Website Security Without Breaking the Bank?
An anonymous reader writes "I do my own Web design and have a few websites — MySQL, PHP, CSS, HTML, that kind of thing. It's simple, amateur stuff, but I would love to have some reasonable ways to assess their security myself and patch the big holes, or possibly enlist someone to do 'white hat' work to assist me. I have absolutely no idea how to proceed. I don't want to get mired in a never-ending paranoia-fueled race to patch holes before the hackers find them, but on the other hand, I don't want my websites to look like Swiss cheese. Right now, I wouldn't know what kind of cheese they look like: Swiss, Havarti, or hard as Parmesan. How can I take reasonable steps to protect these websites myself? What books has the community found useful? What groups (if any) can offer me inexpensive white-hat hacking that won't end up costing me a first-born child? Or am I better off just waiting until a problem arises and then fixing it?"
Hi Slashdot (Score:-1, Funny)
3rd reply to this post tells me what I should do tomorrow. As always, pictures will be posted.
Well, for starters... (Score:5, Funny)
What's the URL? ;)
Attack with all your might .. (Score:5, Funny)
http://127.0.0.1/ [127.0.0.1]
Enjoy.
Re:Attack with all your might .. (Score:5, Funny)
Wow, I didn't know so much porn could be so free.
Some of the models look a little young though, are you sure they are all legal at that site?
Anyways, thanks for the tip.
Re:Attack with all your might .. (Score:2, Funny)
Bah. I already have all that, and I think I might have a bit more even.
I can't believe there's anyone out there as much into... erh... what was that IP again?
Re:Better tools, good process, learning from other (Score:3, Funny)
You can write insecure websites using pretty much any tools, but if you're using MySQL and PHP, especially if you're using other people's code in your app, you're probably going to end up with a security nightmare, regardless of how hard you try.
Taken to the extreme, you could prepare your own active page servlet using FORTRAN and obfuscate the binaries, randomize query URL generation, and run everything on your server through a microkernel operating system where you change all of the system calls and commands to things only you know.
Then operate your website entirely anonymously, tunneling through Tor between your actual webserver and the server putting up your domain.
simple, effective starting point (Score:5, Funny)
http://xkcd.com/327/ [xkcd.com]
WITHOUT breaking the bank? (Score:3, Funny)
The banks are already broken. Too late.
Re:Hi Slashdot (Score:4, Funny)
Buy everyone on /. a pony
I could do with the extra protein.