Ask YC: What do you use for penetration testing?
6 points by inovica on Mar 17, 2009 | 2 comments
Hi there. We were approached by a 'security company' for penetration testing one of our PHP applications. Just wondering what you use for testing server and applications?

Before thinking seriously about doing a penetration test think about the following:

- Have you coded against malicious input?
- Does your code intentionally stop the various types of cross-site scripting?
- Have you done a code audit to check that this is the case?

I'm probably skipping over a bunch of other things you can do to make a site more secure, but you may want to consider the above before talking about penetration testing.

Getting broken into by a penetration tester means that your site is in some way insecure. Not getting broken into doesn't mean that your site is secure - there could be a vulnerability that the pen company didn't know about.

I would suggest maybe following some of the blog thought about computer security (I follow Bruce Schneier, Coding Horror has some good posts occasionally, ymmv).

That and pen tests by a company cost money.

If I had anything to seriously test, I'd probably start with: http://w3af.sourceforge.net/
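The three checks in the first reply (handling malicious input, stopping cross-site scripting, auditing the code for it) are easiest to see side by side in code. The following PHP is an added example and not from anyone in this thread: a deliberately vulnerable search handler beside a hardened version of the same handler. The `users(name)` table, the `search_*` function names and the `e()` helper are all assumptions made for the example; the sample rows are constructed.

```php
<?php
// Added example (not from the thread). Assumes PHP 7+, PDO with the SQLite driver,
// and a hypothetical table users(name). Everything below is illustrative.

// --- Vulnerable: reflects raw input into HTML and splices it into SQL ---
function search_vulnerable(PDO $pdo, string $name): string
{
    // Reflected XSS: $name is written into the page without escaping.
    $html = "<p>Results for " . $name . "</p><ul>";
    // SQL injection: $name becomes part of the query text itself.
    $rows = $pdo->query("SELECT name FROM users WHERE name = '" . $name . "'")
                ->fetchAll(PDO::FETCH_ASSOC);
    foreach ($rows as $row) {
        // Stored XSS: a name saved earlier is also echoed unescaped.
        $html .= "<li>" . $row['name'] . "</li>";
    }
    return $html . "</ul>";
}

// Escape a value for an HTML text or attribute context.
// ENT_QUOTES also escapes single quotes; ENT_SUBSTITUTE avoids returning "" on bad UTF-8.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- Hardened: validate on input, parameterise the query, escape on output ---
function search_hardened(PDO $pdo, string $name): string
{
    // 1. Input validation: allow only letters, digits, space, dot, apostrophe and
    //    hyphen, with a bounded length. Anything else is rejected, not "cleaned".
    if (!preg_match('/^[\p{L}\p{N} .\'-]{1,64}$/u', $name)) {
        return '<p>Invalid name.</p>';
    }

    // 2. Parameterised query: the value is bound, never concatenated into SQL.
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);

    // 3. Output escaping at the point of output, for both the reflected value
    //    and every value read back from the database (stored data is untrusted too).
    $html = '<p>Results for ' . e($name) . '</p><ul>';
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $html .= '<li>' . e($row['name']) . '</li>';
    }
    return $html . '</ul>';
}

// Demonstration against an in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('O''Brien')");

// A quote inside a valid name: the bound parameter handles it, and the output is escaped.
echo search_hardened($pdo, "O'Brien"), "\n";
// <p>Results for O&#039;Brien</p><ul><li>O&#039;Brien</li></ul>

// Input containing markup fails validation before reaching the query or the page.
echo search_hardened($pdo, '<b>alice</b>'), "\n";
// <p>Invalid name.</p>
```

The point a code audit should check is that each of the three controls is applied consistently: validation on every entry point, bound parameters on every query, and escaping on every output of untrusted data (including values read back from storage), since a single missed `echo` is enough to reintroduce the cross-site scripting the reply warns about.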
