Hello,
Are there firms out there that will actively try to crack a php-based site as a service? I'd love to know if I could hire someone to test out a couple of my sites for at least the most common security vulnerabilities.
Thanks!
Chris
Chris S.
Free Web Scripts - Form generators, AJAX tools and more!
Micro CMS - A totally free AJAX-based, SEO-ed CMS!
A real actual person thinking creatively and putting in effort is going to cost $$$$$$. Most "web security" companies/consultants use a web scanner:
http://www.acunetix.com/
https://chorizo-scanner.com/
To name a couple.





Personally I think Acunetix is a sub-par product, whereas Chorizo scanner isn't very useful from a blind perspective.
Although the automated scanners can be useful (as an initial discovery and spidering utility), eventually it comes down to a real person manually going through the website and analysing possible problems.
But yah, it costs a lot of money to do this sort of thing because 1) it's time consuming and 2) because the skill level required is high.
I could probably offer to go through a couple of your sites, but I'm not a full time security consultant, so although my PHP & general security knowledge may be up to scratch - it just wouldn't compare to what's offered by the professional security consultants.
Security isn't something that you apply as a separate layer, on top of the application; it's part of the application design, and as such not something you can specialise in. Basically, you need a competent programmer to go through the code, and look for issues.





A Little Knowledge Is A Very Dangerous Thing.......
That Makes Me A Lethal Weapon !!!!!!!!
Contract PHP Programming
What about something like the hack-a-mac challenge? Put up a reward for someone who can steal admin access and then tell you how they did it.
Although I don't know what your webhost would say to that, so I'm not sure.



Good call, superuser2! That's exactly the kind of idea I was looking for. Mad props!
Thanks!
Chris
Chris S.