Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium


security checklist

Posted on 2005-05-11
Medium Priority
Last Modified: 2010-04-01
Dear experts,
We are developing a huge and critical web site with jsp, our customer looking for security checklist and measurement, any web site (company ) that help to check our code security ( running code) and provide full report?
Also to provide check list for any important points or security holes to us to check it against our code...

Any help will be highly appreciated..
Question by:ethar1
  • 3
LVL 29

Accepted Solution

bloodredsun earned 2000 total points
ID: 13979355
There are a number of good sites on the web the deal with this, and you can find a company who will do it with this search "http://www.google.co.uk/search?q=penetration+testing+web+applications"

Common issues you must deal with are:

Parameter manipulation : exposing the workings of your app via easily modifiable request parameters

Cookie tampering/snooping: allowing a hacker access on an old or re-used cookie

File accessibilty: not using directory protection so that hackers can see your source code (stroring in the root directory,not storing in the WEB-INF)

SQL injection/overloading: if your search box /username and pwd goes straight into an SQL statement rather than a stored proc or preparedStatement you may be vulnerable to this.

XsiteScripting: Javascript errors allowing insertion of text into your website from the request parameters

Phishing/Redirection: if there is any redirection on your site you must protect against hackers as they ca use this.

Known web server exploits: not so much to do witht he app but the server it uses. IIS is notoriously bad, Apache and Tomcat are not perfect but are much better

Author Comment

ID: 13979383
thnx bloodredsun ,
I am looking for specific company , a company that some one recommended..
LVL 29

Expert Comment

ID: 13979415
FYI: testing of websites is often refered to as "Tiger Attacks", "Tiger Team Attacks" or "White Hat Attacks" not just penetration testing.

Other aspects you should look at if your app is a critical one are:

Redundancy: server crash and fallover
Firewall/DMZ: natch
DDOS attacks: Distributed Denial Of Service. Several bookmakers have been on record stating that they have had people blackmail them by threatening DDOS attacks. Make sure that you have plans to deal with this inclucding filtering. Here's a great account of one, http://www.grc.com/dos/drdos.htm
LVL 29

Expert Comment

ID: 13979446
>>I am looking for specific company , a company that some one recommended..

Sure, I understand, it's smart to get a recommendation especially if you're going to be showing them your system. You might want to tell people in what region you are based without being too specific, in that case.

Unfortuantely,I can't recommend one as my company (a well known bank) has our own guys.

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This applies to Dell but may also apply to other manufacturers as well. We ran across a few machines that just dropped recently it trust relationship with the server. After doing the basic removing and joining the domain again, it changed to No logo…
Herein one will find an aggregate of some of my experience building and deploying virtualization stacks both in standalone, clustered Hyper-V, clustered Hyper-V with a Scale-Out File Server (SOFS) backend, and Storage Spaces Direct (S2D).
this video summaries big data hadoop online training demo (http://onlineitguru.com/big-data-hadoop-online-training-placement.html) , and covers basics in big data hadoop .
Integration Management Part 2
Suggested Courses

577 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question