Ask HN: Security when taking over hosting and development of a client's site?
Here is what I have come up with so far:
* Malware scan to catch viruses and other stuff that may be hiding in executables, DLLs, etc.
* Static analysis (with SonarQube or similar) to find unsafe evals, potential SQLis, and more
* Spin up the site in a sandbox and hit it with the most common automated tools (like Metasploit and W3AF) to catch ... well ... many things.
Of course, we will need to adjust the specifics to the site we are analyzing (we do different programming languages; also because a static HTML/CSS single-pager probably does not require static/dynamic analysis) but we are mainly concerned with establishing a baseline that we can then modify as needed.
I would love to hear your input on the tool and methodology choice, and also on the extent of the analysis—obviously we want to strike the right balance between value (to both ourselves and our customers) and cost/time spent.
References to good articles on the subject are also very much appreciated. Same goes for war stories and personal experiences.
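As an added illustration (not part of the post above), here is a small Python triage script for the "static analysis" and "malware scan" items of such a baseline: it walks an inherited site tree, flags dangerous sinks, SQL built by string concatenation, long base64-looking literals (a common sign of injected or obfuscated code) and stray binaries, so a reviewer knows where to look first. The sample tree it builds is constructed for the example and all rule names and thresholds are assumptions, not from any tool the post mentions.

```python
import os
import re
import tempfile
from dataclasses import dataclass

# First-pass patterns; expect false positives (e.g. JS RegExp.exec), this only prioritises review.
RULES = {
    "dangerous-sink": re.compile(r"\b(eval|exec|shell_exec|passthru|system|popen)\s*\("),
    # A quoted SQL statement glued to a variable with '.' (PHP) or '+' (JS/Python).
    "sql-concat": re.compile(r"""(?i)["'][^"'\n]*\b(select|insert|update|delete)\b[^"'\n]*["']\s*[.+]\s*\$?\w"""),
    # Base64-looking literal of 200+ chars: often a packed payload dropped into the code base.
    "obfuscated-blob": re.compile(r"""["'][A-Za-z0-9+/=]{200,}["']"""),
}
SOURCE_EXT = {".php", ".js", ".py", ".rb", ".aspx", ".cs"}
BINARY_EXT = {".exe", ".dll", ".so", ".bin"}  # assumed list; extend per platform

@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: int  # 0 for file-level findings

def triage(root: str) -> list[Finding]:
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            ext = os.path.splitext(name)[1].lower()
            if ext in BINARY_EXT:  # binaries in a web root deserve a real malware scan
                findings.append(Finding("binary-in-webroot", rel, 0))
                continue
            if ext not in SOURCE_EXT:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                for lineno, text in enumerate(fh, 1):
                    for rule, pattern in RULES.items():
                        if pattern.search(text):
                            findings.append(Finding(rule, rel, lineno))
    return sorted(findings, key=lambda f: (f.path, f.line, f.rule))

def build_sample_site() -> str:
    """Constructed sample tree standing in for an inherited client site."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "inc"))
    with open(os.path.join(root, "inc", "db.php"), "w") as fh:
        fh.write('<?php\n$q = "SELECT * FROM users WHERE id=" . $_GET["id"];\n'
                 'eval(base64_decode($_POST["c"]));\n')
    with open(os.path.join(root, "app.js"), "w") as fh:
        fh.write('const blob = "' + "QUJD" * 60 + '";\nconsole.log("ok");\n')
    open(os.path.join(root, "helper.dll"), "wb").close()
    return root

if __name__ == "__main__":
    for f in triage(build_sample_site()):
        print(f"{f.rule:18} {f.path}:{f.line}")
```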