My father's company is having a new website built and I'd like to be able to check it over for security issues when it is eventually finished (it'll take approx. 6 months to complete. My old man is a bit indecisive!)
In the meantime I'd like to learn about website security, attacks, prevention etc. Can you point me in the correct direction, and to the kind of tools I will need?
I will just drop some pointers which are by no means exhaustive.
1. Will the website be hosted internally by your father's company or on external servers? If on external servers, are they dedicated to your father's company, or shared with other companies?
The answers to the above questions will determine who is responsible for firewalling and gateway security arrangements as well as whether you will be able to obtain permission to carry out any required penetration tests.
2. The application stack, i.e. Windows/IIS/ASP/SQL Server, Linux/Apache/MySQL/PHP, etc., as this will determine what types of tests and vulnerabilities to look for.
3. Useful tools are:
Nikto: an Open Source (GPL) web server scanner
Nessus
Nmap
Also check out this book, which I recently reviewed, on Apache security, and this one, which was reviewed by The Bishop.
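Point 2 above (work out the application stack first, then decide what to test) is the kind of thing worth scripting before reaching for Nikto or Nessus. The following is an added example, not code from the original post: it pulls stack hints out of the headers of a raw HTTP response (Server, X-Powered-By, session cookie names) and flags session cookies set without HttpOnly or Secure. The three sample responses are constructed for the example, not captured from any real site, and the rule table is built from well-known defaults; real deployments often rename or strip these headers, so an empty result means "nothing advertised", not "nothing there".

```python
"""Infer a web application stack from a raw HTTP/1.x response and flag
weak session cookies. Added example; sample responses are constructed."""
import re

# Constructed sample responses (not captured from a real server).
SAMPLE_IIS = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/8.5\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Set-Cookie: ASP.NET_SessionId=abc123; path=/; HttpOnly\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)
SAMPLE_LAMP = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Set-Cookie: PHPSESSID=deadbeef; path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)
SAMPLE_QUIET = (  # a server that advertises nothing
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html>...</html>"
)

# (header name, regex on its value, label). Capture groups fill {0} in the label.
# Assumed defaults for common stacks; operators can rename or remove all of them.
RULES = [
    ("server", r"Microsoft-IIS/([\d.]+)", "IIS {0}"),
    ("server", r"Apache/([\d.]+)", "Apache {0}"),
    ("server", r"nginx/([\d.]+)", "nginx {0}"),
    ("x-powered-by", r"ASP\.NET", "ASP.NET"),
    ("x-powered-by", r"PHP/([\d.]+)", "PHP {0}"),
    ("x-aspnet-version", r"([\d.]+)", "ASP.NET runtime {0}"),
    ("set-cookie", r"ASP\.NET_SessionId=", "ASP.NET session cookie"),
    ("set-cookie", r"PHPSESSID=", "PHP session cookie"),
    ("set-cookie", r"JSESSIONID=", "Java servlet session cookie"),
]


def parse_headers(raw: str) -> dict:
    """Return the response headers as a dict keyed by lower-cased name.
    Repeated headers (e.g. several Set-Cookie lines) are joined with '\\n'."""
    head, _, _body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + "\n" + value if name in headers else value
    return headers


def fingerprint(raw: str) -> list:
    """List the stack components the response advertises, in RULES order."""
    headers = parse_headers(raw)
    findings = []
    for name, pattern, label in RULES:
        value = headers.get(name)
        if value is None:
            continue
        m = re.search(pattern, value)
        if m:
            findings.append(label.format(*m.groups()))
    return findings


def weak_cookies(raw: str) -> list:
    """Return (cookie name, missing attributes) for cookies lacking HttpOnly or Secure."""
    headers = parse_headers(raw)
    out = []
    for cookie in headers.get("set-cookie", "").split("\n"):
        if not cookie:
            continue
        parts = [p.strip().lower() for p in cookie.split(";")]
        name = cookie.split("=", 1)[0].strip()
        attrs = set(parts[1:])  # attribute tokens after the name=value pair
        missing = [a for a in ("httponly", "secure") if a not in attrs]
        if missing:
            out.append((name, missing))
    return out


if __name__ == "__main__":
    for label, sample in (("IIS", SAMPLE_IIS), ("LAMP", SAMPLE_LAMP), ("quiet", SAMPLE_QUIET)):
        print(label, fingerprint(sample), weak_cookies(sample))
```

Once the stack is known, the tool choice follows: a Nikto run against the host for known-bad files and server misconfiguration, Nmap to confirm which ports and service versions are actually exposed, and the stack-specific checks (ASP.NET viewstate, PHP configuration, SQL Server listeners, and so on) that a generic scanner will not cover.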