-3

I have a project that will eventually be posted as a public service online. Security is a big concern, and I don't have a lot of experience hardening systems and code for public scrutiny. Is there some established community that I can expose a test instance of my product to in order to test the security? Or has anyone had any experience organising a public "hack my server" session?

Phyxx
  • Advice on where to test it, and how, depends on what your product is. Do you want the code tested because it's something you've written yourself? – jwbensley May 28 '12 at 21:37
  • 7
    Put it live and post the URL to 4chan along with the phrase "Do your worst." – SmallClanger May 28 '12 at 21:47
  • 1
    @SmallClanger, that's a good one! – HTTP500 May 28 '12 at 21:51
  • Exposing the code of your buggy application to some unknown community isn't a good idea. If you have doubts about how secure your code is, look for some professional auditors. You didn't write what type of apps you will be using (windows linux apache, nginx, mysql php ???) – B14D3 May 28 '12 at 21:53
  • 1
    Some more detail would be appreciated. I also suggest looking around on http://security.stackexchange.com – Lucas Kauffman May 28 '12 at 22:03
  • @B14D3 yep, but that wasn't the question ;-) – Tom May 28 '12 at 22:44
  • 1
    The best way to get it hacked would be to place it on the Internet and wait a little while. :) – John Gardeniers May 29 '12 at 00:45

1 Answer

3

What you're looking for is a combination of penetration testing and code security review.

There are a lot of companies and freelance individuals who will do a pentest for you, for a price. Depending on what you're trying to secure (webapp, payment gateway, physical box, hosted VM, entire network, etc.) there may be certain regulations which need to be followed. You'll also have to liaise with your hosting provider, since they don't like random people sniffing around in their network.

A code security review, on the other hand, requires in-depth knowledge of your codebase and security concepts, so most companies hire a security developer (or contract one in) for this kind of role. They'll need to get comfortable with your entire application and network, then do a detailed analysis of any potential security issues within the code or infrastructure.

Polynomial