosiMedia
A: 

Find smart folks that know web application security, specifically with respect to php/MySQL. Ask them to code review. The scanners are good, but they will miss some things. Because you are doing this for a non-profit, I'm sure there are some security researchers who will be sympathetic to the cause of the non-profit who will donate time accordingly, just as you basically are.

K. Brian Kelley
How do you know if they are smart or not? If I already knew smart people I would already have asked them.
Joe Philllips
If they're doing it for free, take what you can get and build on their suggestions. If they're actively involved in the scene their time/input is worthwhile, even if only as a foundation. IF they're not actively involved, use their audit as a user-/UI-test.
David Thomas
+2  A: 

You should cover the major 'bases' in regards to web application security:

  • [SQL Injection] - Make sure you use parameterized SQL queries, not just string concatenation. E.g. this is bad: "Select Login FROM Users WHERE Login = '" . $_POST['Login'] . "'"
  • [XSS] - Make sure that if a user puts something like this: <script>alert('hi');</script> into one of your fields, it doesn't cause a JavaScript alert when you display that on a page. Escape data that may have come from a user before outputting it: echo h($variable);
  • [CSRF] - Try to keep things out of cookies; use tokens that can be validated on form submissions (this is a bit harder to demonstrate in one line).
  • Cookies, hidden fields or anywhere else exposed to the user are not good places to put anything important or anything that provides access to something.
  • Keep your servers all patched up and backed up.

These are just a few things off the top of my head; they are nowhere near all-inclusive. Also, keep in mind that security is something that you need to work on through the entire time you are developing an application. It isn't something that just gets reviewed at the end of a project. Also, keep learning and reviewing various hacking methods: they are continually creating new ways to hack, so we need to keep vigilant and modify how we program to keep things secure.

Redbeard 0x0A
How would I find the correct way to protect against those using PHP?
Joe Philllips
The correct way depends on the context in which the data is being used, but check your database API for parameterization and use htmlspecialchars for escaping all text as it is output (if user formatting is required, use a system like BBCode for this so you can escape before adding the formatting HTML).
Michael Madsen
or use htmlpurifier instead of bbcode
Schnalle
I believe this snippet is the PHP to prevent XSS when outputting data to the web browser: <?php echo h($somevar); ?> It has been quite a while since I have used PHP; you should be able to find some other examples out on the internets.
Redbeard 0x0A
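The three checks from the bulleted list above (parameterized queries, output escaping, CSRF tokens), written out in PHP with PDO as an added, self-contained example. This is not code from the original answer or its author. The `Users`/`Login` table layout is taken from the answer's own bad query; the in-memory SQLite database, the `h()` helper (PHP has no built-in `h()`, so the answer's `echo h($variable)` presumes a wrapper like the one below, as the follow-up comment about htmlspecialchars notes) and the simulated `$session` array are assumptions so the script runs stand-alone.

```php
<?php
// Added example, not from the original answer. Assumptions: pdo_sqlite is
// available, the Users(Login) table from the answer, and a plain array standing
// in for $_SESSION so no web server is needed.
declare(strict_types=1);

// --- Setup: constructed sample data in an in-memory SQLite database ----------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Users (Login TEXT PRIMARY KEY)');
$pdo->exec("INSERT INTO Users (Login) VALUES ('alice'), ('bob')");

// --- SQL injection -----------------------------------------------------------
// Bad: the string concatenation from the list above. A crafted Login closes the
// quote and rewrites the WHERE clause.
function findLoginUnsafe(PDO $pdo, string $login): array
{
    $sql = "SELECT Login FROM Users WHERE Login = '" . $login . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Good: a parameterized query. The value never becomes part of the SQL text.
function findLoginSafe(PDO $pdo, string $login): array
{
    $stmt = $pdo->prepare('SELECT Login FROM Users WHERE Login = :login');
    $stmt->execute([':login' => $login]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$payload = "x' OR '1'='1";
var_dump(findLoginUnsafe($pdo, $payload)); // ['alice', 'bob']: every row leaks
var_dump(findLoginSafe($pdo, $payload));   // []: searches for the literal string

// --- XSS ---------------------------------------------------------------------
// Escape at output time, for the HTML context. ENT_QUOTES also escapes single
// quotes so the value is safe inside attribute values, not only between tags.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$comment = "<script>alert('hi');</script>";
echo '<p>' . h($comment) . "</p>\n";
// prints: <p>&lt;script&gt;alert(&#039;hi&#039;);&lt;/script&gt;</p>

// --- CSRF --------------------------------------------------------------------
// One random token per session, embedded as a hidden field in every
// state-changing form and compared in constant time on submission.
function csrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrfValid(array $session, ?string $submitted): bool
{
    return is_string($submitted)
        && isset($session['csrf_token'])
        && hash_equals($session['csrf_token'], $submitted);
}

// Simulated session and form round-trip (in a real app: $_SESSION and $_POST).
$session = [];
$token = csrfToken($session);
echo '<form method="post"><input type="hidden" name="csrf" value="'
    . h($token) . '"></form>' . "\n";

var_dump(csrfValid($session, $token));              // true: the form we emitted
var_dump(csrfValid($session, 'forged-or-missing')); // false: a cross-site post
var_dump(csrfValid($session, null));                // false: field absent
```

Against MySQL, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the driver sends the statement and the parameters to the server separately instead of interpolating them client-side. The CSRF check deliberately uses `hash_equals` rather than `==`, so a wrong token takes the same time to reject as a nearly right one.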
+3  A: 

Don't be afraid to post your code all over the internet. Your site is not up yet, so anyone who finds a hole and tells you is a good guy. More eyes on your code is a good thing.

Ian
I suppose that is one way to look at it.
Joe Philllips
One possible issue is that some files are fairly large and random people from the internets won't want to stare at it very long.
Joe Philllips
So the people that do are more likely to be interested and engaged?
David Thomas
+2  A: 

OWASP Open Review Project will review all code that is released as open source...

jm04469
A: 

Send an email to [email protected]. If you are hosting a non-profit site, they might audit your site for free.

badman