Security testing and web development
by Siu Lun on Jul.12, 2009, under Business, Programming, Security & Protection, Web
I can almost guarantee you that most, if not all, web development houses do not perform security testing as part of the service they offer customers.
The reason is that it would drive up the cost of the site, and that cost is passed on to the customer, which makes the quote less attractive to potential customers.
But to be honest, unless you're building a simple static HTML website, you have to test for security. I know a lot of it comes down to the quality of the developers and whether they get it right the first time.
Automated scanners are more and more common, but can they be relied upon? No. A scanner fires its payloads at every $_POST / $_GET parameter it can find and pattern-matches the responses; it cannot tell whether a request actually reached the code path it was aimed at, or whether a request that quietly failed means the input was handled safely or simply never processed. Scanners are programmed around the most common attack methodologies, so on their own they are not reliable.
Third-party scanning services used on e-commerce sites, like McAfee Secure, do help in detecting security problems, but they do not prevent a breach from happening in the first place. They try to, by informing administrators of potential issues such as vulnerable software versions on the host, but if a breach happens, it happens.
A real security audit can only be done by developers who have themselves gone through, or at least know of, the hacking methods. Even then it is not 100% bulletproof. I guess that's why there are companies out there that are basically formed by a group of hackers whose sole job is to attempt to hack everything.
Those people, unfortunately, are few and far between.
The only thing we web developers who care can do is quote like the newbies, then advise clients to take on a separate security audit. There are so many security holes on the web that it is practically a treasure trove for data thieves and pirates.
One common example: a member's login/registration should always use SSL, but the number of websites that don't is phenomenal. Without it, members' passwords can be easily sniffed by anyone able to intercept the network traffic, on a shared wireless network for instance.
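To make the "always use SSL for login" rule concrete, here is an added example (not code from the original post) of a small WSGI middleware that enforces it: plain-HTTP requests are redirected to the https:// equivalent, a plain-HTTP POST to a credential path is refused outright rather than redirected, HTTPS responses get an HSTS header so the browser stops trying HTTP at all, and the session cookie issued after login carries the Secure and HttpOnly flags. The application behind it, the paths /login and /register, and the request-building helper are assumptions made for the example; there is no real credential check.

```python
"""Enforce TLS on login/registration (added example; the app and paths are hypothetical)."""
import io
import secrets
from urllib.parse import parse_qs, quote

# Assumed paths that carry credentials; adjust to the site's own routes.
CREDENTIAL_PATHS = {"/login", "/register"}
HSTS = ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")


def is_https(environ):
    # wsgi.url_scheme is set by the server itself. Do not trust an
    # X-Forwarded-Proto header here unless a proxy you control sets it.
    return environ.get("wsgi.url_scheme") == "https"


def https_url(environ):
    host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
    path = quote(environ.get("PATH_INFO", "/"))
    qs = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{qs}" if qs else "")


class RequireTLS:
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        if not is_https(environ):
            method = environ.get("REQUEST_METHOD", "GET")
            path = environ.get("PATH_INFO", "/")
            if method == "POST" and path in CREDENTIAL_PATHS:
                # The password has already crossed the wire in the clear by the time
                # we see it; redirecting would only re-send it (307) or drop it (301).
                # Refuse to complete the login so the app never authenticates over HTTP.
                body = b"Credentials must be submitted over HTTPS.\n"
                start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                                 ("Content-Length", str(len(body)))])
                return [body]
            # Everything else: send the browser to the TLS version of the same URL.
            start_response("301 Moved Permanently", [("Location", https_url(environ)),
                                                     ("Content-Length", "0")])
            return [b""]

        def tls_start_response(status, headers, exc_info=None):
            # HSTS is only meaningful (and only honoured) on HTTPS responses.
            return start_response(status, list(headers) + [HSTS], exc_info)

        return self.app(environ, tls_start_response)


def demo_app(environ, start_response):
    """Hypothetical site: a login form and a handler that issues a session cookie."""
    if environ.get("PATH_INFO") == "/login" and environ["REQUEST_METHOD"] == "POST":
        size = int(environ.get("CONTENT_LENGTH") or 0)
        form = parse_qs(environ["wsgi.input"].read(size).decode())
        user = form.get("user", [""])[0]
        # No real password check here (example only). The cookie is marked Secure so
        # the browser will never send it back over plain HTTP, and HttpOnly so page
        # scripts cannot read it.
        token = secrets.token_urlsafe(32)
        body = f"welcome {user}\n".encode()
        start_response("200 OK", [
            ("Content-Type", "text/plain"),
            ("Content-Length", str(len(body))),
            ("Set-Cookie", f"session={token}; Path=/; Secure; HttpOnly; SameSite=Lax"),
        ])
        return [body]
    body = b'<form method="post" action="/login">user/pass fields here</form>\n'
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Content-Length", str(len(body)))])
    return [body]


app = RequireTLS(demo_app)


def run(application, method, scheme, path, host="example.test", body=b"", query=""):
    """Drive a WSGI app with a constructed request; returns (status, headers, body)."""
    environ = {
        "REQUEST_METHOD": method, "wsgi.url_scheme": scheme, "PATH_INFO": path,
        "HTTP_HOST": host, "SERVER_NAME": host, "QUERY_STRING": query,
        "CONTENT_LENGTH": str(len(body)), "wsgi.input": io.BytesIO(body),
    }
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    chunks = application(environ, start_response)
    return captured["status"], dict(captured["headers"]), b"".join(chunks)


if __name__ == "__main__":
    print(run(app, "GET", "http", "/login"))
    print(run(app, "POST", "http", "/login", body=b"user=alice&pass=x"))
    print(run(app, "POST", "https", "/login", body=b"user=alice&pass=x"))
```

The redirect alone is not enough: a login form served over HTTP can be rewritten in transit to post wherever the attacker likes, so the form page itself must be HTTPS-only and the HSTS header is what stops the browser from making the first plaintext request on later visits.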
Another example of the same problem: e-mail. E-mails are sent over the net in plain text unless you've encrypted them, so they can always be intercepted. I have set up PGP, but none of my clients know of it or would be able to handle using it, which means I can't use it.


