security checklist

Posted on 2005-05-11
Last Modified: 2010-04-01
Dear experts,
We are developing a huge and critical web site with JSP. Our customer is looking for a security checklist and measurement. Is there any web site (company) that helps to check our code security (running code) and provides a full report?
Also, can anyone provide a checklist of important points or security holes for us to check against our code?

Any help will be highly appreciated.
Question by: ethar1
    LVL 29

    Accepted Solution

    There are a number of good sites on the web that deal with this, and you can find a company who will do it with this search ""

    Common issues you must deal with are:

    Parameter manipulation: exposing the workings of your app via easily modifiable request parameters

    Cookie tampering/snooping: allowing a hacker access on an old or re-used cookie

    File accessibility: not using directory protection so that hackers can see your source code (storing in the root directory, not storing in the WEB-INF)

    SQL injection/overloading: if your search box / username and pwd goes straight into an SQL statement rather than a stored proc or PreparedStatement you may be vulnerable to this.

    X-site scripting: JavaScript errors allowing insertion of text into your website from the request parameters

    Phishing/Redirection: if there is any redirection on your site you must protect against hackers as they can use this.

    Known web server exploits: not so much to do with the app but the server it uses. IIS is notoriously bad, Apache and Tomcat are not perfect but are much better

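The three points above that are about application code (SQL going straight into a statement, request parameters echoed into the page, and unchecked redirects) can be shown side by side. The following is an added example, not code from the thread or from the asker's JSP site; it uses Python's built-in sqlite3 so it runs offline, standing in for JDBC, where the equivalent of the `?` placeholders is `PreparedStatement`. The user table, the allow-listed host `www.example.com` and the test inputs are all constructed for the example.

```python
import html
import sqlite3
from urllib.parse import urlsplit


def make_db():
    """Constructed in-memory stand-in for the site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, pwd):
    """The pattern the answer warns about: request parameters are spliced
    into the SQL text, so a quote in the input changes the query's syntax."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND pwd = '" + pwd + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, username, pwd):
    """Parameterised query (the PreparedStatement approach): the values are
    bound separately from the SQL text and can only ever be compared as data."""
    sql = "SELECT username FROM users WHERE username = ? AND pwd = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, pwd)))


def render_search_result(term):
    """Reflecting a request parameter into HTML. Escaping turns angle brackets
    and quotes into entities so the browser shows them as text instead of
    parsing them as markup (in JSP, prefer <c:out> over raw <%= %> output)."""
    return "<p>Results for: " + html.escape(term, quote=True) + "</p>"


# Constructed allow-list of hosts the site is willing to redirect to.
ALLOWED_REDIRECT_HOSTS = {"www.example.com"}


def safe_redirect_target(next_url, default="/home"):
    """Follow a redirect parameter only if it is a site-relative path or points
    at an allow-listed host; anything else falls back to a fixed page. Paths
    starting with // or containing a backslash are rejected because browsers
    may treat them as a different host."""
    parts = urlsplit(next_url)
    is_relative = (not parts.scheme and not parts.netloc
                   and next_url.startswith("/")
                   and not next_url.startswith("//")
                   and "\\" not in next_url)
    if is_relative:
        return next_url
    if parts.scheme in ("http", "https") and parts.netloc.lower() in ALLOWED_REDIRECT_HOSTS:
        return next_url
    return default


if __name__ == "__main__":
    conn = make_db()
    crafted = "' OR '1'='1"  # constructed test input containing a quote
    print("vulnerable:", login_vulnerable(conn, "alice", crafted))  # every user
    print("safe:      ", login_safe(conn, "alice", crafted))        # no match
    print(render_search_result("<b>bold</b>"))
    print(safe_redirect_target("https://attacker.example/"))       # /home
```

Running the script shows the two points in one place: the concatenated query returns every user for an input that merely contains a quote, while the parameterised query returns nothing, and the escaped search term comes back as literal text. The redirect helper is the checklist item "protect any redirection" made concrete as an allow-list check.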
    Author Comment

    Thanks bloodredsun,
    I am looking for a specific company, a company that someone recommended.
    LVL 29

    Expert Comment

    FYI: testing of websites is often referred to as "Tiger Attacks", "Tiger Team Attacks" or "White Hat Attacks", not just penetration testing.

    Other aspects you should look at if your app is a critical one are:

    Redundancy: server crash and fallover
    Firewall/DMZ: natch
    DDOS attacks: Distributed Denial Of Service. Several bookmakers have been on record stating that they have had people blackmail them by threatening DDOS attacks. Make sure that you have plans to deal with this, including filtering. Here's a great account of one,
    LVL 29

    Expert Comment

    >>I am looking for a specific company, a company that someone recommended.

    Sure, I understand, it's smart to get a recommendation especially if you're going to be showing them your system. You might want to tell people in what region you are based without being too specific, in that case.

    Unfortunately, I can't recommend one as my company (a well known bank) has our own guys.
