My situation is this. I outsourced a fairly large project. We have just finished up and im sure there are security holes all over the place. I actually had someone run some software and found minor mysql injections issues.

My question is this. From a subjective view (im not technical) what would be the best/smartest way to have someone who knows hacking review my code and give me instructions on fixes.

Currently i have

-ran software (that guy was good but got busy and bailed on me)

-posted some jobs on elance (about 2-3 highly reviewed people bid but still not sure if its the smartest route.

-finally there is a good college nearby with a really good computer science department. Tomorrow i plan on driving there and trying to get an undergrad to start reviewing code.

I would like to hear some feedback, from a non technical standpoint, knowing what you all know, what is the best strategy to securing my website up. Over 500 hour project so far, so pretty big. I noticed when it was too late they are using some GET and POST variables where most likely they shouldn't be. So again, id appreciate the feedback.

Talking about proprietary vectors, there's also Hatforce  (There's both public and private / trusted tests, contact them for more info.)

Anyway, I do suggest that you either go through the code, or get someone else to do it. Don't make a program do it for you naturally, as it may as you say, contain several vulnerabilities.

This depends on the developer, if he or she is skilled at writing secure code to protect against (at least) the most common attack vectors nowadays.

It sounds like a good idea to e.g., give an undergrad or someone else a look at your code, but keep in mind, that if this person whether he or she says they know infosec or not, doesn't make it hackproof.

For the most optimal security, you need at least one (skilled) ethical hacker (NOT certified ethical hacker), penetration tester, code reviewer, etc., to test your application. In other words, you need someone who "loves" information security (infosec), who knows their field, and capable of mitigating any risks in the app.

The best way, is to either:
A) Make your app open source so anyone can read the source and hope some hackers review it and make advisories
B) Hire an external company
C) Use it on a website and wait until someone might hack it. (Some companies seems to go with this option, even though I don't recommend it  )

The unfortunate reality of this situation is that securing the application at this point is going to be more time-consuming and expensive since security was an afterthought. I'm not trying to rake you over the coals, but you would have been in a much better position had security been a consideration (and priority) from the start.

If you're serious about this, you should probably avoid students and people looking for work via reverse-auctions online. This type of service requires years of experience and a high level of expertise.

This has now become a business decision where you must weigh the costs of delaying your launch and paying a high cost for professional services to going live immediately and risking an incident that may cause a loss of reputation, or worse scenarios.

You also have to consider the type of data you'll be protecting. Any type of incident is obviously undesirable, but there's a significant difference in impact when you compare an image hosting service and an online banking service. The amount of time and money you invest into security should be proportional to criticality of the data you're trying to protect. You might want to try conducting an informal risk assessment in order to estimate some numbers.


This is kind of an inside joke. It's a broad certification, and despite it's name, it's really not an accurate indicator of someone's actual skills. That's not to imply that all CEHs are unskilled, just that you shouldn't take it at face value and should also considered other certs, education, work experience, etc.

500 hours total of coding is a project is nothing. That's not a big project.

Reading your post makes me feel that you want the best of the world without paying anything.

"If you give peanuts you get monkeys"

Good luck.