website Security
18 years 2 months ago #16985
by Ranger24
Patience - the last reserve of the any engineer
website Security was created by Ranger24
Hi Guys,
My father's company are having a new website built and I'd like to be able to check it over for security issues when it is eventually finished (it'll take approx 6 months to complete. My old man is a bit indecisive!)
In the meantime I'd like to learn about website security, attacks, preventions etc. Can you point me in the correct direction, and to the kind of tools I will need?
Cheers,
R
18 years 2 months ago #16992
by DaLight
Replied by DaLight on topic Re: website Security
I will just drop some pointers which are by no means exhaustive.
1. Will the website be hosted internally by your father's company or on external servers? If on external servers, are they dedicated to your father's company, or shared with other companies?
The answers to the above questions will determine who is responsible for firewalling and gateway security arrangements as well as whether you will be able to obtain permission to carry out any required penetration tests.
2. The application stack, i.e. Windows/IIS/ASP/SQL Server, Linux/Apache/MySQL/PHP, etc., as this will determine what types of tests and vulnerabilities to look for.
3. Useful tools are:
Nikto : an Open Source (GPL) web server scanner
Nessus
Nmap
Also check out this book which I recently reviewed on Apache security, and this one which was reviewed by The Bishop.
18 years 2 months ago #16999
by TheBishop
Replied by TheBishop on topic Re: website Security
I was just about to recommend that book but you beat me to it. It would be an excellent investment for exactly this scenario. Check out the Firewall.cx book reviews section for the review.