
Ask HN: So you release your new site. How do you know it's not wide open? - hoodoof
You've built and deployed some new website.

How the heck do you know you haven't built something with wide open security holes?

Hope?
======
viraptor
Do a lot of reading and reviews. And then more reading. Start here:
[https://www.owasp.org/](https://www.owasp.org/)

Specifically the TOP 10 webapp issues may be helpful:
[https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet](https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet)

Read your framework's security guide and adjust the settings properly (for
example
[https://symfony.com/doc/current/security.html](https://symfony.com/doc/current/security.html)
- every framework should have one).

Scan your dependencies for known security issues (gemnasium,
sensiolab/security-checker, etc).

Scan your code with tools reporting security issues (like
[https://github.com/openstack/bandit](https://github.com/openstack/bandit) for
python, or
[https://github.com/HewlettPackard/gas](https://github.com/HewlettPackard/gas)
for go).

Based on OWASP make sure bad things are banned in your code - no
unparametrised queries, no manual crypto, no cookies without httponly, only
modern, salted hashing for passwords, etc. Reuse as much as possible from the
framework, because it's less likely to be vulnerable than new code.

Scan the website with tools that can automate finding some common issues for you
(ZAP, ratproxy, etc.)

Read the secure development guide
[https://github.com/OWASP/DevGuide](https://github.com/OWASP/DevGuide)

Hire me to do an audit? (contact in profile)
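Three of the "banned in your code" items from the checklist above (unparametrised queries, cookies without HttpOnly, unsalted or weak password hashing), each shown as the weak form next to the hardened form. This is an added example and not code from the thread; the `users` table, the cookie strings and the PBKDF2 parameters are constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune to your hardware


def setup_db():
    # Constructed in-memory table standing in for a real user store.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "alice@example.invalid"),
                     ("bob", "bob@example.invalid")])
    return con


def lookup_unsafe(con, name):
    # Weak form: the caller's input is spliced into the SQL text, so any
    # quote characters in it are parsed as SQL rather than as data.
    return con.execute(
        f"SELECT email FROM users WHERE name = '{name}'").fetchall()


def lookup_safe(con, name):
    # Hardened form: the driver binds the value; it can never become syntax.
    return con.execute(
        "SELECT email FROM users WHERE name = ?", (name,)).fetchall()


def cookie_missing_flags(set_cookie):
    # Audit one Set-Cookie header value and report absent hardening flags.
    attrs = {part.strip().split("=")[0].lower()
             for part in set_cookie.split(";")[1:]}
    return sorted(f for f in ("httponly", "secure") if f not in attrs)


def hash_password(password, salt=None):
    # Per-user random salt plus a slow KDF; store salt and digest together.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, digest)
```

Feeding an input that contains a quote to both lookup functions makes the difference concrete: the unsafe query returns rows the caller should never see, the bound query returns none.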

