Ask YC: What do you use for penetration testing? - inovica

Hi there. We were approached by a 'security company' for penetration testing one of our PHP applications.  Just wondering what you use for testing server and applications?
======
redcap
Before thinking seriously about doing a penetration test think about the
following:

- Have you coded against malicious input?
- Does your code intentionally stop the various types of cross-site scripting?
- Have you done a code audit to check that this is the case?

I'm probably skipping over a bunch of other things you can do to make a site
more secure, but you may want to consider the above before talking about
penetration testing.

Getting broken into by a penetration tester means that your site is in some
way insecure. Not getting broken into doesn't mean that your site is secure -
there could be a vulnerability that the pen company didn't know about.

I would suggest maybe following some of the blog thought about computer
security (I follow Bruce Schneier, Coding Horror has some good posts
occasionally, ymmv).

That and pen tests by a company cost money.

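The checklist above (coding against malicious input, stopping cross-site scripting) is easier to act on with a concrete PHP pattern in front of you. The following is an added example, not code from the thread or from either poster: a deliberately unsafe echo next to its hardened form, context-aware escaping for a user-supplied link, and a prepared statement so untrusted input never reaches the SQL parser as code. The helper names, the table layout and the in-memory SQLite database are all assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread): output encoding for the HTML body and
// attribute contexts, a scheme check for user-supplied URLs, and a
// parameterised query. Helper names and the table layout are assumed.

// Vulnerable pattern: untrusted input echoed straight into the page.
function render_comment_unsafe(string $comment): string
{
    return '<p class="comment">' . $comment . '</p>';
}

// Hardened pattern: encode for the HTML body context. ENT_QUOTES encodes both
// quote characters, so the same helper is also safe inside quoted attributes.
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_comment(string $comment): string
{
    return '<p class="comment">' . html_escape($comment) . '</p>';
}

// A link built from user input needs two layers: restrict the scheme so that
// "javascript:" and similar URLs are refused, then attribute-encode the result.
// Only absolute http(s) URLs are accepted here; relative paths are rejected too.
function render_user_link(string $url, string $label): string
{
    $parts  = parse_url($url) ?: [];
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        $url = '#';   // refuse anything that is not a plain web URL
    }
    return '<a href="' . html_escape($url) . '">' . html_escape($label) . '</a>';
}

// SQL: a prepared statement keeps the query text fixed regardless of input,
// so a quote in the name is just data, not part of the WHERE clause.
function find_user_by_name(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample inputs to exercise the helpers.
$probe = '<script>alert(1)</script>';
echo render_comment_unsafe($probe), "\n"; // the script tag reaches the browser
echo render_comment($probe), "\n";        // &lt;script&gt;alert(1)&lt;/script&gt;
echo render_user_link('javascript:alert(1)', 'click'), "\n"; // href="#"
echo render_user_link('https://example.com/?q=a&b=c', 'ok'), "\n";

// In-memory SQLite (constructed data) so the query example runs with no server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice')");
var_dump(find_user_by_name($db, "alice' OR '1'='1")); // NULL: no such name
var_dump(find_user_by_name($db, 'alice'));             // the single real row
```

Run it with `php example.php` (needs the pdo_sqlite extension for the last part). The point a code audit should confirm is that every place user data is written into HTML goes through a context-appropriate encoder like `html_escape`, and every query that takes user data is parameterised; grep for raw `echo $_GET`/`$_POST` and string-built SQL to find the places that still do not.
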
------
apgwoz
If I had anything to seriously test, I'd probably start with:
<http://w3af.sourceforge.net/>

