Ask YC: What do you use for penetration testing?
6 points by inovica on March 17, 2009 | 2 comments
Hi there. We were approached by a 'security company' for penetration testing one of our PHP applications. Just wondering what you use for testing server and applications?



Before thinking seriously about doing a penetration test think about the following:

- Have you coded against malicious input?
- Does your code intentionally stop the various types of cross-site scripting?
- Have you done a code audit to check that this is the case?

I'm probably skipping over a bunch of other things you can do to make a site more secure, but you may want to consider the above before talking about penetration testing.

Getting broken into by a penetration tester means that your site is in some way insecure. Not getting broken into doesn't mean that your site is secure - there could be a vulnerability that the pen company didn't know about.

I would suggest maybe following some of the blog thought about computer security (I follow Bruce Schneier, Coding Horror has some good posts occasionally, ymmv).

That and pen tests by a company cost money.
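One concrete way to act on the first two checks in the comment above (malicious input, the different XSS contexts), as an added example in PHP that is not code from the poster or from any project on this page; the function names and the sample input are my own assumptions:

```php
<?php
// Added example: context-aware output escaping for a PHP page.
// Reflected and stored XSS differ only in where the attacker-controlled string
// comes from; both are stopped by escaping for the context the string lands in.
declare(strict_types=1);

// Vulnerable pattern: untrusted input echoed straight into HTML.
function greet_unsafe(string $name): string
{
    return "<p>Hello, $name</p>";
}

// HTML body text and attribute values (attributes must be double-quoted in the template).
function e_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Data placed inside an inline <script>: emit a JSON literal with <, >, &, ' and "
// hex-escaped so the string can neither close the script tag nor the enclosing quotes.
function e_js(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// A single query-string value inside a URL.
function e_url_param(string $s): string
{
    return rawurlencode($s);
}

// A whole user-supplied link: allow only http(s) schemes, then HTML-escape for the attribute.
function e_href(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '#';
    }
    return e_html($url);
}

function greet_safe(string $name, string $site): string
{
    return '<p>Hello, ' . e_html($name) . ' from <a href="' . e_href($site) . '">your site</a></p>'
         . '<script>var visitor = ' . e_js($name) . ';</script>';
}

// Constructed sample input (a reviewer's test string, not real traffic).
$name = '<script>alert(1)</script>';
echo greet_unsafe($name), PHP_EOL;                    // script tag reaches the browser intact
echo greet_safe($name, 'javascript:alert(1)'), PHP_EOL; // escaped in every context; href replaced by '#'
```

Server-side escaping does not cover DOM-based XSS, where client-side script reads and writes untrusted data itself; that path needs the same context-aware treatment in the JavaScript.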


If I had anything to seriously test, I'd probably start with: http://w3af.sourceforge.net/



