Hi there. We were approached by a 'security company' for penetration testing one of our PHP applications. Just wondering what you use for testing server and applications?
Before thinking seriously about doing a penetration test think about the following:
- Have you coded against malicious input?
- Does your code intentionally stop the various types of cross-site scripting?
- Have you done a code audit to check that this is the case?
I'm probably skipping over a bunch of other things you can do to make a site more secure, but you may want to consider the above before talking about penetration testing.
Getting broken into by a penetration tester means that your site is in some way insecure.
Not getting broken into doesn't mean that your site is secure - there could be a vulnerability that the pen company didn't know about.
I would suggest maybe following some of the blog thought about computer security (I follow Bruce Schneier, Coding Horror has some good posts occasionally, ymmv).
That and pen tests by a company cost money.
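The first two items on the checklist above (handling malicious input, and deliberately stopping cross-site scripting) are the ones a code audit of a PHP application most often finds missing. The following is an added example, not code from the original post: a search handler written the vulnerable way beside the same handler with a parameterised query and context-specific output encoding. It assumes PDO with the SQLite driver and a hypothetical `posts` table; the sample rows and the malicious input are constructed for the demo.

```php
<?php
// Added example (not from the original post): parameterised SQL plus
// per-context output encoding, the two checks the answer's list asks about.
declare(strict_types=1);

// HTML body and attribute context. ENT_QUOTES encodes both quote styles so the
// value cannot close an attribute; ENT_SUBSTITUTE keeps bad UTF-8 from turning
// the whole output into an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Inline JavaScript context. json_encode produces a quoted JS string literal and
// the JSON_HEX_* flags additionally hex-encode < > & ' " so the value can never
// contain a literal </script> or break out of the string.
function escapeJs(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// URL query-string context.
function escapeUrlParam(string $value): string
{
    return rawurlencode($value);
}

// Before: user input interpolated straight into SQL and into markup.
// Vulnerable to SQL injection and to reflected/stored XSS.
function renderSearchUnsafe(PDO $db, string $q): string
{
    $rows = $db->query("SELECT title FROM posts WHERE title LIKE '%$q%'")
               ->fetchAll(PDO::FETCH_COLUMN);
    $items = array_map(fn(string $t): string => "<li>$t</li>", $rows);
    return "<p>Results for: $q</p><ul>" . implode('', $items) . '</ul>';
}

// After: the query is parameterised, LIKE wildcards in the input are escaped so
// '%' or '_' typed by a user cannot widen the match, and every dynamic value is
// encoded for the exact context it lands in (HTML, URL, JavaScript).
function renderSearchSafe(PDO $db, string $q): string
{
    $pattern = '%' . addcslashes($q, '%_\\') . '%';
    $stmt = $db->prepare("SELECT title FROM posts WHERE title LIKE :pattern ESCAPE '\\'");
    $stmt->execute([':pattern' => $pattern]);
    $rows = $stmt->fetchAll(PDO::FETCH_COLUMN);

    $items = array_map(fn(string $t): string => '<li>' . escapeHtml($t) . '</li>', $rows);
    return '<p>Results for: ' . escapeHtml($q) . '</p>'
         . '<a href="/search?q=' . escapeUrlParam($q) . '">permalink</a>'
         . '<script>var lastQuery = ' . escapeJs($q) . ';</script>'
         . '<ul>' . implode('', $items) . '</ul>';
}

// Constructed demo: in-memory SQLite (requires the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (title TEXT)');
$db->exec("INSERT INTO posts VALUES ('Hello <b>world</b>'), ('Second post')");

$input = '<script>alert(1)</script>';   // constructed malicious input
echo renderSearchSafe($db, $input), PHP_EOL;
// The stored title 'Hello <b>world</b>' is also rendered as text rather than
// as markup, which is the stored-XSS half of the same problem.
```

The design point is that there is no single "sanitise input" function that makes output safe: the same string needs different encoding depending on whether it ends up in HTML, in a URL, in a JavaScript literal or in SQL, which is why the audit question is phrased as "intentionally stop the various types of cross-site scripting" rather than just "filter input". A penetration test will typically find one missed context; a code audit that checks every output site against this table finds them all.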